From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 2C2481FF13E for ; Fri, 03 Apr 2026 10:49:42 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 80FBD16A; Fri, 3 Apr 2026 10:50:12 +0200 (CEST) Message-ID: Date: Fri, 3 Apr 2026 10:50:04 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH proxmox{,-backup} 00/20] fix #7251: implement server side encryption support for push sync jobs To: Dominik Csapak , pbs-devel@lists.proxmox.com References: <20260401075521.176354-1-c.ebner@proxmox.com> <9cee8a5c-993d-4b27-9bcb-16df67a63a76@proxmox.com> Content-Language: en-US, de-DE From: Christian Ebner In-Reply-To: <9cee8a5c-993d-4b27-9bcb-16df67a63a76@proxmox.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1775206144954 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.068 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: KUKKTDCGBMT7K4WKBG5NTXWTWYLRK3LN X-Message-ID-Hash: KUKKTDCGBMT7K4WKBG5NTXWTWYLRK3LN X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On 4/3/26 10:38 AM, Dominik Csapak wrote: > high level question before i dive deeper into the ui part: > > do the encryption keys have any overlap with tape encryption keys? > > we already have a ui for that there. maybe we could unify that? Not really matching the encryption key handling for the tape, no. We did not want to allow for password protected encryption keys (discussed of list with Fabian) and therefore I opted to follow more along the line of what we do for PVE, at least with respect to the UI. > Personally it's not a blocker for me, but we should think > of merging them in the long run. I think it would be better > to only have one place to create/manage encryption keys (per product) The encryption keys for tapes are already strongly intertwined with the code there, I did not feel confident to move keys and configs there. Rather I would have this as possible breaking change for PBS 5.0, where we could possibly merge config. Also, it was discussed to have some better mechanism for secret handling in the future (e.g. for the password protected keys). > If it's technically not compatible/viable to merge these in the backend, > we could still write the gui in a way to only have one place but > manage two types of keys (with different api paths, etc.) The key handling there is slightly different though, so not sure if this will be compatible. > sorry if that is already answered in one of your patches,but > just saw the encryption key gui before going in and wanted to write > that out. > > On 4/1/26 9:55 AM, Christian Ebner wrote: >> This patch series implements support for encrypting backup snapshots >> when pushing from a source PBS instance to an untrusted remote target >> PBS instance. Further, it adds support to decrypt snapshots being >> encrypted on the remote source PBS when pulling the contents to the >> local target PBS instance. This allows to perform full server side >> encryption/decryption when syncing with a less trusted remote PBS. >> >> In order to encrypt/decrypt snapshots, a new encryption key entity >> is introduced, to be created as global instance on the PBS, placed and >> managed by it's own dedicated config. Keys with secret are stored >> in dedicated files so they only need to be loaded when accessing the >> key, not for listing of configuration. >> >> The sync jobs in push and pull direction are extended to receive an >> additional encryption key parameter, allowing the given key to be >> used for encryption/decription of snapshots, depending on the sync >> direction. In order to encrypt/decrypt the contents, chunks, index >> files, blobs and manifest are additionally processed, rewritten when >> required. >> >> Link to the bugtracker issue: >> https://bugzilla.proxmox.com/show_bug.cgi?id=7251 >> >> >> proxmox: >> >> Christian Ebner (2): >>    pbs-api-types: define encryption key type and schema >>    pbs-api-types: sync job: add optional encryption key to config >> >>   pbs-api-types/src/jobs.rs           | 11 ++++++++-- >>   pbs-api-types/src/key_derivation.rs | 34 ++++++++++++++++++++++++++--- >>   pbs-api-types/src/lib.rs            |  2 +- >>   3 files changed, 41 insertions(+), 6 deletions(-) >> >> >> proxmox-backup: >> >> Christian Ebner (18): >>    pbs-key-config: introduce store_with() for KeyConfig >>    pbs-config: implement encryption key config handling >>    pbs-config: acls: add 'encryption-keys' as valid 'system' subpath >>    ui: expose 'encryption-keys' as acl subpath for 'system' >>    api: config: add endpoints for encryption key manipulation >>    api: config: allow encryption key manipulation for sync job >>    sync: push: rewrite manifest instead of pushing pre-existing one >>    sync: add helper to check encryption key acls and load key >>    fix #7251: api: push: encrypt snapshots using configured encryption >>      key >>    ui: define and expose encryption key management menu item and windows >>    ui: expose assigning encryption key to sync jobs >>    sync: pull: load encryption key if given in job config >>    sync: expand source chunk reader trait by crypt config >>    sync: pull: introduce and use decrypt index writer if crypt config >>    sync: pull: extend encountered chunk by optional decrypted digest >>    sync: pull: decrypt blob files on pull if encryption key is configured >>    sync: pull: decrypt chunks and rewrite index file for matching key >>    sync: pull: decrypt snapshots with matching encryption key fingerprint >> >>   pbs-config/Cargo.toml              |   1 + >>   pbs-config/src/acl.rs              |   4 +- >>   pbs-config/src/encryption_keys.rs  | 159 +++++++++++ >>   pbs-config/src/lib.rs              |   1 + >>   pbs-key-config/src/lib.rs          |  36 ++- >>   src/api2/config/encryption_keys.rs | 115 ++++++++ >>   src/api2/config/mod.rs             |   2 + >>   src/api2/config/sync.rs            |  10 + >>   src/api2/pull.rs                   |  15 +- >>   src/api2/push.rs                   |  14 +- >>   src/server/pull.rs                 | 416 ++++++++++++++++++++++++----- >>   src/server/push.rs                 | 222 +++++++++++---- >>   src/server/sync.rs                 |  57 +++- >>   www/Makefile                       |   3 + >>   www/NavigationTree.js              |   6 + >>   www/Utils.js                       |   1 + >>   www/config/EncryptionKeysView.js   | 143 ++++++++++ >>   www/form/EncryptionKeySelector.js  |  59 ++++ >>   www/form/PermissionPathSelector.js |   1 + >>   www/window/EncryptionKeysEdit.js   | 382 ++++++++++++++++++++++++++ >>   www/window/SyncJobEdit.js          |  11 + >>   21 files changed, 1512 insertions(+), 146 deletions(-) >>   create mode 100644 pbs-config/src/encryption_keys.rs >>   create mode 100644 src/api2/config/encryption_keys.rs >>   create mode 100644 www/config/EncryptionKeysView.js >>   create mode 100644 www/form/EncryptionKeySelector.js >>   create mode 100644 www/window/EncryptionKeysEdit.js >> >> >> Summary over all repositories: >>    24 files changed, 1553 insertions(+), 152 deletions(-) >> >