Re: [PATCH proxmox-backup v3 07/30] pbs-config: implement encryption key config handling

public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed

From: "Daniel Kral" <d.kral@proxmox.com>
To: "Christian Ebner" <c.ebner@proxmox.com>,
	"Michael Köppl" <m.koeppl@proxmox.com>,
	pbs-devel@lists.proxmox.com
Subject: Re: [PATCH proxmox-backup v3 07/30] pbs-config: implement encryption key config handling
Date: Wed, 15 Apr 2026 10:03:51 +0200	[thread overview]
Message-ID: <DHTKM1A9RK5U.1D1HZEWOUGHDE@proxmox.com> (raw)
In-Reply-To: <576f8999-1a20-417a-9c6d-ec79467661da@proxmox.com>

On Wed Apr 15, 2026 at 8:48 AM CEST, Christian Ebner wrote:
> On 4/14/26 4:31 PM, Michael Köppl wrote:
>> 2 comments inline
>> 
>> On Tue Apr 14, 2026 at 2:59 PM CEST, Christian Ebner wrote:
>> 
>> [snip]
>> 
>>> +/// Store the encryption key to file.
>>> +///
>>> +/// Inserts the key in the config and stores it to the given file.
>>> +pub fn store_key(id: &str, key: &KeyConfig) -> Result<(), Error> {
>>> +    let _lock = lock_config()?;
>>> +    let (mut config, _digest) = config()?;
>>> +
>>> +    if config.sections.contains_key(id) {
>>> +        bail!("key with id '{id}' already exists.");
>>> +    }
>>> +
>>> +    let backup_user = crate::backup_user()?;
>>> +    let dir_options = CreateOptions::new()
>>> +        .perm(Mode::from_bits_truncate(0o0750))
>>> +        .owner(Uid::from_raw(0))
>>> +        .group(backup_user.gid);
>>> +
>>> +    proxmox_sys::fs::ensure_dir_exists(ENCRYPTION_KEYS_DIR, &dir_options, true)?;
>>> +
>>> +    let key_path = format!("{ENCRYPTION_KEYS_DIR}{id}.enc");
>>> +    let key_lock_path = format!("{key_path}.lck");
>>> +
>>> +    // lock to avoid race with key deletion
>>> +    open_backup_lockfile(&key_lock_path, None, true)?;
>> 
>> This needs to be assigned to a variable, no? Otherwise, the lock would
>> be immediately dropped.
>
> Oh, good catch! Indeed without this the lock would be immediately 
> dropped, will be fixed. Thanks!
>

Would it make sense to add a #[must_use = "..."] attribute [0] to
open_backup_lockfile() or even the BackupLockGuard in general or would
it be too strict here?

[0] https://doc.rust-lang.org/reference/attributes/diagnostics.html#the-must_use-attribute

>> 
>> In other places we have something like let _lock = lock_config()?;
>>

next prev parent reply	other threads:[~2026-04-15  8:04 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-14 12:58 [PATCH proxmox{,-backup} v3 00/30] fix #7251: implement server side encryption support for push sync jobs Christian Ebner
2026-04-14 12:58 ` [PATCH proxmox v3 01/30] pbs-api-types: define en-/decryption key type and schema Christian Ebner
2026-04-14 12:58 ` [PATCH proxmox v3 02/30] pbs-api-types: sync job: add optional cryptographic keys to config Christian Ebner
2026-04-14 12:58 ` [PATCH proxmox-backup v3 03/30] sync: push: use tracing macros instead of log Christian Ebner
2026-04-14 12:58 ` [PATCH proxmox-backup v3 04/30] datastore: blob: implement async reader for data blobs Christian Ebner
2026-04-14 12:58 ` [PATCH proxmox-backup v3 05/30] datastore: manifest: add helper for change detection fingerprint Christian Ebner
2026-04-14 12:58 ` [PATCH proxmox-backup v3 06/30] pbs-key-config: introduce store_with() for KeyConfig Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 07/30] pbs-config: implement encryption key config handling Christian Ebner
2026-04-14 14:32   ` Michael Köppl
2026-04-15  6:48     ` Christian Ebner
2026-04-15  8:03       ` Daniel Kral [this message]
2026-04-15  8:21         ` Christian Ebner
2026-04-15  8:06       ` Thomas Lamprecht
2026-04-14 12:59 ` [PATCH proxmox-backup v3 08/30] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 09/30] ui: expose 'encryption-keys' as acl subpath for 'system' Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 10/30] sync: add helper to check encryption key acls and load key Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 11/30] api: config: add endpoints for encryption key manipulation Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 12/30] api: config: check sync owner has access to en-/decryption keys Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 13/30] api: config: allow encryption key manipulation for sync job Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 14/30] sync: push: rewrite manifest instead of pushing pre-existing one Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 15/30] api: push sync: expose optional encryption key for push sync Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 16/30] sync: push: optionally encrypt data blob on upload Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 17/30] sync: push: optionally encrypt client log on upload if key is given Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 18/30] sync: push: add helper for loading known chunks from previous snapshot Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 19/30] fix #7251: api: push: encrypt snapshots using configured encryption key Christian Ebner
2026-04-15 14:49   ` Michael Köppl
2026-04-15 15:25     ` Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 20/30] ui: define and expose encryption key management menu item and windows Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 21/30] ui: expose assigning encryption key to sync jobs Christian Ebner
2026-04-15 14:49   ` Michael Köppl
2026-04-15 15:20     ` Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 22/30] sync: pull: load encryption key if given in job config Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 23/30] sync: expand source chunk reader trait by crypt config Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 24/30] sync: pull: introduce and use decrypt index writer if " Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 25/30] sync: pull: extend encountered chunk by optional decrypted digest Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 26/30] sync: pull: decrypt blob files on pull if encryption key is configured Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 27/30] sync: pull: decrypt chunks and rewrite index file for matching key Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 28/30] sync: pull: decrypt snapshots with matching encryption key fingerprint Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 29/30] api: encryption keys: allow to toggle the archived state for keys Christian Ebner
2026-04-14 12:59 ` [PATCH proxmox-backup v3 30/30] docs: add section describing server side encryption for sync jobs Christian Ebner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DHTKM1A9RK5U.1D1HZEWOUGHDE@proxmox.com \
    --to=d.kral@proxmox.com \
    --cc=c.ebner@proxmox.com \
    --cc=m.koeppl@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal