Subject: Re: [PATCH proxmox-backup v3 19/30] fix #7251: api: push: encrypt snapshots using configured encryption key
From: Michael Köppl
To: "Christian Ebner"
Date: Wed, 15 Apr 2026 16:49:04 +0200

On Tue Apr 14, 2026 at 2:59 PM CEST, Christian Ebner wrote:

[snip]

> let mut encrypt_using_key =3D None; > + if params.crypt_config.is_some() { > + // Check if snapshot is fully encrypted or not encrypted at all: > + // refuse progress otherwise to upload partially unencrypted con= tents or mix encryption key. > + let files =3D source_manifest.files(); > + let all_unencrypted =3D files > + .iter() > + .all(|f| f.chunk_crypt_mode() =3D=3D CryptMode::None); > + let any_unencrypted =3D files > + .iter() > + .any(|f| f.chunk_crypt_mode() =3D=3D CryptMode::None); > + > + if all_unencrypted { > + encrypt_using_key =3D params.crypt_config.clone(); > + info!("Encrypt and push unencrypted snapshot '{snapshot}'");

nit: Might just be me, but to me this reads like it would encrypt the snapshot and then just push the unencrypted one. Perhaps something like "Encrypt and push previously unencrypted snapshot"?

> + } else if any_unencrypted { > + warn!("Encountered partially encrypted snapshot '{snapshot}'= , refuse to re-encrypt and skip"); > + return Ok(stats); > + } else { > + info!("Pushing already encrypted snapshot '{snapshot}' witho= ut re-encryption"); > + } > + }

[snip]
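
Review bot: In the final `else` branch, every file whose `chunk_crypt_mode()` is anything other than `CryptMode::None` is treated as encrypted, so if `CryptMode` has a variant that leaves chunk data in plaintext (a sign-only mode, for instance), such a snapshot would be logged as "already encrypted" and pushed without the configured key being applied. Consider testing for the encrypting variant explicitly and warning or refusing on anything else, so the "fully encrypted or not encrypted at all" invariant in the comment is what the code actually enforces. Separately, `.all()` returns true for an empty iterator, so a manifest with no files takes the `all_unencrypted` branch and sets `encrypt_using_key`; if that case can occur it deserves a comment or an explicit check. The two passes over `files` could also be a single pass that counts unencrypted entries and compares the count against `files.len()`.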