From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup 3/6] push: add support for strict encryption checking
Date: Wed, 29 Apr 2026 16:09:24 +0200 [thread overview]
Message-ID: <20260429140941.3537494-4-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20260429140941.3537494-1-f.gruenbichler@proxmox.com>
if enabled, this mode will refuse to sync already encrypted snapshots, unless
they are encrypted using the active encryption key and carry a valid signature.
since pushing now checks the manifest more closely, also log whether synced
pre-encrypted snapshots use a matching key or not if the mode is disabled.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/push.rs | 1 +
src/server/push.rs | 41 ++++++++++++++++++++++++++++++++++++-----
src/server/sync.rs | 1 +
3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/src/api2/push.rs b/src/api2/push.rs
index 44629de06..54dc1e4ee 100644
--- a/src/api2/push.rs
+++ b/src/api2/push.rs
@@ -176,6 +176,7 @@ async fn push(
transfer_last,
worker_threads,
encryption_key,
+ None,
)
.await?;
diff --git a/src/server/push.rs b/src/server/push.rs
index dac62c84a..c85654ed1 100644
--- a/src/server/push.rs
+++ b/src/server/push.rs
@@ -97,6 +97,8 @@ pub(crate) struct PushParameters {
/// Encryption key to use for pushing unencrypted backup snapshots. Does not affect
/// already encrypted snapshots.
crypt_config: Option<(String, Arc<CryptConfig>)>,
+ /// Refuse to sync already encrypted snapshots
+ strict_encryption_mode: bool,
}
impl PushParameters {
@@ -118,6 +120,7 @@ impl PushParameters {
transfer_last: Option<usize>,
worker_threads: Option<usize>,
active_encryption_key: Option<String>,
+ strict_encryption_mode: Option<bool>,
) -> Result<Self, Error> {
if let Some(max_depth) = max_depth {
ns.check_max_depth(max_depth)?;
@@ -126,6 +129,7 @@ impl PushParameters {
let remove_vanished = remove_vanished.unwrap_or(false);
let encrypted_only = encrypted_only.unwrap_or(false);
let verified_only = verified_only.unwrap_or(false);
+ let strict_encryption_mode = strict_encryption_mode.unwrap_or(false);
let lookup = crate::tools::lookup_with(store, Operation::Read);
let store = DataStore::lookup_datastore(lookup)?;
@@ -191,6 +195,7 @@ impl PushParameters {
transfer_last,
worker_threads,
crypt_config,
+ strict_encryption_mode,
})
}
@@ -1075,7 +1080,7 @@ pub(crate) async fn push_snapshot(
}
let mut encrypt_using_key = None;
- if params.crypt_config.is_some() {
+ if let Some((id, key)) = params.crypt_config.as_ref() {
// Check if snapshot is fully encrypted or not encrypted at all:
// refuse progress otherwise to upload partially unencrypted contents or mix encryption key.
let files = source_manifest.files();
@@ -1103,10 +1108,36 @@ pub(crate) async fn push_snapshot(
).await?;
return Ok(stats);
} else {
- log_sender.log(
- Level::INFO,
- format!("Snapshot '{snapshot}' already encrypted with client key, not re-encrypting with configured active encryption key"),
- ).await?;
+ let correct_key = source_manifest
+ .fingerprint()
+ .ok()
+ .flatten()
+ .map(|fp| *fp.bytes())
+ == Some(key.fingerprint());
+ if correct_key && source_manifest.check_signature(&key).is_err() {
+ log_sender.log(
+ Level::WARN,
+ format!("Snapshot '{snapshot}' already encrypted with matching key {id}, but signature check failed"),
+ ).await?;
+ return Ok(stats);
+ }
+ if correct_key {
+ log_sender.log(
+ Level::INFO,
+ format!("Snapshot '{snapshot}' already encrypted with matching key {id}, syncing as-is"),
+ ).await?;
+ } else if params.strict_encryption_mode {
+ log_sender.log(
+ Level::INFO,
+ format!("Snapshot '{snapshot}' already encrypted with different key, strict encryption mode enabled, skip"),
+ ).await?;
+ return Ok(stats);
+ } else {
+ log_sender.log(
+ Level::INFO,
+ format!("Snapshot '{snapshot}' already encrypted with different key, not re-encrypting with configured active encryption key"),
+ ).await?;
+ }
}
}
diff --git a/src/server/sync.rs b/src/server/sync.rs
index f7d96811e..590ad01eb 100644
--- a/src/server/sync.rs
+++ b/src/server/sync.rs
@@ -733,6 +733,7 @@ pub fn do_sync_job(
sync_job.transfer_last,
sync_job.worker_threads,
sync_job.active_encryption_key,
+ None,
)
.await?;
push_store(push_params).await?
--
2.47.3
next prev parent reply other threads:[~2026-04-29 14:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-29 14:09 [PATCH proxmox{,-backup} 0/6] sync: add strict encryption mode Fabian Grünbichler
2026-04-29 14:09 ` [PATCH proxmox 1/6] pbs-api-types: sync job: add strict-encryption-mode Fabian Grünbichler
2026-04-29 14:09 ` [PATCH proxmox-backup 2/6] pull: add support for strict decryption checking Fabian Grünbichler
2026-04-29 14:09 ` Fabian Grünbichler [this message]
2026-04-29 14:09 ` [PATCH proxmox-backup 4/6] sync: wire up strict encryption mode Fabian Grünbichler
2026-04-29 14:09 ` [PATCH proxmox-backup 5/6] ui: add strict-encryption-mode to SyncJobEdit window Fabian Grünbichler
2026-04-29 14:09 ` [PATCH proxmox-backup 6/6] docs: sync: add strict encryption mode Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260429140941.3537494-4-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox