From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 1/3] paperkey: allow RSA keys without passphrase
Date: Mon, 1 Feb 2021 14:06:16 +0100
Message-ID: <20210201130618.800923-1-f.gruenbichler@proxmox.com>
some users might want to store the plain version of their master key for
long-term storage and rely on physical security instead of a passphrase
to protect the paper key.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
our tooling does not create passphrase-less master keys, so this needs a
conscious step by the user to remove the set passphrase anyway.
src/tools/paperkey.rs | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/tools/paperkey.rs b/src/tools/paperkey.rs
index 030275cc..859e8aed 100644
--- a/src/tools/paperkey.rs
+++ b/src/tools/paperkey.rs
@@ -30,8 +30,16 @@ pub fn generate_paper_key<W: Write>(
subject: Option<String>,
output_format: Option<PaperkeyFormat>,
) -> Result<(), Error> {
+ let (data, is_master_key) = if data.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----\n")
+ || data.starts_with("-----BEGIN RSA PRIVATE KEY-----\n")
+ {
+ let data = data.trim_end();
+ if !(data.ends_with("\n-----END ENCRYPTED PRIVATE KEY-----")
+ || data.ends_with("\n-----END RSA PRIVATE KEY-----"))
+ {
+ bail!("unexpected key format");
+ }
- let (data, is_private_key) = if data.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----\n") {
let lines: Vec<String> = data
.lines()
.map(|s| s.trim_end())
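Review bot: the new guard in the first hunk accepts any combination of the two BEGIN and two END markers, so input that opens with `-----BEGIN ENCRYPTED PRIVATE KEY-----` and closes with `-----END RSA PRIVATE KEY-----` passes the "unexpected key format" check; pairing the END marker with the BEGIN marker that matched (for example by picking the label once and checking `data.ends_with(&format!("\n-----END {}-----", label))`) would reject mismatched blocks. A second, smaller point: the subject says "RSA keys without passphrase", but only the PKCS#1 `RSA PRIVATE KEY` label is matched, so a passphrase-less key written in PKCS#8 form (`-----BEGIN PRIVATE KEY-----`) is still rejected; if that is intended because the project tooling emits PKCS#1, a short comment next to the `starts_with` pair would save the next reader the question.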
@@ -39,10 +47,6 @@ pub fn generate_paper_key<W: Write>(
.map(String::from)
.collect();
- if !lines[lines.len()-1].starts_with("-----END ENCRYPTED PRIVATE KEY-----") {
- bail!("unexpected key format");
- }
-
if lines.len() < 20 {
bail!("unexpected key format");
}
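Review bot: with the END-marker check moved into the enclosing block, the remaining `if lines.len() < 20` guard is now the only sanity check on the body for both key types, and its threshold was written with the encrypted PKCS#8 layout in mind; a comment stating what the 20 is derived from (or a named constant) would make it clear that an unencrypted `RSA PRIVATE KEY` block is also expected to clear it.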
@@ -68,8 +72,8 @@ pub fn generate_paper_key<W: Write>(
let format = output_format.unwrap_or(PaperkeyFormat::Html);
match format {
- PaperkeyFormat::Html => paperkey_html(output, &data, subject, is_private_key),
- PaperkeyFormat::Text => paperkey_text(output, &data, subject, is_private_key),
+ PaperkeyFormat::Html => paperkey_html(output, &data, subject, is_master_key),
+ PaperkeyFormat::Text => paperkey_text(output, &data, subject, is_master_key),
}
}
@@ -77,7 +81,7 @@ fn paperkey_html<W: Write>(
mut output: W,
lines: &[String],
subject: Option<String>,
- is_private: bool,
+ is_master: bool,
) -> Result<(), Error> {
let img_size_pt = 500;
@@ -107,7 +111,7 @@ fn paperkey_html<W: Write>(
writeln!(output, "<p>Subject: {}</p>", subject)?;
}
- if is_private {
+ if is_master {
const BLOCK_SIZE: usize = 20;
let blocks = (lines.len() + BLOCK_SIZE -1)/BLOCK_SIZE;
--
2.20.1
Thread overview:
2021-02-01 13:06 Fabian Grünbichler [this message]
2021-02-01 13:06 ` [pbs-devel] [PATCH proxmox-backup 2/3] paperkey: simplify block generation Fabian Grünbichler
2021-02-01 13:06 ` [pbs-devel] [PATCH proxmox-backup 3/3] paperkey: rustfmt Fabian Grünbichler
2021-02-01 16:05 ` [pbs-devel] applied: [PATCH proxmox-backup 1/3] paperkey: allow RSA keys without passphrase Dietmar Maurer