From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <f.ebner@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by lists.proxmox.com (Postfix) with ESMTPS id 353237B531
for <pve-devel@lists.proxmox.com>; Wed, 12 May 2021 11:55:31 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 2BEE5B975
for <pve-devel@lists.proxmox.com>; Wed, 12 May 2021 11:55:01 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
[94.136.29.106])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by firstgate.proxmox.com (Proxmox) with ESMTPS id 28D30B96A
for <pve-devel@lists.proxmox.com>; Wed, 12 May 2021 11:55:00 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 0963C4654F
for <pve-devel@lists.proxmox.com>; Wed, 12 May 2021 11:55:00 +0200 (CEST)
To: pve-devel@lists.proxmox.com,
=?UTF-8?Q?Fabian_Gr=c3=bcnbichler?= <f.gruenbichler@proxmox.com>
References: <20210208130835.2512356-1-f.gruenbichler@proxmox.com>
From: Fabian Ebner <f.ebner@proxmox.com>
Message-ID: <d1ba76c3-5ef1-8a1e-769c-a3dd29ee2f2c@proxmox.com>
Date: Wed, 12 May 2021 11:54:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <20210208130835.2512356-1-f.gruenbichler@proxmox.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.003 Adjusted score from AWL reputation of From: address
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
NICE_REPLY_A -0.001 Looks like a legit reply (A)
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH-SERIES 0/4] PBS master key integration
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2021 09:55:31 -0000
Am 08.02.21 um 14:08 schrieb Fabian Grünbichler:
> this series enables master key integration for PVE->PBS, by allowing the
> configuration of a per-storage master key which is used for (encrypted)
> VM and CT backups.
>
> while the diffs are small, the following bumps/dependencies/.. are required:
>
> proxmox-backup needs a bump (commits from other series)
> pve-storage needs a bump + a versioned-dep on proxmox-backup-client (new
> CLI parameters)
> qemu-server needs a versioned-dependency on bumped pve-storage (new
> storage plugin methods)
>
> qemu needs a bump + a versioned-dependency (build + RT) on
> libproxmox-backup-qemu (API change)
> libproxmox-backup-qemu needs a bump + breaks on pre-bump qemu (API
> change)
>
> it might make sense to queue the libproxmox-backup-qemu and
> proxmox-backup bumps together (the former directly references git of the
> latter at the moment, instead of a tag).
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
Tried out the series and works as advertised. Test log with a few nits
(one of them not even about this series, but the PBS docs):
For the storage parameter in the man page:
--master-pubkey a file containing a PEM-formatted master public key
Base64-encoded, PEM-formatted public RSA key. Used tp encrypt a
copy of the encryption-key which will be added to each encrypted backup.
The description might be confusing, as one might wrongly think the file
has to be base64 encoded. Also, there's a typo: "Used tp encrypt".
Tested storage adding/update/removal with master-pubkey. The update hook
does not check if there's an encryption key, but the add hook does.
Maybe we can also check that the file's contents are actually a PEM
public key?
Tested backup+restore of a VM, with
1) downgraded pve-qemu-kvm=5.1.0-8 libproxmox-backup-qemu0=1.0.2-1
2) storage with master-pubkey but no encryption key
Warnings show up in the log and master key is not used as expected.
Tested backup+restore of a VM and a CT with correctly configured
storage, also worked as expected.
Removed the encryption key on the storage, restore fails.
Restored the key from the backup with a master key as described in the
PBS docs. Well, except for using '--kdf none' in the command below, so I
could actually upload the keyfile to the storage again without running
into an "Error: no password input mechanism available". From the PBS docs:
6. Then, use the previously generated master key to decrypt the file:
# proxmox-backup-client key import-with-master-key /path/to/target
--master-keyfile /path/to/master-private.pem --encrypted-keyfile
/path/to/rsa-encrypted.key
7. The target file will now contain the encryption key information in
plain text. The success of this can be confirmed by passing the
resulting json file, with the --keyfile parameter, when decrypting files
from the backup.
Maybe we should mention something about the kdf, as the "file will now
contain the encryption key information in plain text" is a bit
misleading. Technically true, the information about the key is in plain
text, but not the key itself ;)
Now, restoring worked again. Also recovered the key from the CT backup
and checked that it matched.