From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup v4 11/30] api: config: add endpoints for encryption key manipulation
Date: Mon, 20 Apr 2026 18:15:14 +0200 [thread overview]
Message-ID: <20260420161533.1055484-12-c.ebner@proxmox.com> (raw)
In-Reply-To: <20260420161533.1055484-1-c.ebner@proxmox.com>
Defines the api endpoints for listing existing keys as defined in the
config, create new keys and archive or remove keys.
New keys are either generated on the server side or uploaded as json
string. Password protected keys are currently not supported and will
be added at a later stage, once a general mechanism for secrets
handling is implemented for PBS.
Keys are archived by setting the `archived-at` timestamp, marking
them as no longer usable for encrypting new content with respective
keys. This is only possible if the key is not in-use as active
encryption key by any sync job.
Removing a key requires for it to be archived first. Further, is only
possible when the key is no longer referenced by a sync job config,
protecting from accidental deletion of an in-use key.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
src/api2/config/encryption_keys.rs | 231 +++++++++++++++++++++++++++++
src/api2/config/mod.rs | 2 +
2 files changed, 233 insertions(+)
create mode 100644 src/api2/config/encryption_keys.rs
diff --git a/src/api2/config/encryption_keys.rs b/src/api2/config/encryption_keys.rs
new file mode 100644
index 000000000..620eb8f69
--- /dev/null
+++ b/src/api2/config/encryption_keys.rs
@@ -0,0 +1,231 @@
+use anyhow::{bail, format_err, Error};
+use serde_json::Value;
+
+use proxmox_router::{Permission, Router, RpcEnvironment};
+use proxmox_schema::api;
+
+use pbs_api_types::{
+ Authid, CryptKey, SyncJobConfig, CRYPT_KEY_ID_SCHEMA, PRIV_SYS_AUDIT, PRIV_SYS_MODIFY,
+ PROXMOX_CONFIG_DIGEST_SCHEMA,
+};
+
+use pbs_config::encryption_keys::{self, ENCRYPTION_KEYS_CFG_TYPE_ID};
+use pbs_config::CachedUserInfo;
+
+use pbs_key_config::KeyConfig;
+
+#[api(
+ input: {
+ properties: {
+ "include-archived": {
+ type: bool,
+ description: "List also keys which have been archived.",
+ optional: true,
+ default: false,
+ },
+ },
+ },
+ returns: {
+ description: "List of configured encryption keys.",
+ type: Array,
+ items: { type: CryptKey },
+ },
+ access: {
+ permission: &Permission::Anybody,
+ description: "List configured encryption keys filtered by Sys.Audit privileges",
+ },
+)]
+/// List configured encryption keys.
+pub fn list_keys(
+ include_archived: bool,
+ _param: Value,
+ rpcenv: &mut dyn RpcEnvironment,
+) -> Result<Vec<CryptKey>, Error> {
+ let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ let user_info = CachedUserInfo::new()?;
+
+ let (config, digest) = encryption_keys::config()?;
+
+ let list: Vec<CryptKey> = config.convert_to_typed_array(ENCRYPTION_KEYS_CFG_TYPE_ID)?;
+ let list = list
+ .into_iter()
+ .filter(|key| {
+ if !include_archived && key.archived_at.is_some() {
+ return false;
+ }
+ let privs = user_info.lookup_privs(&auth_id, &["system", "encryption-keys", &key.id]);
+ privs & PRIV_SYS_AUDIT != 0
+ })
+ .collect();
+
+ rpcenv["digest"] = hex::encode(digest).into();
+
+ Ok(list)
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ id: {
+ schema: CRYPT_KEY_ID_SCHEMA,
+ },
+ key: {
+ description: "Use provided key instead of creating new one.",
+ type: String,
+ optional: true,
+ },
+ },
+ },
+ access: {
+ permission: &Permission::Privilege(&["system", "encryption-keys"], PRIV_SYS_MODIFY, false),
+ },
+)]
+/// Create new encryption key instance or use the provided one.
+pub fn create_key(
+ id: String,
+ key: Option<String>,
+ _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<KeyConfig, Error> {
+ let key_config = if let Some(key) = &key {
+ let key_config: KeyConfig = serde_json::from_str(key)
+ .map_err(|err| format_err!("failed to parse provided key: {err}"))?;
+ // early detect unusable keys
+ if key_config.kdf.is_some() {
+ bail!("protected keys not supported");
+ }
+ let _ = key_config
+ .decrypt(&|| Ok(Vec::new()))
+ .map_err(|err| format_err!("failed to load provided key: {err}"))?;
+ key_config
+ } else {
+ let mut raw_key = [0u8; 32];
+ proxmox_sys::linux::fill_with_random_data(&mut raw_key)?;
+ KeyConfig::without_password(raw_key)?
+ };
+
+ encryption_keys::store_key(&id, &key_config)?;
+
+ Ok(key_config)
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ id: {
+ schema: CRYPT_KEY_ID_SCHEMA,
+ },
+ digest: {
+ optional: true,
+ schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+ },
+ },
+ },
+ access: {
+ permission: &Permission::Privilege(&["system", "encryption-keys", "{id}"], PRIV_SYS_MODIFY, false),
+ },
+)]
+/// Mark the key by given id as archived, no longer usable to encrypt contents.
+pub fn archive_key(
+ id: String,
+ digest: Option<String>,
+ _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+ let _lock = encryption_keys::lock_config()?;
+ let (mut config, expected_digest) = encryption_keys::config()?;
+
+ pbs_config::detect_modified_configuration_file(digest, &expected_digest)?;
+
+ let mut key: CryptKey = config.lookup(ENCRYPTION_KEYS_CFG_TYPE_ID, &id)?;
+
+ if key.archived_at.is_some() {
+ bail!("key already marked as archived");
+ } else {
+ check_encryption_key_in_use(&id, false)?;
+ }
+
+ key.archived_at = Some(proxmox_time::epoch_i64());
+
+ config.set_data(&id, ENCRYPTION_KEYS_CFG_TYPE_ID, &key)?;
+ // drops config lock
+ encryption_keys::save_config(&config)?;
+
+ Ok(())
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ id: {
+ schema: CRYPT_KEY_ID_SCHEMA,
+ },
+ digest: {
+ optional: true,
+ schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+ },
+ },
+ },
+ access: {
+ permission: &Permission::Privilege(&["system", "encryption-keys", "{id}"], PRIV_SYS_MODIFY, false),
+ },
+)]
+/// Remove encryption key.
+pub fn delete_key(
+ id: String,
+ digest: Option<String>,
+ _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+ let _lock = encryption_keys::lock_config()?;
+ let (config, expected_digest) = encryption_keys::config()?;
+
+ pbs_config::detect_modified_configuration_file(digest, &expected_digest)?;
+
+ check_encryption_key_in_use(&id, true)?;
+
+ encryption_keys::delete_key(&id, config)?;
+
+ Ok(())
+}
+
+// Check if sync jobs hold given key as active encryption key and if flag set, if sync jobs have it
+// as associated key.
+fn check_encryption_key_in_use(id: &str, include_associated: bool) -> Result<(), Error> {
+ let (config, _digest) = pbs_config::sync::config()?;
+
+ let mut used_by_jobs = Vec::new();
+
+ let job_list: Vec<SyncJobConfig> = config.convert_to_typed_array("sync")?;
+ for job in job_list {
+ if job.active_encryption_key.as_deref() == Some(id) {
+ used_by_jobs.push(job.id.clone());
+ }
+ if include_associated
+ && job
+ .associated_key
+ .as_deref()
+ .unwrap_or(&[])
+ .contains(&id.to_string())
+ {
+ used_by_jobs.push(job.id.clone());
+ }
+ }
+
+ if !used_by_jobs.is_empty() {
+ let plural = if used_by_jobs.len() > 1 { "s" } else { "" };
+ let ids = used_by_jobs.join(", ");
+ bail!("encryption key in use by sync job{plural}: '{ids}'");
+ }
+
+ Ok(())
+}
+
+const ITEM_ROUTER: Router = Router::new()
+ .post(&API_METHOD_ARCHIVE_KEY)
+ .delete(&API_METHOD_DELETE_KEY);
+
+pub const ROUTER: Router = Router::new()
+ .get(&API_METHOD_LIST_KEYS)
+ .post(&API_METHOD_CREATE_KEY)
+ .match_all("id", &ITEM_ROUTER);
diff --git a/src/api2/config/mod.rs b/src/api2/config/mod.rs
index 1cd9ead76..0281bcfae 100644
--- a/src/api2/config/mod.rs
+++ b/src/api2/config/mod.rs
@@ -9,6 +9,7 @@ pub mod acme;
pub mod changer;
pub mod datastore;
pub mod drive;
+pub mod encryption_keys;
pub mod media_pool;
pub mod metrics;
pub mod notifications;
@@ -28,6 +29,7 @@ const SUBDIRS: SubdirMap = &sorted!([
("changer", &changer::ROUTER),
("datastore", &datastore::ROUTER),
("drive", &drive::ROUTER),
+ ("encryption-keys", &encryption_keys::ROUTER),
("media-pool", &media_pool::ROUTER),
("metrics", &metrics::ROUTER),
("notifications", ¬ifications::ROUTER),
--
2.47.3
next prev parent reply other threads:[~2026-04-20 16:17 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 16:15 [PATCH proxmox{,-backup} v4 00/30] fix #7251: implement server side encryption support for push sync jobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox v4 01/30] pbs-api-types: define en-/decryption key type and schema Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox v4 02/30] pbs-api-types: sync job: add optional cryptographic keys to config Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 03/30] sync: push: use tracing macros instead of log Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 04/30] datastore: blob: implement async reader for data blobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 05/30] datastore: manifest: add helper for change detection fingerprint Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 06/30] pbs-key-config: introduce store_with() for KeyConfig Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 07/30] pbs-config: implement encryption key config handling Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 08/30] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 09/30] ui: expose 'encryption-keys' as acl subpath for 'system' Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 10/30] sync: add helper to check encryption key acls and load key Christian Ebner
2026-04-20 16:15 ` Christian Ebner [this message]
2026-04-20 16:15 ` [PATCH proxmox-backup v4 12/30] api: config: check sync owner has access to en-/decryption keys Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 13/30] api: config: allow encryption key manipulation for sync job Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 14/30] sync: push: rewrite manifest instead of pushing pre-existing one Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 15/30] api: push sync: expose optional encryption key for push sync Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 16/30] sync: push: optionally encrypt data blob on upload Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 17/30] sync: push: optionally encrypt client log on upload if key is given Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 18/30] sync: push: add helper for loading known chunks from previous snapshot Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 19/30] fix #7251: api: push: encrypt snapshots using configured encryption key Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 20/30] ui: define and expose encryption key management menu item and windows Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 21/30] ui: expose assigning encryption key to sync jobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 22/30] sync: pull: load encryption key if given in job config Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 23/30] sync: expand source chunk reader trait by crypt config Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 24/30] sync: pull: introduce and use decrypt index writer if " Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 25/30] sync: pull: extend encountered chunk by optional decrypted digest Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 26/30] sync: pull: decrypt blob files on pull if encryption key is configured Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 27/30] sync: pull: decrypt chunks and rewrite index file for matching key Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 28/30] sync: pull: decrypt snapshots with matching encryption key fingerprint Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 29/30] api: encryption keys: allow to toggle the archived state for keys Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 30/30] docs: add section describing server side encryption for sync jobs Christian Ebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420161533.1055484-12-c.ebner@proxmox.com \
--to=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox