From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup v4 28/30] sync: pull: decrypt snapshots with matching encryption key fingerprint
Date: Mon, 20 Apr 2026 18:15:31 +0200 [thread overview]
Message-ID: <20260420161533.1055484-29-c.ebner@proxmox.com> (raw)
In-Reply-To: <20260420161533.1055484-1-c.ebner@proxmox.com>
Decrypt any backup snapshot during pull which was encrypted with a
matching encryption key. Matching of keys is performed by comparing
the fingerprint of the key as stored in the source manifest and the
key configured for the pull sync jobs.
If matching, pass along the key's crypto config to the index and chunk
readers and write the local files unencrypted instead of simply
downloading them. A new manifest file is written instead of the
original one and files registered accordingly.
If the local snapshot already exists (resync), refuse to sync without
decryption if the target snapshot is unencrypted, the source however
encrypted.
To detect file changes for resync, compare the file change
fingerprint calculated on the decrypted files before push sync with
encryption.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
src/server/pull.rs | 104 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 99 insertions(+), 5 deletions(-)
diff --git a/src/server/pull.rs b/src/server/pull.rs
index aeb82af99..c5924e82b 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -11,6 +11,9 @@ use std::time::SystemTime;
use anyhow::{bail, format_err, Context, Error};
use pbs_tools::crypt_config::CryptConfig;
use proxmox_human_byte::HumanByte;
+use serde_json::Value;
+use tokio::fs::OpenOptions;
+use tokio::io::AsyncWriteExt;
use tracing::{info, warn};
use pbs_api_types::{
@@ -457,12 +460,23 @@ async fn pull_single_archive<'a>(
)
.await?;
if let Some(DecryptedIndexWriter::Dynamic(index)) = &new_index_writer {
- let _csum = index.lock().unwrap().close()?;
+ let csum = index.lock().unwrap().close()?;
// For both cases, with and without rewriting the index the final index is
// persisted with a rename of the tempfile. Therefore, overwrite current
// tempfile here so it will be finally persisted instead.
std::fs::rename(&path, &tmp_path)?;
+
+ if let Some(new_manifest) = new_manifest {
+ let name = archive_name.as_str().try_into()?;
+ // size is identical to original, encrypted index
+ new_manifest.lock().unwrap().add_file(
+ &name,
+ size,
+ csum,
+ CryptMode::None,
+ )?;
+ }
}
sync_stats.add(stats);
@@ -497,12 +511,23 @@ async fn pull_single_archive<'a>(
)
.await?;
if let Some(DecryptedIndexWriter::Fixed(index)) = &new_index_writer {
- let _csum = index.lock().unwrap().close()?;
+ let csum = index.lock().unwrap().close()?;
// For both cases, with and without rewriting the index the final index is
// persisted with a rename of the tempfile. Therefore, overwrite current
// tempfile here so it will be finally persisted instead.
std::fs::rename(&path, &tmp_path)?;
+
+ if let Some(new_manifest) = new_manifest {
+ let name = archive_name.as_str().try_into()?;
+ // size is identical to original, encrypted index
+ new_manifest.lock().unwrap().add_file(
+ &name,
+ size,
+ csum,
+ CryptMode::None,
+ )?;
+ }
}
sync_stats.add(stats);
@@ -621,6 +646,7 @@ async fn pull_snapshot<'a>(
return Ok(sync_stats);
}
+ let mut local_manifest_file_fp = None;
if manifest_name.exists() && !corrupt {
let manifest_blob = proxmox_lang::try_block!({
let mut manifest_file = std::fs::File::open(&manifest_name).map_err(|err| {
@@ -641,12 +667,31 @@ async fn pull_snapshot<'a>(
info!("no data changes");
let _ = std::fs::remove_file(&tmp_manifest_name);
return Ok(sync_stats); // nothing changed
+ } else {
+ let manifest = BackupManifest::try_from(manifest_blob)?;
+ if !params.crypt_configs.is_empty() {
+ let fp = manifest.change_detection_fingerprint()?;
+ local_manifest_file_fp = Some(hex::encode(fp));
+ }
}
}
- let manifest_data = tmp_manifest_blob.raw_data().to_vec();
+ let mut manifest_data = tmp_manifest_blob.raw_data().to_vec();
let manifest = BackupManifest::try_from(tmp_manifest_blob)?;
+ if let Value::String(fp) = &manifest.unprotected["change-detection-fingerprint"] {
+ if let Some(local) = &local_manifest_file_fp {
+ if fp == local {
+ if !client_log_name.exists() {
+ reader.try_download_client_log(&client_log_name).await?;
+ };
+ info!("no data changes");
+ let _ = std::fs::remove_file(&tmp_manifest_name);
+ return Ok(sync_stats);
+ }
+ }
+ }
+
if ignore_not_verified_or_encrypted(
&manifest,
snapshot.dir(),
@@ -663,8 +708,23 @@ async fn pull_snapshot<'a>(
return Ok(sync_stats);
}
- let crypt_config = None;
- let new_manifest = None;
+ let mut crypt_config = None;
+ let mut new_manifest = None;
+ if let Ok(Some(source_fingerprint)) = manifest.fingerprint() {
+ for (key_id, config) in ¶ms.crypt_configs {
+ if config.fingerprint() == *source_fingerprint.bytes() {
+ crypt_config = Some(Arc::clone(config));
+ new_manifest = Some(Arc::new(Mutex::new(BackupManifest::new(snapshot.into()))));
+ info!("Found matching key '{key_id}' with fingerprint {source_fingerprint}, decrypt on pull");
+ break;
+ }
+ }
+ }
+
+ // pre-existing local manifest for unencrypted snapshot, never overwrite with encrypted
+ if local_manifest_file_fp.is_some() && crypt_config.is_none() {
+ bail!("local unencrypted snapshot detected, refuse to sync without source decryption");
+ }
let backend = ¶ms.target.backend;
for item in manifest.files() {
@@ -720,6 +780,40 @@ async fn pull_snapshot<'a>(
sync_stats.add(stats);
}
+ if let Some(new_manifest) = new_manifest {
+ let mut new_manifest = Arc::try_unwrap(new_manifest)
+ .map_err(|_arc| {
+ format_err!("failed to take ownership of still referenced new manifest")
+ })?
+ .into_inner()
+ .unwrap();
+
+ // copy over notes ecc, but drop encryption key fingerprint and verify state, to be
+ // reverified independent from the sync.
+ new_manifest.unprotected = manifest.unprotected.clone();
+ if let Some(unprotected) = new_manifest.unprotected.as_object_mut() {
+ unprotected.remove("change-detection-fingerprint");
+ unprotected.remove("key-fingerprint");
+ unprotected.remove("verify_state");
+ } else {
+ bail!("Encountered unexpected manifest without 'unprotected' section.");
+ }
+
+ let manifest_string = new_manifest.to_string(None)?;
+ let manifest_blob = DataBlob::encode(manifest_string.as_bytes(), None, true)?;
+ // update contents to be uploaded to backend
+ manifest_data = manifest_blob.raw_data().to_vec();
+
+ let mut tmp_manifest_file = OpenOptions::new()
+ .write(true)
+ .truncate(true) // clear pre-existing manifest content
+ .open(&tmp_manifest_name)
+ .await?;
+ tmp_manifest_file.write_all(&manifest_data).await?;
+ tmp_manifest_file.flush().await?;
+ nix::unistd::fsync(tmp_manifest_file.as_raw_fd())?;
+ }
+
if let Err(err) = std::fs::rename(&tmp_manifest_name, &manifest_name) {
bail!("Atomic rename file {:?} failed - {}", manifest_name, err);
}
--
2.47.3
next prev parent reply other threads:[~2026-04-20 16:16 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 16:15 [PATCH proxmox{,-backup} v4 00/30] fix #7251: implement server side encryption support for push sync jobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox v4 01/30] pbs-api-types: define en-/decryption key type and schema Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox v4 02/30] pbs-api-types: sync job: add optional cryptographic keys to config Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 03/30] sync: push: use tracing macros instead of log Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 04/30] datastore: blob: implement async reader for data blobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 05/30] datastore: manifest: add helper for change detection fingerprint Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 06/30] pbs-key-config: introduce store_with() for KeyConfig Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 07/30] pbs-config: implement encryption key config handling Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 08/30] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 09/30] ui: expose 'encryption-keys' as acl subpath for 'system' Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 10/30] sync: add helper to check encryption key acls and load key Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 11/30] api: config: add endpoints for encryption key manipulation Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 12/30] api: config: check sync owner has access to en-/decryption keys Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 13/30] api: config: allow encryption key manipulation for sync job Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 14/30] sync: push: rewrite manifest instead of pushing pre-existing one Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 15/30] api: push sync: expose optional encryption key for push sync Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 16/30] sync: push: optionally encrypt data blob on upload Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 17/30] sync: push: optionally encrypt client log on upload if key is given Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 18/30] sync: push: add helper for loading known chunks from previous snapshot Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 19/30] fix #7251: api: push: encrypt snapshots using configured encryption key Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 20/30] ui: define and expose encryption key management menu item and windows Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 21/30] ui: expose assigning encryption key to sync jobs Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 22/30] sync: pull: load encryption key if given in job config Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 23/30] sync: expand source chunk reader trait by crypt config Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 24/30] sync: pull: introduce and use decrypt index writer if " Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 25/30] sync: pull: extend encountered chunk by optional decrypted digest Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 26/30] sync: pull: decrypt blob files on pull if encryption key is configured Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 27/30] sync: pull: decrypt chunks and rewrite index file for matching key Christian Ebner
2026-04-20 16:15 ` Christian Ebner [this message]
2026-04-20 16:15 ` [PATCH proxmox-backup v4 29/30] api: encryption keys: allow to toggle the archived state for keys Christian Ebner
2026-04-20 16:15 ` [PATCH proxmox-backup v4 30/30] docs: add section describing server side encryption for sync jobs Christian Ebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420161533.1055484-29-c.ebner@proxmox.com \
--to=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox