From: Markus Frank <m.frank@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup] fix #3854 paperkey import to proxmox-tape
Date: Tue, 8 Feb 2022 12:51:19 +0100 [thread overview]
Message-ID: <20220208115119.74931-1-m.frank@proxmox.com> (raw)
added a parameter to the cli for reading a old paperkeyfile to restore
the key from it. For that i added a json parameter for the api and made
hint optional because hint is already in the proxmox-backupkey-json.
functionality:
proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup
proxmox-tape key create --paperkeyfile paperkey.backup
for importing the key it is irrelevant, if the paperkey got exported as html
or txt.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
src/api2/config/tape_encryption_keys.rs | 41 +++++++++++++++++++------
src/bin/proxmox_tape/encryption_key.rs | 28 +++++++++++++++++
2 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/src/api2/config/tape_encryption_keys.rs b/src/api2/config/tape_encryption_keys.rs
index 1ad99377..23de4acc 100644
--- a/src/api2/config/tape_encryption_keys.rs
+++ b/src/api2/config/tape_encryption_keys.rs
@@ -145,6 +145,12 @@ pub fn change_passphrase(
},
hint: {
schema: PASSWORD_HINT_SCHEMA,
+ optional: true,
+ },
+ backupkey: {
+ description: "json parameter for importing old backupkey",
+ type: String,
+ optional: true,
},
},
},
@@ -159,7 +165,8 @@ pub fn change_passphrase(
pub fn create_key(
kdf: Option<Kdf>,
password: String,
- hint: String,
+ hint: Option<String>,
+ backupkey: Option<String>,
_rpcenv: &mut dyn RpcEnvironment
) -> Result<Fingerprint, Error> {
@@ -169,14 +176,30 @@ pub fn create_key(
bail!("Please specify a key derivation function (none is not allowed here).");
}
- let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?;
- key_config.hint = Some(hint);
-
- let fingerprint = key_config.fingerprint.clone().unwrap();
-
- insert_key(key, key_config, false)?;
-
- Ok(fingerprint)
+ if let Some(ref backupkey) = backupkey {
+ match serde_json::from_str::<KeyConfig>(backupkey) {
+ Ok(key_config) => {
+ let password_fn = || { Ok(password.as_bytes().to_vec()) };
+ let (key, _created, fingerprint) = key_config.decrypt(&password_fn)?;
+ insert_key(key, key_config, false)?;
+ Ok(fingerprint)
+ }
+ Err(err) => {
+ eprintln!("Couldn't parse data as KeyConfig - {}", err);
+ bail!("Neither a PEM-formatted private key, nor a PBS key file.");
+ }
+ }
+ } else {
+ if hint.is_none() {
+ bail!("Please specify either a hint or a backupkey.");
+ } else {
+ let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?;
+ key_config.hint = hint;
+ let fingerprint = key_config.fingerprint.clone().unwrap();
+ insert_key(key, key_config, false)?;
+ Ok(fingerprint)
+ }
+ }
}
diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs
index 156295fd..1863c9bc 100644
--- a/src/bin/proxmox_tape/encryption_key.rs
+++ b/src/bin/proxmox_tape/encryption_key.rs
@@ -15,6 +15,8 @@ use pbs_config::tape_encryption_keys::{load_key_configs,complete_key_fingerprint
use proxmox_backup::api2;
+use std::fs;
+
pub fn encryption_key_commands() -> CommandLineInterface {
let cmd_def = CliCommandMap::new()
@@ -222,6 +224,12 @@ async fn restore_key(
type: String,
min_length: 1,
max_length: 32,
+ optional: true,
+ },
+ paperkeyfile: {
+ description: "Paperkeyfile location for importing old backupkey",
+ type: String,
+ optional: true,
},
},
},
@@ -230,12 +238,32 @@ async fn restore_key(
fn create_key(
mut param: Value,
rpcenv: &mut dyn RpcEnvironment,
+ paperkeyfile: Option<String>,
) -> Result<(), Error> {
if !tty::stdin_isatty() {
bail!("no password input mechanism available");
}
+ if param["hint"].is_null() && paperkeyfile.is_none(){
+ bail!("Please specify either a hint or a paperkeyfile.");
+ }
+
+ // searching for PROXMOX BACKUP KEY if a paperkeyfile is defined
+ if let Some(paperkeyfile) = paperkeyfile {
+ let data = fs::read_to_string(paperkeyfile)?;
+ let begin = "-----BEGIN PROXMOX BACKUP KEY-----";
+ let start = data.find(begin);
+ let end = data.find("-----END PROXMOX BACKUP KEY-----");
+ if let Some(start) = start {
+ if let Some(end) = end {
+ let backupkey = &data[start+begin.len()..end];
+ param["backupkey"]=backupkey.into();
+ println!("backupkey to import: {}", backupkey);
+ }
+ }
+ }
+
let password = tty::read_and_verify_password("Tape Encryption Key Password: ")?;
param["password"] = String::from_utf8(password)?.into();
--
2.30.2
next reply other threads:[~2022-02-08 11:52 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-08 11:51 Markus Frank [this message]
2022-02-09 13:21 ` Dominik Csapak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220208115119.74931-1-m.frank@proxmox.com \
--to=m.frank@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox