From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: c.ebner@proxmox.com
Cc: pbs-devel@lists.proxmox.com
Subject: Re: [PATCH proxmox-backup v2 27/27] sync: pull: decrypt snapshots with matching encryption key fingerprint
Date: Sat, 11 Apr 2026 10:02:15 +0200 [thread overview]
Message-ID: <20260411085154.1961287-11-t.lamprecht@proxmox.com> (raw)
In-Reply-To: <20260410165454.1578501-28-c.ebner@proxmox.com>
Am 10.04.26 um 18:54 schrieb Christian Ebner:
> diff --git a/src/server/pull.rs b/src/server/pull.rs
> @@ -647,6 +704,22 @@ async fn pull_snapshot<'a>(
>
> + // pre-existing local manifest for unencrypted snapshot, never overwrite with encrypted
> + if local_manifest_key_fp.is_some() && crypt_config.is_none() {
> + bail!("local unencrypted snapshot detected, refuse to sync without source decryption");
> + }
This condition looks inverted AFAICT. After decrypt-on-pull the local manifest
has key-fingerprint: null, so manifest.fingerprint() returns None,
local_manifest_key_fp is None, and the is_some() check never fires.
The scenario it should catch: key removed from job after a previous
decrypt-on-pull, remote snapshot changed, local decrypted data gets silently
overwritten with encrypted content.
I think checking local_manifest_file_fp.is_some() (the
change-detection-fingerprint presence) would be the right indicator for this
situation, at least FWICT that field only exists in manifests produced by the
decrypt path (but might warrant a closer check).
> @@ -696,11 +769,38 @@ async fn pull_snapshot<'a>(
>
> + new_manifest.unprotected["key-fingerprint"] = Value::Null;
nit: do we need to set the field explicitly to JSON null rather than removing
it via e.g. `.as_object_mut().unwrap().remove("key-fingerprint")` instead? but
no hard feelings here.
> + new_manifest.unprotected = manifest.unprotected.clone();
nit: this copies verify state from the encrypted source manifest into the
decrypted target. The decryption itself acts as a verification of sorts (AEAD
would catch corruption), so this is fine, but a comment explaining the
reasoning would be IMO nice.
> + info!("Found matching key fingerprint {source_fingerprint}, decrypt on pull");
nit: I'd suggest to also log which key ID matched, not just the fingerprint, as
that's then easier for the admin to cross-reference with the job config.
next prev parent reply other threads:[~2026-04-11 8:51 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-10 16:54 [PATCH proxmox{,-backup} v2 00/27] fix #7251: implement server side encryption support for push sync jobs Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox v2 01/27] pbs-api-types: define en-/decryption key type and schema Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox v2 02/27] pbs-api-types: sync job: add optional cryptographic keys to config Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 03/27] datastore: blob: implement async reader for data blobs Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 04/27] datastore: manifest: add helper for change detection fingerprint Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 05/27] pbs-key-config: introduce store_with() for KeyConfig Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 06/27] pbs-config: implement encryption key config handling Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 07/27] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 08/27] ui: expose 'encryption-keys' as acl subpath for 'system' Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 09/27] sync: add helper to check encryption key acls and load key Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 10/27] api: config: add endpoints for encryption key manipulation Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 11/27] api: config: check sync owner has access to en-/decryption keys Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 12/27] api: config: allow encryption key manipulation for sync job Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 13/27] sync: push: rewrite manifest instead of pushing pre-existing one Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 14/27] api: push sync: expose optional encryption key for push sync Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 15/27] sync: push: optionally encrypt data blob on upload Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 16/27] sync: push: optionally encrypt client log on upload if key is given Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 17/27] sync: push: add helper for loading known chunks from previous snapshot Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 18/27] fix #7251: api: push: encrypt snapshots using configured encryption key Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 19/27] ui: define and expose encryption key management menu item and windows Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 20/27] ui: expose assigning encryption key to sync jobs Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 21/27] sync: pull: load encryption key if given in job config Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 22/27] sync: expand source chunk reader trait by crypt config Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 23/27] sync: pull: introduce and use decrypt index writer if " Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 24/27] sync: pull: extend encountered chunk by optional decrypted digest Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 25/27] sync: pull: decrypt blob files on pull if encryption key is configured Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht
2026-04-10 16:54 ` [PATCH proxmox-backup v2 26/27] sync: pull: decrypt chunks and rewrite index file for matching key Christian Ebner
2026-04-10 16:54 ` [PATCH proxmox-backup v2 27/27] sync: pull: decrypt snapshots with matching encryption key fingerprint Christian Ebner
2026-04-11 8:02 ` Thomas Lamprecht [this message]
2026-04-11 8:02 ` [PATCH proxmox{,-backup} v2 00/27] fix #7251: implement server side encryption support for push sync jobs Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260411085154.1961287-11-t.lamprecht@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox