From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 8BB081FF140 for ; Fri, 10 Apr 2026 18:55:26 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id B3DA623FE3; Fri, 10 Apr 2026 18:55:51 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v2 12/27] api: config: allow encryption key manipulation for sync job Date: Fri, 10 Apr 2026 18:54:39 +0200 Message-ID: <20260410165454.1578501-13-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260410165454.1578501-1-c.ebner@proxmox.com> References: <20260410165454.1578501-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1775840038133 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.070 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: QIG3FX5JDIXF3DCHZYMBNAX5ARU4AACW X-Message-ID-Hash: QIG3FX5JDIXF3DCHZYMBNAX5ARU4AACW X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Since the SyncJobConfig got extended to include an optional active encryption key, set the default to none. Extend the api config update handler to also set, update or delete the active encryption key based on the provided parameters. Associated keys will also be updated accordingly, however it is assured that the previously active key will remain associated, if changed. They encryption key will be used to encrypt unencrypted backup snapshots during push sync. Any of the associated keys will be used to decrypt snapshots with matching key fingerprint during pull sync. Signed-off-by: Christian Ebner --- src/api2/config/sync.rs | 55 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 3 deletions(-) diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs index 51be7e208..3b92958c6 100644 --- a/src/api2/config/sync.rs +++ b/src/api2/config/sync.rs @@ -324,6 +324,22 @@ pub fn read_sync_job(id: String, rpcenv: &mut dyn RpcEnvironment) -> Result>, +) { + if let Some(prev) = ¤t.active_encryption_key { + match associated_keys { + Some(ref mut keys) => { + if !keys.contains(prev) { + keys.push(prev.clone()); + } + } + None => *associated_keys = Some(vec![prev.clone()]), + } + } +} + #[api()] #[derive(Serialize, Deserialize)] #[serde(rename_all = "kebab-case")] @@ -367,6 +383,10 @@ pub enum DeletableProperty { UnmountOnDone, /// Delete the sync_direction property, SyncDirection, + /// Delete the active encryption key property, + ActiveEncryptionKey, + /// Delete associated key property, + AssociatedKey, } #[api( @@ -408,7 +428,7 @@ required sync job owned by user. Additionally, remove vanished requires RemoteDa #[allow(clippy::too_many_arguments)] pub fn update_sync_job( id: String, - update: SyncJobConfigUpdater, + mut update: SyncJobConfigUpdater, delete: Option>, digest: Option, rpcenv: &mut dyn RpcEnvironment, @@ -431,6 +451,7 @@ pub fn update_sync_job( } if let Some(delete) = delete { + let mut allow_remove_associated = true; for delete_prop in delete { match delete_prop { DeletableProperty::Remote => { @@ -490,6 +511,16 @@ pub fn update_sync_job( DeletableProperty::SyncDirection => { data.sync_direction = None; } + DeletableProperty::ActiveEncryptionKey => { + allow_remove_associated = data.active_encryption_key.is_none(); + keep_previous_key_as_associated(&data, &mut update.associated_key); + data.active_encryption_key = None; + } + DeletableProperty::AssociatedKey => { + if allow_remove_associated { + data.associated_key = None; + } + } } } } @@ -518,8 +549,8 @@ pub fn update_sync_job( if let Some(remote_ns) = update.remote_ns { data.remote_ns = Some(remote_ns); } - if let Some(owner) = update.owner { - data.owner = Some(owner); + if let Some(owner) = &update.owner { + data.owner = Some(owner.clone()); } if let Some(group_filter) = update.group_filter { data.group_filter = Some(group_filter); @@ -549,6 +580,22 @@ pub fn update_sync_job( data.sync_direction = Some(sync_direction); } + if let Some(active_encryption_key) = update.active_encryption_key { + let owner = update.owner.as_ref().unwrap_or_else(|| { + data.owner + .as_ref() + .unwrap_or_else(|| Authid::root_auth_id()) + }); + sync_user_can_access_optional_key(Some(&active_encryption_key), owner)?; + + keep_previous_key_as_associated(&data, &mut update.associated_key); + data.active_encryption_key = Some(active_encryption_key); + } + + if let Some(associated_key) = update.associated_key { + data.associated_key = Some(associated_key); + } + if update.limit.rate_in.is_some() { data.limit.rate_in = update.limit.rate_in; } @@ -721,6 +768,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator run_on_mount: None, unmount_on_done: None, sync_direction: None, // use default + active_encryption_key: None, + associated_key: None, }; // should work without ACLs -- 2.47.3