From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B8E5D1FF136 for ; Mon, 20 Apr 2026 18:16:32 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id EBAC68B40; Mon, 20 Apr 2026 18:16:24 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v4 28/30] sync: pull: decrypt snapshots with matching encryption key fingerprint Date: Mon, 20 Apr 2026 18:15:31 +0200 Message-ID: <20260420161533.1055484-29-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260420161533.1055484-1-c.ebner@proxmox.com> References: <20260420161533.1055484-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776701669462 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.071 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: AIJQKQ7Y4WHSO3OIUE5PNTT3Q4G2IJAJ X-Message-ID-Hash: AIJQKQ7Y4WHSO3OIUE5PNTT3Q4G2IJAJ X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Decrypt any backup snapshot during pull which was encrypted with a matching encryption key. Matching of keys is performed by comparing the fingerprint of the key as stored in the source manifest and the key configured for the pull sync jobs. If matching, pass along the key's crypto config to the index and chunk readers and write the local files unencrypted instead of simply downloading them. A new manifest file is written instead of the original one and files registered accordingly. If the local snapshot already exists (resync), refuse to sync without decryption if the target snapshot is unencrypted, the source however encrypted. To detect file changes for resync, compare the file change fingerprint calculated on the decrypted files before push sync with encryption. Signed-off-by: Christian Ebner --- src/server/pull.rs | 104 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 99 insertions(+), 5 deletions(-) diff --git a/src/server/pull.rs b/src/server/pull.rs index aeb82af99..c5924e82b 100644 --- a/src/server/pull.rs +++ b/src/server/pull.rs @@ -11,6 +11,9 @@ use std::time::SystemTime; use anyhow::{bail, format_err, Context, Error}; use pbs_tools::crypt_config::CryptConfig; use proxmox_human_byte::HumanByte; +use serde_json::Value; +use tokio::fs::OpenOptions; +use tokio::io::AsyncWriteExt; use tracing::{info, warn}; use pbs_api_types::{ @@ -457,12 +460,23 @@ async fn pull_single_archive<'a>( ) .await?; if let Some(DecryptedIndexWriter::Dynamic(index)) = &new_index_writer { - let _csum = index.lock().unwrap().close()?; + let csum = index.lock().unwrap().close()?; // For both cases, with and without rewriting the index the final index is // persisted with a rename of the tempfile. Therefore, overwrite current // tempfile here so it will be finally persisted instead. std::fs::rename(&path, &tmp_path)?; + + if let Some(new_manifest) = new_manifest { + let name = archive_name.as_str().try_into()?; + // size is identical to original, encrypted index + new_manifest.lock().unwrap().add_file( + &name, + size, + csum, + CryptMode::None, + )?; + } } sync_stats.add(stats); @@ -497,12 +511,23 @@ async fn pull_single_archive<'a>( ) .await?; if let Some(DecryptedIndexWriter::Fixed(index)) = &new_index_writer { - let _csum = index.lock().unwrap().close()?; + let csum = index.lock().unwrap().close()?; // For both cases, with and without rewriting the index the final index is // persisted with a rename of the tempfile. Therefore, overwrite current // tempfile here so it will be finally persisted instead. std::fs::rename(&path, &tmp_path)?; + + if let Some(new_manifest) = new_manifest { + let name = archive_name.as_str().try_into()?; + // size is identical to original, encrypted index + new_manifest.lock().unwrap().add_file( + &name, + size, + csum, + CryptMode::None, + )?; + } } sync_stats.add(stats); @@ -621,6 +646,7 @@ async fn pull_snapshot<'a>( return Ok(sync_stats); } + let mut local_manifest_file_fp = None; if manifest_name.exists() && !corrupt { let manifest_blob = proxmox_lang::try_block!({ let mut manifest_file = std::fs::File::open(&manifest_name).map_err(|err| { @@ -641,12 +667,31 @@ async fn pull_snapshot<'a>( info!("no data changes"); let _ = std::fs::remove_file(&tmp_manifest_name); return Ok(sync_stats); // nothing changed + } else { + let manifest = BackupManifest::try_from(manifest_blob)?; + if !params.crypt_configs.is_empty() { + let fp = manifest.change_detection_fingerprint()?; + local_manifest_file_fp = Some(hex::encode(fp)); + } } } - let manifest_data = tmp_manifest_blob.raw_data().to_vec(); + let mut manifest_data = tmp_manifest_blob.raw_data().to_vec(); let manifest = BackupManifest::try_from(tmp_manifest_blob)?; + if let Value::String(fp) = &manifest.unprotected["change-detection-fingerprint"] { + if let Some(local) = &local_manifest_file_fp { + if fp == local { + if !client_log_name.exists() { + reader.try_download_client_log(&client_log_name).await?; + }; + info!("no data changes"); + let _ = std::fs::remove_file(&tmp_manifest_name); + return Ok(sync_stats); + } + } + } + if ignore_not_verified_or_encrypted( &manifest, snapshot.dir(), @@ -663,8 +708,23 @@ async fn pull_snapshot<'a>( return Ok(sync_stats); } - let crypt_config = None; - let new_manifest = None; + let mut crypt_config = None; + let mut new_manifest = None; + if let Ok(Some(source_fingerprint)) = manifest.fingerprint() { + for (key_id, config) in ¶ms.crypt_configs { + if config.fingerprint() == *source_fingerprint.bytes() { + crypt_config = Some(Arc::clone(config)); + new_manifest = Some(Arc::new(Mutex::new(BackupManifest::new(snapshot.into())))); + info!("Found matching key '{key_id}' with fingerprint {source_fingerprint}, decrypt on pull"); + break; + } + } + } + + // pre-existing local manifest for unencrypted snapshot, never overwrite with encrypted + if local_manifest_file_fp.is_some() && crypt_config.is_none() { + bail!("local unencrypted snapshot detected, refuse to sync without source decryption"); + } let backend = ¶ms.target.backend; for item in manifest.files() { @@ -720,6 +780,40 @@ async fn pull_snapshot<'a>( sync_stats.add(stats); } + if let Some(new_manifest) = new_manifest { + let mut new_manifest = Arc::try_unwrap(new_manifest) + .map_err(|_arc| { + format_err!("failed to take ownership of still referenced new manifest") + })? + .into_inner() + .unwrap(); + + // copy over notes ecc, but drop encryption key fingerprint and verify state, to be + // reverified independent from the sync. + new_manifest.unprotected = manifest.unprotected.clone(); + if let Some(unprotected) = new_manifest.unprotected.as_object_mut() { + unprotected.remove("change-detection-fingerprint"); + unprotected.remove("key-fingerprint"); + unprotected.remove("verify_state"); + } else { + bail!("Encountered unexpected manifest without 'unprotected' section."); + } + + let manifest_string = new_manifest.to_string(None)?; + let manifest_blob = DataBlob::encode(manifest_string.as_bytes(), None, true)?; + // update contents to be uploaded to backend + manifest_data = manifest_blob.raw_data().to_vec(); + + let mut tmp_manifest_file = OpenOptions::new() + .write(true) + .truncate(true) // clear pre-existing manifest content + .open(&tmp_manifest_name) + .await?; + tmp_manifest_file.write_all(&manifest_data).await?; + tmp_manifest_file.flush().await?; + nix::unistd::fsync(tmp_manifest_file.as_raw_fd())?; + } + if let Err(err) = std::fs::rename(&tmp_manifest_name, &manifest_name) { bail!("Atomic rename file {:?} failed - {}", manifest_name, err); } -- 2.47.3