* [PATCH proxmox{,-backup} 0/6] sync: add strict encryption mode
From: Fabian Grünbichler @ 2026-04-29 14:09 UTC (permalink / raw)
To: pbs-devel
enabling this mode will ensure that encrypted snapshots using keys other than
those configured are not synced.
pull in general is currently a bit stricter than push, erroring out as opposed
to skipping - should we align the behaviour?
proxmox:
Fabian Grünbichler (1):
pbs-api-types: sync job: add strict-encryption-mode
pbs-api-types/src/jobs.rs | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
proxmox-backup:
Fabian Grünbichler (5):
pull: add support for strict decryption checking
push: add support for strict encryption checking
sync: wire up strict encryption mode
ui: add strict-encryption-mode to SyncJobEdit window
docs: sync: add strict encryption mode
docs/managing-remotes.rst | 5 +++++
src/api2/config/sync.rs | 30 +++++++++++++++++++++++++++-
src/api2/pull.rs | 11 +++++++++--
src/api2/push.rs | 9 ++++++++-
src/server/pull.rs | 9 +++++++++
src/server/push.rs | 41 ++++++++++++++++++++++++++++++++++-----
src/server/sync.rs | 1 +
www/window/SyncJobEdit.js | 17 ++++++++++++++++
8 files changed, 114 insertions(+), 9 deletions(-)
Summary over all repositories:
9 files changed, 128 insertions(+), 13 deletions(-)
--
Generated by murpp 0.11.0
* [PATCH proxmox 1/6] pbs-api-types: sync job: add strict-encryption-mode
From: Fabian Grünbichler @ 2026-04-29 14:09 UTC (permalink / raw)
To: pbs-devel
this field restricts sync scope to not allow transferring encrypted snapshots
using non-matching encryption keys. this can be combined with `encrypted-only`
for pulling to ensure only matching encrypted snapshots are transferred,
excluding any non-encrypted or non-matching encrypted snapshots.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
pbs-api-types/src/jobs.rs | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/pbs-api-types/src/jobs.rs b/pbs-api-types/src/jobs.rs
index ac5dfa92..49eb084c 100644
--- a/pbs-api-types/src/jobs.rs
+++ b/pbs-api-types/src/jobs.rs
@@ -12,10 +12,10 @@ use proxmox_schema::*;
use crate::{
Authid, BackupNamespace, BackupType, NotificationMode, RateLimitConfig, Userid,
- BACKUP_GROUP_SCHEMA, BACKUP_NAMESPACE_SCHEMA, BACKUP_NS_RE, DATASTORE_SCHEMA,
- DRIVE_NAME_SCHEMA, CRYPT_KEY_ID_SCHEMA, MEDIA_POOL_NAME_SCHEMA,
- NS_MAX_DEPTH_REDUCED_SCHEMA, PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX_STR,
- REMOTE_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
+ BACKUP_GROUP_SCHEMA, BACKUP_NAMESPACE_SCHEMA, BACKUP_NS_RE, CRYPT_KEY_ID_SCHEMA,
+ DATASTORE_SCHEMA, DRIVE_NAME_SCHEMA, MEDIA_POOL_NAME_SCHEMA, NS_MAX_DEPTH_REDUCED_SCHEMA,
+ PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_REGEX_STR, REMOTE_ID_SCHEMA,
+ SINGLE_LINE_COMMENT_SCHEMA,
};
const_regex! {
@@ -591,6 +591,10 @@ pub const RUN_SYNC_ON_MOUNT_SCHEMA: Schema =
pub const UNMOUNT_ON_SYNC_DONE_SCHEMA: Schema =
BooleanSchema::new("Unmount involved removable datastore after the sync job finishes. Requires 'run-on-mount' to be enabled.")
.schema();
+pub const SYNC_STRICT_ENCRYPTION_MODE_SCHEMA: Schema = BooleanSchema::new(
+ "Do not allow syncing of pre-existing encrypted snapshots with unknown keys",
+)
+.schema();
#[api(
properties: {
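Review bot: The schema description "Do not allow syncing of pre-existing encrypted snapshots with unknown keys" is the only text API and CLI users will see for this option, and "unknown keys" does not say which keys count as known. Consider wording it in terms of the keys configured on the job (the active encryption key for push, the associated keys for pull), and mention that the effect depends on the sync direction.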
@@ -686,6 +690,10 @@ pub const UNMOUNT_ON_SYNC_DONE_SCHEMA: Schema =
},
optional: true,
},
+ "strict-encryption-mode": {
+ schema: SYNC_STRICT_ENCRYPTION_MODE_SCHEMA,
+ optional: true,
+ }
}
)]
#[derive(Serialize, Deserialize, Clone, Updater, PartialEq)]
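Review bot: Style nit on the new "strict-encryption-mode" property: its closing `}` has no trailing comma, while the entry just above it closes with `},`. Adding the comma keeps the next property addition to a one-line diff.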
@@ -737,6 +745,8 @@ pub struct SyncJobConfig {
pub active_encryption_key: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub associated_key: Option<Vec<String>>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub strict_encryption_mode: Option<bool>,
}
impl SyncJobConfig {
--
2.47.3
* [PATCH proxmox-backup 2/6] pull: add support for strict decryption checking
From: Fabian Grünbichler @ 2026-04-29 14:09 UTC (permalink / raw)
To: pbs-devel
if enabled, this mode will refuse to sync encrypted snapshots which cannot be
decrypted. the only exception are encrypted snapshots which have previously
been synced without decryption and are just resynced.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/pull.rs | 2 ++
src/server/pull.rs | 9 +++++++++
2 files changed, 11 insertions(+)
diff --git a/src/api2/pull.rs b/src/api2/pull.rs
index 20b73b2cc..b80bc9a7d 100644
--- a/src/api2/pull.rs
+++ b/src/api2/pull.rs
@@ -93,6 +93,7 @@ impl TryFrom<&SyncJobConfig> for PullParameters {
sync_job.resync_corrupt,
sync_job.worker_threads,
sync_job.associated_key.clone(),
+ None,
)
}
}
@@ -233,6 +234,7 @@ async fn pull(
resync_corrupt,
worker_threads,
decryption_keys,
+ None,
)?;
// fixme: set to_stdout to false?
diff --git a/src/server/pull.rs b/src/server/pull.rs
index 5fa18cefa..fcb14b878 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -77,6 +77,8 @@ pub(crate) struct PullParameters {
worker_threads: Option<usize>,
/// Decryption key ids and configs to decrypt snapshots with matching key fingerprint
crypt_configs: Vec<(String, Arc<CryptConfig>)>,
+ /// Only sync encrypted snapshots if a matching key is configured
+ strict_decryption_mode: bool,
}
impl PullParameters {
@@ -99,6 +101,7 @@ impl PullParameters {
resync_corrupt: Option<bool>,
worker_threads: Option<usize>,
decryption_keys: Option<Vec<String>>,
+ strict_decryption_mode: Option<bool>,
) -> Result<Self, Error> {
if let Some(max_depth) = max_depth {
ns.check_max_depth(max_depth)?;
@@ -108,6 +111,7 @@ impl PullParameters {
let resync_corrupt = resync_corrupt.unwrap_or(false);
let encrypted_only = encrypted_only.unwrap_or(false);
let verified_only = verified_only.unwrap_or(false);
+ let strict_decryption_mode = strict_decryption_mode.unwrap_or(false);
let source: Arc<dyn SyncSource> = if let Some(remote) = remote {
let (remote_config, _digest) = pbs_config::remote::config()?;
@@ -165,6 +169,7 @@ impl PullParameters {
resync_corrupt,
worker_threads,
crypt_configs,
+ strict_decryption_mode,
})
}
}
@@ -980,6 +985,10 @@ async fn optionally_use_decryption_key(
bail!("No matching key found, refusing sync");
}
+ if encrypted && params.strict_decryption_mode {
+ bail!("No matching key found but strict checking requests, refusing to sync");
+ }
+
// regular sync
if !params.crypt_configs.is_empty() {
log_sender
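Review bot: The new bail message in optionally_use_decryption_key, "No matching key found but strict checking requests, refusing to sync", is ungrammatical and starts with the same words as the bail just above it ("No matching key found, refusing sync"), so the two cases are hard to tell apart in a task log. Something like "encrypted snapshot has no matching decryption key and strict decryption mode is enabled, refusing sync" would be clearer. Two further points: the commit message promises an exception for snapshots that were previously synced without decryption, but nothing in this hunk shows where that case returns before reaching the new check, so a short comment pointing at it would help; and this path aborts with bail! whereas the push side logs and returns Ok(stats), which is the behaviour difference raised in the cover letter and should be decided before merging.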
--
2.47.3
* [PATCH proxmox-backup 3/6] push: add support for strict encryption checking
From: Fabian Grünbichler @ 2026-04-29 14:09 UTC (permalink / raw)
To: pbs-devel
if enabled, this mode will refuse to sync already encrypted snapshots, unless
they are encrypted using the active encryption key and carry a valid signature.
since pushing now checks the manifest more closely, also log whether synced
pre-encrypted snapshots use a matching key or not if the mode is disabled.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/push.rs | 1 +
src/server/push.rs | 41 ++++++++++++++++++++++++++++++++++++-----
src/server/sync.rs | 1 +
3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/src/api2/push.rs b/src/api2/push.rs
index 44629de06..54dc1e4ee 100644
--- a/src/api2/push.rs
+++ b/src/api2/push.rs
@@ -176,6 +176,7 @@ async fn push(
transfer_last,
worker_threads,
encryption_key,
+ None,
)
.await?;
diff --git a/src/server/push.rs b/src/server/push.rs
index dac62c84a..c85654ed1 100644
--- a/src/server/push.rs
+++ b/src/server/push.rs
@@ -97,6 +97,8 @@ pub(crate) struct PushParameters {
/// Encryption key to use for pushing unencrypted backup snapshots. Does not affect
/// already encrypted snapshots.
crypt_config: Option<(String, Arc<CryptConfig>)>,
+ /// Refuse to sync already encrypted snapshots
+ strict_encryption_mode: bool,
}
impl PushParameters {
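Review bot: The doc comment on strict_encryption_mode, "Refuse to sync already encrypted snapshots", is broader than what push_snapshot does later in this patch: snapshots encrypted with the matching key and carrying a valid signature are still synced as-is. Suggest "Refuse to sync already encrypted snapshots unless they use the configured encryption key" so the field documents the actual policy.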
@@ -118,6 +120,7 @@ impl PushParameters {
transfer_last: Option<usize>,
worker_threads: Option<usize>,
active_encryption_key: Option<String>,
+ strict_encryption_mode: Option<bool>,
) -> Result<Self, Error> {
if let Some(max_depth) = max_depth {
ns.check_max_depth(max_depth)?;
@@ -126,6 +129,7 @@ impl PushParameters {
let remove_vanished = remove_vanished.unwrap_or(false);
let encrypted_only = encrypted_only.unwrap_or(false);
let verified_only = verified_only.unwrap_or(false);
+ let strict_encryption_mode = strict_encryption_mode.unwrap_or(false);
let lookup = crate::tools::lookup_with(store, Operation::Read);
let store = DataStore::lookup_datastore(lookup)?;
@@ -191,6 +195,7 @@ impl PushParameters {
transfer_last,
worker_threads,
crypt_config,
+ strict_encryption_mode,
})
}
@@ -1075,7 +1080,7 @@ pub(crate) async fn push_snapshot(
}
let mut encrypt_using_key = None;
- if params.crypt_config.is_some() {
+ if let Some((id, key)) = params.crypt_config.as_ref() {
// Check if snapshot is fully encrypted or not encrypted at all:
// refuse progress otherwise to upload partially unencrypted contents or mix encryption key.
let files = source_manifest.files();
@@ -1103,10 +1108,36 @@ pub(crate) async fn push_snapshot(
).await?;
return Ok(stats);
} else {
- log_sender.log(
- Level::INFO,
- format!("Snapshot '{snapshot}' already encrypted with client key, not re-encrypting with configured active encryption key"),
- ).await?;
+ let correct_key = source_manifest
+ .fingerprint()
+ .ok()
+ .flatten()
+ .map(|fp| *fp.bytes())
+ == Some(key.fingerprint());
+ if correct_key && source_manifest.check_signature(&key).is_err() {
+ log_sender.log(
+ Level::WARN,
+ format!("Snapshot '{snapshot}' already encrypted with matching key {id}, but signature check failed"),
+ ).await?;
+ return Ok(stats);
+ }
+ if correct_key {
+ log_sender.log(
+ Level::INFO,
+ format!("Snapshot '{snapshot}' already encrypted with matching key {id}, syncing as-is"),
+ ).await?;
+ } else if params.strict_encryption_mode {
+ log_sender.log(
+ Level::INFO,
+ format!("Snapshot '{snapshot}' already encrypted with different key, strict encryption mode enabled, skip"),
+ ).await?;
+ return Ok(stats);
+ } else {
+ log_sender.log(
+ Level::INFO,
+ format!("Snapshot '{snapshot}' already encrypted with different key, not re-encrypting with configured active encryption key"),
+ ).await?;
+ }
}
}
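Review bot: The signature-failure branch (`if correct_key && source_manifest.check_signature(&key).is_err()`) returns Ok(stats) before strict_encryption_mode is consulted, so jobs with the mode disabled now skip snapshots they previously pushed as-is. The commit message only announces extra logging for the disabled case, so either gate this early return on params.strict_encryption_mode or state the behaviour change explicitly. Related: `.fingerprint().ok().flatten()` discards a fingerprint parse error and treats the snapshot as "encrypted with different key"; in non-strict mode that snapshot is then synced with only an INFO line. Logging the error at WARN would make a damaged manifest visible. A skipped snapshot also leaves the task successful, so consider whether the skip should be reflected in the returned stats or the final task status.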
diff --git a/src/server/sync.rs b/src/server/sync.rs
index f7d96811e..590ad01eb 100644
--- a/src/server/sync.rs
+++ b/src/server/sync.rs
@@ -733,6 +733,7 @@ pub fn do_sync_job(
sync_job.transfer_last,
sync_job.worker_threads,
sync_job.active_encryption_key,
+ None,
)
.await?;
push_store(push_params).await?
--
2.47.3
* [PATCH proxmox-backup 4/6] sync: wire up strict encryption mode
From: Fabian Grünbichler @ 2026-04-29 14:09 UTC (permalink / raw)
To: pbs-devel
enabling it requires configured encryption/decryption keys, disabling or
unsetting it does not.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/config/sync.rs | 30 +++++++++++++++++++++++++++++-
src/api2/pull.rs | 13 +++++++++----
src/api2/push.rs | 10 ++++++++--
src/server/sync.rs | 2 +-
4 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
index eb82745d9..ac1e6350e 100644
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@@ -276,9 +276,16 @@ pub fn create_sync_job(
.unwrap_or_else(|| Authid::root_auth_id());
if sync_direction == SyncDirection::Push {
+ if (config.strict_encryption_mode == Some(true)) != config.active_encryption_key.is_some() {
+ bail!("'strict-encryption-mode' requires encryption key");
+ }
sync_user_can_access_optional_key(config.active_encryption_key.as_deref(), owner, true)?;
} else {
- for key in config.associated_key.as_deref().unwrap_or(&[]) {
+ let keys = config.associated_key.as_deref().unwrap_or(&[]);
+ if (config.strict_encryption_mode == Some(true)) == keys.is_empty() {
+ bail!("'strict-encryption-mode' requires encryption key(s)");
+ }
+ for key in keys {
sync_user_can_access_optional_key(Some(key), owner, false)?;
}
}
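Review bot: Both new conditions in create_sync_job test for inequality between "strict enabled" and "key present" rather than for "strict enabled without a key". For push, `(config.strict_encryption_mode == Some(true)) != config.active_encryption_key.is_some()` is also true when strict mode is unset or false and an active encryption key is configured, so creating an ordinary encrypting push job now fails with "'strict-encryption-mode' requires encryption key". The pull branch has the same problem: `== keys.is_empty()` also bails when strict mode is off and associated keys are set. That contradicts the commit message ("disabling or unsetting it does not"). The check should be an implication, e.g. `config.strict_encryption_mode == Some(true) && config.active_encryption_key.is_none()` for push and `... && keys.is_empty()` for pull.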
@@ -398,6 +405,8 @@ pub enum DeletableProperty {
ActiveEncryptionKey,
/// Delete associated key property,
AssociatedKey,
+ /// Delete strict encryption_mode property,
+ StrictEncryptionMode,
}
#[api(
@@ -538,6 +547,9 @@ pub fn update_sync_job(
// Previous active encryption key might be added as associated below.
data.associated_key = None;
}
+ DeletableProperty::StrictEncryptionMode => {
+ data.strict_encryption_mode = None;
+ }
}
}
keep_previous_key_as_associated(
@@ -654,6 +666,21 @@ pub fn update_sync_job(
data.associated_key = Some(associated_key);
}
+ if let Some(strict_encryption_mode) = update.strict_encryption_mode {
+ data.strict_encryption_mode = Some(strict_encryption_mode);
+ }
+
+ if data.sync_direction == Some(SyncDirection::Push) {
+ if (data.strict_encryption_mode == Some(true)) != data.active_encryption_key.is_some() {
+ bail!("'strict-encryption-mode' requires encryption key");
+ }
+ } else {
+ let keys = data.associated_key.as_deref().unwrap_or(&[]);
+ if (data.strict_encryption_mode == Some(true)) == keys.is_empty() {
+ bail!("'strict-encryption-mode' requires encryption key(s)");
+ }
+ }
+
if update.limit.rate_in.is_some() {
data.limit.rate_in = update.limit.rate_in;
}
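Review bot: The validation added to update_sync_job repeats the inverted condition from create_sync_job, and here it runs on every update, not only when strict-encryption-mode changes. An existing push job with an active encryption key and no strict flag, or a pull job with associated keys and no strict flag, would be rejected on any edit, including unrelated ones such as a rate limit change. Use `strict == Some(true) && <no key>` in both branches, and consider moving the check into one helper shared with create_sync_job so the two copies cannot drift.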
@@ -829,6 +856,7 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
worker_threads: None,
active_encryption_key: None,
associated_key: None,
+ strict_encryption_mode: None,
};
// should work without ACLs
diff --git a/src/api2/pull.rs b/src/api2/pull.rs
index b80bc9a7d..2d91fbc44 100644
--- a/src/api2/pull.rs
+++ b/src/api2/pull.rs
@@ -10,8 +10,8 @@ use pbs_api_types::{
Authid, BackupNamespace, GroupFilter, RateLimitConfig, SyncJobConfig, CRYPT_KEY_ID_SCHEMA,
DATASTORE_SCHEMA, GROUP_FILTER_LIST_SCHEMA, NS_MAX_DEPTH_REDUCED_SCHEMA, PRIV_DATASTORE_BACKUP,
PRIV_DATASTORE_PRUNE, PRIV_REMOTE_READ, REMOTE_ID_SCHEMA, REMOVE_VANISHED_BACKUPS_SCHEMA,
- RESYNC_CORRUPT_SCHEMA, SYNC_ENCRYPTED_ONLY_SCHEMA, SYNC_VERIFIED_ONLY_SCHEMA,
- SYNC_WORKER_THREADS_SCHEMA, TRANSFER_LAST_SCHEMA,
+ RESYNC_CORRUPT_SCHEMA, SYNC_ENCRYPTED_ONLY_SCHEMA, SYNC_STRICT_ENCRYPTION_MODE_SCHEMA,
+ SYNC_VERIFIED_ONLY_SCHEMA, SYNC_WORKER_THREADS_SCHEMA, TRANSFER_LAST_SCHEMA,
};
use pbs_config::CachedUserInfo;
use proxmox_rest_server::WorkerTask;
@@ -93,7 +93,7 @@ impl TryFrom<&SyncJobConfig> for PullParameters {
sync_job.resync_corrupt,
sync_job.worker_threads,
sync_job.associated_key.clone(),
- None,
+ sync_job.strict_encryption_mode,
)
}
}
@@ -163,6 +163,10 @@ impl TryFrom<&SyncJobConfig> for PullParameters {
},
optional: true,
},
+ "strict-decryption-mode": {
+ schema: SYNC_STRICT_ENCRYPTION_MODE_SCHEMA,
+ optional: true,
+ }
},
},
access: {
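Review bot: The pull endpoint exposes the parameter as "strict-decryption-mode", while the sync job config and the push endpoint call it "strict-encryption-mode", and all three reuse SYNC_STRICT_ENCRYPTION_MODE_SCHEMA with the same description. API clients that copy a job's settings into a one-off pull call will send a name this endpoint does not accept. Either use one name everywhere or document the direction-specific naming next to the schema.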
@@ -192,6 +196,7 @@ async fn pull(
resync_corrupt: Option<bool>,
worker_threads: Option<usize>,
decryption_keys: Option<Vec<String>>,
+ strict_decryption_mode: Option<bool>,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<String, Error> {
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
@@ -234,7 +239,7 @@ async fn pull(
resync_corrupt,
worker_threads,
decryption_keys,
- None,
+ strict_decryption_mode,
)?;
// fixme: set to_stdout to false?
diff --git a/src/api2/push.rs b/src/api2/push.rs
index 54dc1e4ee..2ec467161 100644
--- a/src/api2/push.rs
+++ b/src/api2/push.rs
@@ -6,7 +6,8 @@ use pbs_api_types::{
GROUP_FILTER_LIST_SCHEMA, NS_MAX_DEPTH_REDUCED_SCHEMA, PRIV_DATASTORE_BACKUP,
PRIV_DATASTORE_READ, PRIV_REMOTE_DATASTORE_BACKUP, PRIV_REMOTE_DATASTORE_PRUNE,
REMOTE_ID_SCHEMA, REMOVE_VANISHED_BACKUPS_SCHEMA, SYNC_ENCRYPTED_ONLY_SCHEMA,
- SYNC_VERIFIED_ONLY_SCHEMA, SYNC_WORKER_THREADS_SCHEMA, TRANSFER_LAST_SCHEMA,
+ SYNC_STRICT_ENCRYPTION_MODE_SCHEMA, SYNC_VERIFIED_ONLY_SCHEMA, SYNC_WORKER_THREADS_SCHEMA,
+ TRANSFER_LAST_SCHEMA,
};
use proxmox_rest_server::WorkerTask;
use proxmox_router::{Permission, Router, RpcEnvironment};
@@ -116,6 +117,10 @@ fn check_push_privs(
schema: CRYPT_KEY_ID_SCHEMA,
optional: true,
},
+ "strict-encryption-mode": {
+ schema: SYNC_STRICT_ENCRYPTION_MODE_SCHEMA,
+ optional: true,
+ }
},
},
access: {
@@ -143,6 +148,7 @@ async fn push(
transfer_last: Option<usize>,
worker_threads: Option<usize>,
encryption_key: Option<String>,
+ strict_encryption_mode: Option<bool>,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<String, Error> {
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
@@ -176,7 +182,7 @@ async fn push(
transfer_last,
worker_threads,
encryption_key,
- None,
+ strict_encryption_mode,
)
.await?;
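Review bot: strict_encryption_mode is passed straight through to PushParameters::new here, and the visible lines add no check that encryption_key is set, unlike the job config API in src/api2/config/sync.rs. Since the strict branch in push_snapshot sits inside `if let Some((id, key)) = params.crypt_config.as_ref()`, a one-off push with strict mode enabled and no key would silently transfer every encrypted snapshot as-is. Rejecting that combination in push() or in PushParameters::new would make the option fail closed.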
diff --git a/src/server/sync.rs b/src/server/sync.rs
index 590ad01eb..c78213c7f 100644
--- a/src/server/sync.rs
+++ b/src/server/sync.rs
@@ -733,7 +733,7 @@ pub fn do_sync_job(
sync_job.transfer_last,
sync_job.worker_threads,
sync_job.active_encryption_key,
- None,
+ sync_job.strict_encryption_mode,
)
.await?;
push_store(push_params).await?
--
2.47.3
* [PATCH proxmox-backup 5/6] ui: add strict-encryption-mode to SyncJobEdit window
From: Fabian Grünbichler @ 2026-04-29 14:09 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
www/window/SyncJobEdit.js | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/www/window/SyncJobEdit.js b/www/window/SyncJobEdit.js
index 216653d17..013a16507 100644
--- a/www/window/SyncJobEdit.js
+++ b/www/window/SyncJobEdit.js
@@ -40,6 +40,7 @@ Ext.define('PBS.window.SyncJobEdit', {
me.syncRemoteNamespace = gettext('Target Namespace');
me.syncLocalOwner = gettext('Local User');
me.associatedKeysLabel = gettext('Associated Keys');
+ me.syncStrictEncryptionModeLabel = gettext("Strict Encryption Mode");
// Sync direction request parameter is only required for creating new jobs,
// for edit and delete it is derived from the job config given by it's id.
if (me.isCreate) {
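Review bot: Style nit: the added `gettext("Strict Encryption Mode")` uses double quotes while the neighbouring label assignments use single quotes (`gettext('Associated Keys')`); the same applies to the "Strict Decryption Mode" label in the next hunk. Matching the surrounding quoting keeps the file consistent for the formatter and for translators grepping the strings.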
@@ -55,6 +56,7 @@ Ext.define('PBS.window.SyncJobEdit', {
me.syncRemoteNamespace = gettext('Source Namespace');
me.syncLocalOwner = gettext('Local Owner');
me.associatedKeysLabel = gettext('Decryption Keys');
+ me.syncStrictEncryptionModeLabel = gettext("Strict Decryption Mode");
}
return {};
@@ -601,6 +603,21 @@ Ext.define('PBS.window.SyncJobEdit', {
'include-archived': true,
},
},
+ {
+ xtype: 'proxmoxcheckbox',
+ name: 'strict-encryption-mode',
+ cbind: {
+ fieldLabel: '{syncStrictEncryptionModeLabel}',
+ },
+ autoEl: {
+ tag: 'div',
+ 'data-qtip': gettext(
+ 'Enable strict mode for encryption/decryption.',
+ ),
+ },
+ uncheckedValue: false,
+ value: false,
+ },
],
columnB: [
{
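Review bot: The tooltip 'Enable strict mode for encryption/decryption.' restates the label and tells the user nothing about the consequence of ticking the box. It should say that encrypted snapshots using keys other than the configured ones will not be synced. The checkbox is also always enabled, while the backend rejects strict mode without a configured key, so the user only learns about the dependency from an API error on submit; disabling the field until a key is selected, or stating the requirement in the tooltip, would avoid that.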
--
2.47.3
* [PATCH proxmox-backup 6/6] docs: sync: add strict encryption mode
From: Fabian Grünbichler @ 2026-04-29 14:09 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
docs/managing-remotes.rst | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/docs/managing-remotes.rst b/docs/managing-remotes.rst
index f1e0ffaa8..38cf27b98 100644
--- a/docs/managing-remotes.rst
+++ b/docs/managing-remotes.rst
@@ -365,3 +365,8 @@ associated keys for the sync job.
.. code-block:: console
# proxmox-backup-manager sync-job update pbs2-push --active-encryption-key key1 --associated-key key2 --associated-key key3
+
+It is possible to enable strict mode for encrypted push/decrypting pull, which
+will forbid syncing of encrypted snapshots which are encrypted with keys other
+than those configured. If not enabled, such snapshots will be synced as-is,
+without decryption (pull) or re-encryption (push).
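Review bot: The added paragraph never names the option, so a reader cannot find it in the job settings or the API; mention `strict-encryption-mode` explicitly, ideally with an example in the same style as the `sync-job update` command just above. It also says strict mode "will forbid syncing" without distinguishing the two directions, although in this series pull aborts with an error and push logs and skips the snapshot. The docs should also state that enabling the mode requires a configured key, and that on push a snapshot with a matching key is still skipped if its signature check fails.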
--
2.47.3