From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id BB92E1FF137 for ; Tue, 14 Apr 2026 15:08:19 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 05E23195E3; Tue, 14 Apr 2026 15:09:09 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v3 11/30] api: config: add endpoints for encryption key manipulation Date: Tue, 14 Apr 2026 14:59:04 +0200 Message-ID: <20260414125923.892345-12-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260414125923.892345-1-c.ebner@proxmox.com> References: <20260414125923.892345-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776171499332 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.981 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_MAILER 2 Automated Mailer Tag Left in Email PROLO_LEO1 0.1 Meta Catches all Leo drug variations so far RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [mod.rs,key.id] Message-ID-Hash: FYXDWIWJ525OD6FLJHJZL3OVNQT7ET2A X-Message-ID-Hash: FYXDWIWJ525OD6FLJHJZL3OVNQT7ET2A X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Defines the api endpoints for listing existing keys as defined in the config, create new keys and archive or remove keys. New keys are either generated on the server side or uploaded as json string. Password protected keys are currently not supported and will be added at a later stage, once a general mechanism for secrets handling is implemented for PBS. Keys are archived by setting the `archived-at` timestamp, marking them as no longer usable for encrypting new content with respective keys. Removing a key requires for it to be archived first. Further, is only possible when the key is no longer referenced by a sync job config, protecting from accidental deletion of an in-use key. Signed-off-by: Christian Ebner --- changes since version 2: - early detect unusable keys provided on key creation as upload via api. - list all associated sync jobs when checking with encryption_key_in_use(). src/api2/config/encryption_keys.rs | 219 +++++++++++++++++++++++++++++ src/api2/config/mod.rs | 2 + 2 files changed, 221 insertions(+) create mode 100644 src/api2/config/encryption_keys.rs diff --git a/src/api2/config/encryption_keys.rs b/src/api2/config/encryption_keys.rs new file mode 100644 index 000000000..d3097929d --- /dev/null +++ b/src/api2/config/encryption_keys.rs @@ -0,0 +1,219 @@ +use anyhow::{bail, format_err, Error}; +use serde_json::Value; + +use proxmox_router::{Permission, Router, RpcEnvironment}; +use proxmox_schema::api; + +use pbs_api_types::{ + Authid, CryptKey, SyncJobConfig, CRYPT_KEY_ID_SCHEMA, PRIV_SYS_AUDIT, PRIV_SYS_MODIFY, + PROXMOX_CONFIG_DIGEST_SCHEMA, +}; + +use pbs_config::encryption_keys::{self, ENCRYPTION_KEYS_CFG_TYPE_ID}; +use pbs_config::CachedUserInfo; + +use pbs_key_config::KeyConfig; + +#[api( + input: { + properties: { + "include-archived": { + type: bool, + description: "List also keys which have been archived.", + optional: true, + default: false, + }, + }, + }, + returns: { + description: "List of configured encryption keys.", + type: Array, + items: { type: CryptKey }, + }, + access: { + permission: &Permission::Anybody, + description: "List configured encryption keys filtered by Sys.Audit privileges", + }, +)] +/// List configured encryption keys. +pub fn list_keys( + include_archived: bool, + _param: Value, + rpcenv: &mut dyn RpcEnvironment, +) -> Result, Error> { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + + let (config, digest) = encryption_keys::config()?; + + let list: Vec = config.convert_to_typed_array(ENCRYPTION_KEYS_CFG_TYPE_ID)?; + let list = list + .into_iter() + .filter(|key| { + if !include_archived && key.archived_at.is_some() { + return false; + } + let privs = user_info.lookup_privs(&auth_id, &["system", "encryption-keys", &key.id]); + privs & PRIV_SYS_AUDIT != 0 + }) + .collect(); + + rpcenv["digest"] = hex::encode(digest).into(); + + Ok(list) +} + +#[api( + protected: true, + input: { + properties: { + id: { + schema: CRYPT_KEY_ID_SCHEMA, + }, + key: { + description: "Use provided key instead of creating new one.", + type: String, + optional: true, + }, + }, + }, + access: { + permission: &Permission::Privilege(&["system", "encryption-keys"], PRIV_SYS_MODIFY, false), + }, +)] +/// Create new encryption key instance or use the provided one. +pub fn create_key( + id: String, + key: Option, + _rpcenv: &mut dyn RpcEnvironment, +) -> Result { + let key_config = if let Some(key) = &key { + let key_config: KeyConfig = serde_json::from_str(key) + .map_err(|err| format_err!("failed to parse provided key: {err}"))?; + // early detect unusable keys + if key_config.kdf.is_some() { + bail!("protected keys not supported"); + } + let _ = key_config + .decrypt(&|| Ok(Vec::new())) + .map_err(|err| format_err!("failed to load provided key: {err}"))?; + key_config + } else { + let mut raw_key = [0u8; 32]; + proxmox_sys::linux::fill_with_random_data(&mut raw_key)?; + KeyConfig::without_password(raw_key)? + }; + + encryption_keys::store_key(&id, &key_config)?; + + Ok(key_config) +} + +#[api( + protected: true, + input: { + properties: { + id: { + schema: CRYPT_KEY_ID_SCHEMA, + }, + digest: { + optional: true, + schema: PROXMOX_CONFIG_DIGEST_SCHEMA, + }, + }, + }, + access: { + permission: &Permission::Privilege(&["system", "encryption-keys", "{id}"], PRIV_SYS_MODIFY, false), + }, +)] +/// Mark the key by given id as archived, no longer usable to encrypt contents. +pub fn archive_key( + id: String, + digest: Option, + _rpcenv: &mut dyn RpcEnvironment, +) -> Result<(), Error> { + let _lock = encryption_keys::lock_config()?; + let (config, expected_digest) = encryption_keys::config()?; + + pbs_config::detect_modified_configuration_file(digest, &expected_digest)?; + + encryption_keys::archive_key(&id, config)?; + + Ok(()) +} + +#[api( + protected: true, + input: { + properties: { + id: { + schema: CRYPT_KEY_ID_SCHEMA, + }, + digest: { + optional: true, + schema: PROXMOX_CONFIG_DIGEST_SCHEMA, + }, + }, + }, + access: { + permission: &Permission::Privilege(&["system", "encryption-keys", "{id}"], PRIV_SYS_MODIFY, false), + }, +)] +/// Remove encryption key. +pub fn delete_key( + id: String, + digest: Option, + _rpcenv: &mut dyn RpcEnvironment, +) -> Result<(), Error> { + let _lock = encryption_keys::lock_config()?; + let (config, expected_digest) = encryption_keys::config()?; + + pbs_config::detect_modified_configuration_file(digest, &expected_digest)?; + + if let Some(job_ids) = encryption_key_in_use(&id) + .map_err(|_err| format_err!("failed to check if encryption key is in-use"))? + { + let plural = if job_ids.len() > 1 { "s" } else { "" }; + let ids = job_ids.join(", "); + bail!("encryption key in use by sync job{plural}: '{ids}'"); + } + + encryption_keys::delete_key(&id, config)?; + + Ok(()) +} + +// check which sync jobs are associated to given key id or hold it as active encryption key +fn encryption_key_in_use(id: &str) -> Result>, Error> { + let (config, _digest) = pbs_config::sync::config()?; + + let mut used_by_jobs = Vec::new(); + + let job_list: Vec = config.convert_to_typed_array("sync")?; + for job in job_list { + if job.active_encryption_key.as_deref() == Some(id) + || job + .associated_key + .as_deref() + .unwrap_or(&[]) + .contains(&id.to_string()) + { + used_by_jobs.push(job.id.clone()); + } + } + + if used_by_jobs.is_empty() { + Ok(None) + } else { + Ok(Some(used_by_jobs)) + } +} + +const ITEM_ROUTER: Router = Router::new() + .post(&API_METHOD_ARCHIVE_KEY) + .delete(&API_METHOD_DELETE_KEY); + +pub const ROUTER: Router = Router::new() + .get(&API_METHOD_LIST_KEYS) + .post(&API_METHOD_CREATE_KEY) + .match_all("id", &ITEM_ROUTER); diff --git a/src/api2/config/mod.rs b/src/api2/config/mod.rs index 1cd9ead76..0281bcfae 100644 --- a/src/api2/config/mod.rs +++ b/src/api2/config/mod.rs @@ -9,6 +9,7 @@ pub mod acme; pub mod changer; pub mod datastore; pub mod drive; +pub mod encryption_keys; pub mod media_pool; pub mod metrics; pub mod notifications; @@ -28,6 +29,7 @@ const SUBDIRS: SubdirMap = &sorted!([ ("changer", &changer::ROUTER), ("datastore", &datastore::ROUTER), ("drive", &drive::ROUTER), + ("encryption-keys", &encryption_keys::ROUTER), ("media-pool", &media_pool::ROUTER), ("metrics", &metrics::ROUTER), ("notifications", ¬ifications::ROUTER), -- 2.47.3