Re: [pbs-devel] [PATCH proxmox-backup 4/4] fix #7219: client: mount: align encryption key loading behavior

[Daniel Herzig <d.herzig@proxmox.com>]

Thanks -- I just gave this a quick spin and works as expected here (no 
need to pass the default key location anymore).

Tested-by: Daniel Herzig <d.herzig@proxmox.com>

On 1/8/26 4:25 PM, Christian Ebner wrote:
> The mount subcommand currently does not load the encrypton key from
> the default key location, requiring to explicitley set the `keyfile`
> parameter on command invocation.
>
> Align the behaviour to the rest of the client commands by using the
> pbs_client::tools::key_source::crypto_parameters helper to load the
> key instead.
>
> The same current behaviour for the benchmark command is not touched,
> as there loading the encryption key should always be conrolled by
> explicitley setting it, to avoid possible pitfalls.
>
> Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=7219
> Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
> ---
>   proxmox-backup-client/src/mount.rs | 24 ++++++++++++++----------
>   1 file changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/proxmox-backup-client/src/mount.rs b/proxmox-backup-client/src/mount.rs
> index fa3385597..e815c8a9c 100644
> --- a/proxmox-backup-client/src/mount.rs
> +++ b/proxmox-backup-client/src/mount.rs
> @@ -2,7 +2,7 @@ use std::collections::HashMap;
>   use std::ffi::OsStr;
>   use std::hash::BuildHasher;
>   use std::os::unix::io::{AsRawFd, OwnedFd};
> -use std::path::{Path, PathBuf};
> +use std::path::Path;
>   use std::sync::Arc;
>   
>   use anyhow::{bail, format_err, Error};
> @@ -18,11 +18,13 @@ use proxmox_schema::*;
>   use proxmox_sortable_macro::sortable;
>   
>   use pbs_api_types::{ArchiveType, BackupArchiveName, BackupNamespace};
> -use pbs_client::tools::key_source::get_encryption_key_password;
> +use pbs_client::tools::key_source::{
> +    crypto_parameters, format_key_source, get_encryption_key_password,
> +};
>   use pbs_client::{BackupReader, RemoteChunkReader};
>   use pbs_datastore::cached_chunk_reader::CachedChunkReader;
>   use pbs_datastore::index::IndexFile;
> -use pbs_key_config::load_and_decrypt_key;
> +use pbs_key_config::decrypt_key;
>   use pbs_tools::crypt_config::CryptConfig;
>   use pbs_tools::json::required_string_param;
>   
> @@ -208,14 +210,16 @@ async fn mount_do(param: Value, pipe: Option<OwnedFd>) -> Result<Value, Error> {
>       let path = required_string_param(&param, "snapshot")?;
>       let backup_dir = dir_or_last_from_group(&client, &repo, &backup_ns, path).await?;
>   
> -    let keyfile = param["keyfile"].as_str().map(PathBuf::from);
> -    let crypt_config = match keyfile {
> +    let crypto = crypto_parameters(&param)?;
> +
> +    let crypt_config = match crypto.enc_key {
>           None => None,
> -        Some(path) => {
> -            log::info!("Encryption key file: '{:?}'", path);
> -            let (key, _, fingerprint) = load_and_decrypt_key(&path, &get_encryption_key_password)?;
> -            log::info!("Encryption key fingerprint: '{}'", fingerprint);
> -            Some(Arc::new(CryptConfig::new(key)?))
> +        Some(key) => {
> +            log::info!("{}", format_key_source(&key.source, "encryption"));
> +            let (key, _created, fingerprint) = decrypt_key(&key.key, &get_encryption_key_password)?;
> +            log::info!("Encryption key fingerprint: '{fingerprint}'");
> +            let crypt_config = CryptConfig::new(key)?;
> +            Some(Arc::new(crypt_config))
>           }
>       };
>   


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel