From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id A67931FF136 for ; Mon, 20 Apr 2026 18:16:49 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 881C391AE; Mon, 20 Apr 2026 18:16:39 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v4 13/30] api: config: allow encryption key manipulation for sync job Date: Mon, 20 Apr 2026 18:15:16 +0200 Message-ID: <20260420161533.1055484-14-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260420161533.1055484-1-c.ebner@proxmox.com> References: <20260420161533.1055484-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776701665616 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.070 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: LXNIOVOHOGBTQ7ZU735IVMETUOIGF3CC X-Message-ID-Hash: LXNIOVOHOGBTQ7ZU735IVMETUOIGF3CC X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Since the SyncJobConfig got extended to include an optional active encryption key, set the default to none. Extend the api config update handler to also set, update or delete the active encryption key based on the provided parameters. Associated keys will also be updated accordingly, however it is assured that the previously active key will remain associated, if changed. They encryption key will be used to encrypt unencrypted backup snapshots during push sync. Any of the associated keys will be used to decrypt snapshots with matching key fingerprint during pull sync. During updates to active encryption key, associated keys and/or owner assure access to keys is granted for respective sync job owner. Signed-off-by: Christian Ebner --- src/api2/config/sync.rs | 84 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 81 insertions(+), 3 deletions(-) diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs index 75b99c2a7..8208d5226 100644 --- a/src/api2/config/sync.rs +++ b/src/api2/config/sync.rs @@ -330,6 +330,22 @@ pub fn read_sync_job(id: String, rpcenv: &mut dyn RpcEnvironment) -> Result, + associated_keys: &mut Option>, +) { + if let Some(prev) = current_active { + match associated_keys { + Some(ref mut keys) => { + if !keys.contains(prev) { + keys.push(prev.clone()); + } + } + None => *associated_keys = Some(vec![prev.clone()]), + } + } +} + #[api()] #[derive(Serialize, Deserialize)] #[serde(rename_all = "kebab-case")] @@ -373,6 +389,10 @@ pub enum DeletableProperty { UnmountOnDone, /// Delete the sync_direction property, SyncDirection, + /// Delete the active encryption key property, + ActiveEncryptionKey, + /// Delete associated key property, + AssociatedKey, } #[api( @@ -414,7 +434,7 @@ required sync job owned by user. Additionally, remove vanished requires RemoteDa #[allow(clippy::too_many_arguments)] pub fn update_sync_job( id: String, - update: SyncJobConfigUpdater, + mut update: SyncJobConfigUpdater, delete: Option>, digest: Option, rpcenv: &mut dyn RpcEnvironment, @@ -437,6 +457,9 @@ pub fn update_sync_job( } if let Some(delete) = delete { + // temporarily hold the previosly active key in case of updates, + // so it can be readded as associated key afterwards. + let mut previous_active_encryption_key = None; for delete_prop in delete { match delete_prop { DeletableProperty::Remote => { @@ -496,8 +519,23 @@ pub fn update_sync_job( DeletableProperty::SyncDirection => { data.sync_direction = None; } + DeletableProperty::ActiveEncryptionKey => { + // Previously active encryption keys are always rotated to + // become an associated key in order to hinder unintended + // deletion (e.g. key got rotated for the push, but it still + // is intended to be used for restore/pull existing snapshots). + previous_active_encryption_key = data.active_encryption_key.take(); + } + DeletableProperty::AssociatedKey => { + // Previous active encryption key might be added as associated below. + data.associated_key = None; + } } } + keep_previous_key_as_associated( + previous_active_encryption_key.as_ref(), + &mut data.associated_key, + ); } if let Some(comment) = update.comment { @@ -524,8 +562,18 @@ pub fn update_sync_job( if let Some(remote_ns) = update.remote_ns { data.remote_ns = Some(remote_ns); } - if let Some(owner) = update.owner { - data.owner = Some(owner); + if let Some(owner) = &update.owner { + data.owner = Some(owner.clone()); + // must assure new owner can access pre-configured keys, other cases are + // checked on respective key updates + if update.active_encryption_key.is_none() { + sync_user_can_access_optional_key(data.active_encryption_key.as_deref(), owner, true)?; + } + if update.associated_key.is_none() { + for key in data.associated_key.as_deref().unwrap_or(&[]) { + sync_user_can_access_optional_key(Some(key), owner, true)?; + } + } } if let Some(group_filter) = update.group_filter { data.group_filter = Some(group_filter); @@ -555,6 +603,34 @@ pub fn update_sync_job( data.sync_direction = Some(sync_direction); } + if let Some(active_encryption_key) = update.active_encryption_key { + // owner updated above already, so can use the one in data + let owner = data + .owner + .as_ref() + .unwrap_or_else(|| Authid::root_auth_id()); + sync_user_can_access_optional_key(Some(&active_encryption_key), owner, true)?; + + keep_previous_key_as_associated( + data.active_encryption_key.as_ref(), + &mut update.associated_key, + ); + data.active_encryption_key = Some(active_encryption_key); + } + + if let Some(associated_key) = update.associated_key { + // owner updated above already, so can use the one in data + let owner = data + .owner + .as_ref() + .unwrap_or_else(|| Authid::root_auth_id()); + // Don't allow associating keys the local user/owner can't access + for key in &associated_key { + sync_user_can_access_optional_key(Some(key), owner, false)?; + } + data.associated_key = Some(associated_key); + } + if update.limit.rate_in.is_some() { data.limit.rate_in = update.limit.rate_in; } @@ -727,6 +803,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator run_on_mount: None, unmount_on_done: None, sync_direction: None, // use default + active_encryption_key: None, + associated_key: None, }; // should work without ACLs -- 2.47.3