From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id CB3051FF13A for ; Wed, 01 Apr 2026 09:55:41 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id B79E410B59; Wed, 1 Apr 2026 09:55:54 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup 07/20] api: config: add endpoints for encryption key manipulation Date: Wed, 1 Apr 2026 09:55:08 +0200 Message-ID: <20260401075521.176354-8-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260401075521.176354-1-c.ebner@proxmox.com> References: <20260401075521.176354-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1775030088385 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.936 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_MAILER 2 Automated Mailer Tag Left in Email SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: Z6KRLXKB2W2HHT7BPLGWY2EB7HGHGC5A X-Message-ID-Hash: Z6KRLXKB2W2HHT7BPLGWY2EB7HGHGC5A X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Defines the api endpoints for listing existing keys as defined in the config and create new keys. Signed-off-by: Christian Ebner --- src/api2/config/encryption_keys.rs | 115 +++++++++++++++++++++++++++++ src/api2/config/mod.rs | 2 + 2 files changed, 117 insertions(+) create mode 100644 src/api2/config/encryption_keys.rs diff --git a/src/api2/config/encryption_keys.rs b/src/api2/config/encryption_keys.rs new file mode 100644 index 000000000..bc3ee2908 --- /dev/null +++ b/src/api2/config/encryption_keys.rs @@ -0,0 +1,115 @@ +use anyhow::{format_err, Error}; +use serde_json::Value; + +use proxmox_router::{Permission, Router, RpcEnvironment}; +use proxmox_schema::api; + +use pbs_api_types::{ + Authid, EncryptionKey, ENCRYPTION_KEY_ID_SCHEMA, PRIV_SYS_AUDIT, PRIV_SYS_MODIFY, +}; + +use pbs_config::encryption_keys::{self, ENCRYPTION_KEYS_CFG_TYPE_ID}; +use pbs_config::CachedUserInfo; + +use pbs_key_config::KeyConfig; + +#[api( + input: { + properties: {}, + }, + returns: { + description: "List of configured encryption keys.", + type: Array, + items: { type: EncryptionKey }, + }, + access: { + permission: &Permission::Anybody, + description: "List configured encryption keys filtered by Sys.Audit privileges", + }, +)] +/// List configured encryption keys. +pub fn list_keys( + _param: Value, + rpcenv: &mut dyn RpcEnvironment, +) -> Result, Error> { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + + let (config, digest) = encryption_keys::config()?; + + let list: Vec = config.convert_to_typed_array(ENCRYPTION_KEYS_CFG_TYPE_ID)?; + let list = list + .into_iter() + .filter(|key| { + let privs = user_info.lookup_privs(&auth_id, &["system", "encryption-keys", &key.id]); + privs & PRIV_SYS_AUDIT != 0 + }) + .collect(); + + rpcenv["digest"] = hex::encode(digest).into(); + + Ok(list) +} + +#[api( + protected: true, + input: { + properties: { + id: { + schema: ENCRYPTION_KEY_ID_SCHEMA, + }, + key: { + description: "Use provided key instead of creating new one.", + type: String, + optional: true, + }, + }, + }, + access: { + permission: &Permission::Privilege(&["system", "encryption-keys"], PRIV_SYS_MODIFY, false), + }, +)] +/// Create new encryption key instance or use the provided one. +pub fn create_key( + id: String, + key: Option, + _rpcenv: &mut dyn RpcEnvironment, +) -> Result { + let key_config = if let Some(key) = &key { + serde_json::from_str(key) + .map_err(|err| format_err!("failed to parse provided key: {err}"))? + } else { + let mut raw_key = [0u8; 32]; + proxmox_sys::linux::fill_with_random_data(&mut raw_key)?; + KeyConfig::without_password(raw_key)? + }; + + encryption_keys::store_key(&id, &key_config)?; + + Ok(key_config) +} + +#[api( + protected: true, + input: { + properties: { + id: { + schema: ENCRYPTION_KEY_ID_SCHEMA, + }, + }, + }, + access: { + permission: &Permission::Privilege(&["system", "encryption-keys", "{id}"], PRIV_SYS_MODIFY, false), + }, +)] +/// Remove encryption key (makes the key unusable, but keeps a backup). +pub fn delete_key(id: String, _rpcenv: &mut dyn RpcEnvironment) -> Result<(), Error> { + encryption_keys::delete_key(&id).map_err(|err| format_err!("failed to delete key: {err}")) +} + +const ITEM_ROUTER: Router = Router::new().delete(&API_METHOD_DELETE_KEY); + +pub const ROUTER: Router = Router::new() + .get(&API_METHOD_LIST_KEYS) + .post(&API_METHOD_CREATE_KEY) + .match_all("id", &ITEM_ROUTER); diff --git a/src/api2/config/mod.rs b/src/api2/config/mod.rs index 1cd9ead76..0281bcfae 100644 --- a/src/api2/config/mod.rs +++ b/src/api2/config/mod.rs @@ -9,6 +9,7 @@ pub mod acme; pub mod changer; pub mod datastore; pub mod drive; +pub mod encryption_keys; pub mod media_pool; pub mod metrics; pub mod notifications; @@ -28,6 +29,7 @@ const SUBDIRS: SubdirMap = &sorted!([ ("changer", &changer::ROUTER), ("datastore", &datastore::ROUTER), ("drive", &drive::ROUTER), + ("encryption-keys", &encryption_keys::ROUTER), ("media-pool", &media_pool::ROUTER), ("metrics", &metrics::ROUTER), ("notifications", ¬ifications::ROUTER), -- 2.47.3