public inbox for pbs-devel@lists.proxmox.com
From: Manuel Federanko <m.federanko@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: Re: [PATCH proxmox{,-backup} 00/20] fix #7251: implement server side encryption support for push sync jobs
Date: Tue, 7 Apr 2026 17:12:27 +0200
Message-ID: <b869ae07-600a-497e-a167-e6c5e07e0afb@proxmox.com>
In-Reply-To: <20260401075521.176354-1-c.ebner@proxmox.com>

On 2026-04-01 9:55 AM, Christian Ebner wrote:
> This patch series implements support for encrypting backup snapshots
> when pushing from a source PBS instance to an untrusted remote target
> PBS instance. Further, it adds support to decrypt snapshots being
> encrypted on the remote source PBS when pulling the contents to the
> local target PBS instance. This allows performing full server side
> encryption/decryption when syncing with a less trusted remote PBS.
> 
> In order to encrypt/decrypt snapshots, a new encryption key entity
> is introduced, to be created as global instance on the PBS, placed and
> managed by its own dedicated config. Keys with secret are stored
> in dedicated files so they only need to be loaded when accessing the
> key, not for listing of configuration.
> 
> The sync jobs in push and pull direction are extended to receive an
> additional encryption key parameter, allowing the given key to be
> used for encryption/decryption of snapshots, depending on the sync
> direction. In order to encrypt/decrypt the contents, chunks, index
> files, blobs and manifest are additionally processed, rewritten when
> required.
> 
> Link to the bugtracker issue:
> https://bugzilla.proxmox.com/show_bug.cgi?id=7251
> 

I just had a go at this, looks good overall, a couple of issues:

it's not possible to not specify an encryption key during sync job
creation, the dialog fails with an error:
> "encryption-key: value must be at least 3 characters long"
it still works via the cli

creating a sync job with an unknown encryption key silently succeeds,
leaving the key unset (via the cli)

nit: the encryption key name length check is inconsistent, I can only
create keys where the name is 4 characters or longer, the check
for a sync job is 3 characters

when removing an encryption key an "unknown error" is displayed to
the user

adding a key which is password protected works, which we could
already check against, to prevent later failures in sync jobs.

a pull sync which had a correct key set will decrypt a backup;
switching a key from that pull job (or starting another pull
job with a different key) will mark the backup as corrupt and
re-sync it, replacing the decrypted backup with an encrypted one.
> re-sync snapshot host/tali/2026-04-07T14:35:30Z
> detected changed file "/mnt/datastore/zfs0/host/tali/2026-04-07T14:35:30Z/config.pxar.didx" - wrong checksum for file 'config.pxar.didx'
I'm not sure we even want to allow that since that setup is
inherently at odds.


apologies if some of these issues are already touched upon by the
others.

Other than that it lgtm and works as expected.
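
Added example, not part of the original message and not code from the patch series: one way to make the three key-reference findings above (empty field rejected, unknown key accepted, 3 vs. 4 character minimum) impossible by routing key creation and sync job creation through a single validator. The length bounds, allowed characters, error type and function names are assumptions for illustration, as is treating an empty form field as "no key".

```rust
use std::collections::HashSet;

// Hypothetical bounds; the real schema limits are not shown in the thread.
const KEY_ID_MIN_LEN: usize = 3;
const KEY_ID_MAX_LEN: usize = 32;

#[derive(Debug, PartialEq)]
enum KeyRefError {
    BadLength(usize),
    BadChar(char),
    UnknownKey(String),
}

/// Single validator shared by key creation and sync job creation, so the
/// two code paths cannot disagree on the accepted name length.
fn validate_key_id(id: &str) -> Result<(), KeyRefError> {
    let len = id.chars().count();
    if len < KEY_ID_MIN_LEN || len > KEY_ID_MAX_LEN {
        return Err(KeyRefError::BadLength(len));
    }
    // Assumed character set: ASCII alphanumerics plus '-' and '_'.
    match id.chars().find(|c| !(c.is_ascii_alphanumeric() || *c == '-' || *c == '_')) {
        Some(c) => Err(KeyRefError::BadChar(c)),
        None => Ok(()),
    }
}

/// Resolve the optional encryption key of a sync job.
/// Absent or empty means "no key"; a named key must exist in the key config.
fn resolve_job_key(raw: Option<&str>, known: &HashSet<String>) -> Result<Option<String>, KeyRefError> {
    let id = match raw.map(str::trim) {
        None | Some("") => return Ok(None),
        Some(id) => id,
    };
    validate_key_id(id)?;
    if !known.contains(id) {
        // Fail loudly instead of silently leaving the job without a key.
        return Err(KeyRefError::UnknownKey(id.to_string()));
    }
    Ok(Some(id.to_string()))
}

fn main() {
    // Constructed sample data: one configured key.
    let mut known = HashSet::new();
    known.insert("offsite-key".to_string());
    for raw in vec![None, Some(""), Some("offsite-key"), Some("nokey"), Some("ab")] {
        println!("{:?} -> {:?}", raw, resolve_job_key(raw, &known));
    }
}
```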


Thread overview: 41+ messages
2026-04-01  7:55 Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox 01/20] pbs-api-types: define encryption key type and schema Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox 02/20] pbs-api-types: sync job: add optional encryption key to config Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 03/20] pbs-key-config: introduce store_with() for KeyConfig Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 04/20] pbs-config: implement encryption key config handling Christian Ebner
2026-04-01 23:27   ` Thomas Lamprecht
2026-04-02  7:09     ` Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 05/20] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 06/20] ui: expose 'encryption-keys' as acl subpath for 'system' Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 07/20] api: config: add endpoints for encryption key manipulation Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 08/20] api: config: allow encryption key manipulation for sync job Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 09/20] sync: push: rewrite manifest instead of pushing pre-existing one Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 10/20] sync: add helper to check encryption key acls and load key Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 11/20] fix #7251: api: push: encrypt snapshots using configured encryption key Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 12/20] ui: define and expose encryption key management menu item and windows Christian Ebner
2026-04-01 23:09   ` Thomas Lamprecht
2026-04-03  8:35     ` Dominik Csapak
2026-04-01 23:10   ` Thomas Lamprecht
2026-04-03 12:16   ` Dominik Csapak
2026-04-01  7:55 ` [PATCH proxmox-backup 13/20] ui: expose assigning encryption key to sync jobs Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 14/20] sync: pull: load encryption key if given in job config Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 15/20] sync: expand source chunk reader trait by crypt config Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 16/20] sync: pull: introduce and use decrypt index writer if " Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 17/20] sync: pull: extend encountered chunk by optional decrypted digest Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 18/20] sync: pull: decrypt blob files on pull if encryption key is configured Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 19/20] sync: pull: decrypt chunks and rewrite index file for matching key Christian Ebner
2026-04-01  7:55 ` [PATCH proxmox-backup 20/20] sync: pull: decrypt snapshots with matching encryption key fingerprint Christian Ebner
2026-04-02  0:25 ` [PATCH proxmox{,-backup} 00/20] fix #7251: implement server side encryption support for push sync jobs Thomas Lamprecht
2026-04-02  7:37   ` Christian Ebner
2026-04-08  7:50     ` Fabian Grünbichler
2026-04-08  8:13       ` Christian Ebner
2026-04-08  8:29         ` Thomas Lamprecht
2026-04-08  8:56           ` Christian Ebner
2026-04-08  9:03           ` Fabian Grünbichler
2026-04-03  8:39 ` Dominik Csapak
2026-04-03  8:50   ` Christian Ebner
2026-04-03  9:00     ` Dominik Csapak
2026-04-07 15:12 ` Manuel Federanko [this message]
2026-04-07 16:17   ` Christian Ebner
2026-04-08  7:29 ` David Riley
2026-04-08 15:11   ` Christian Ebner
