From: Christian Ebner <c.ebner@proxmox.com>
To: Dominik Csapak <d.csapak@proxmox.com>, pbs-devel@lists.proxmox.com
Subject: Re: [PATCH proxmox{,-backup} 00/20] fix #7251: implement server side encryption support for push sync jobs
Date: Fri, 3 Apr 2026 10:50:04 +0200 [thread overview]
Message-ID: <f89451f7-2056-4443-9853-c4fbe96b2345@proxmox.com> (raw)
In-Reply-To: <9cee8a5c-993d-4b27-9bcb-16df67a63a76@proxmox.com>
On 4/3/26 10:38 AM, Dominik Csapak wrote:
> high level question before i dive deeper into the ui part:
>
> do the encryption keys have any overlap with tape encryption keys?
>
> we already have a ui for that there. maybe we could unify that?
Not really matching the encryption key handling for the tape, no. We did
not want to allow for password protected encryption keys (discussed of
list with Fabian) and therefore I opted to follow more along the line of
what we do for PVE, at least with respect to the UI.
> Personally it's not a blocker for me, but we should think
> of merging them in the long run. I think it would be better
> to only have one place to create/manage encryption keys (per product)
The encryption keys for tapes are already strongly intertwined with the
code there, I did not feel confident to move keys and configs there.
Rather I would have this as possible breaking change for PBS 5.0, where
we could possibly merge config. Also, it was discussed to have some
better mechanism for secret handling in the future (e.g. for the
password protected keys).
> If it's technically not compatible/viable to merge these in the backend,
> we could still write the gui in a way to only have one place but
> manage two types of keys (with different api paths, etc.)
The key handling there is slightly different though, so not sure if this
will be compatible.
> sorry if that is already answered in one of your patches,but
> just saw the encryption key gui before going in and wanted to write
> that out.
>
> On 4/1/26 9:55 AM, Christian Ebner wrote:
>> This patch series implements support for encrypting backup snapshots
>> when pushing from a source PBS instance to an untrusted remote target
>> PBS instance. Further, it adds support to decrypt snapshots being
>> encrypted on the remote source PBS when pulling the contents to the
>> local target PBS instance. This allows to perform full server side
>> encryption/decryption when syncing with a less trusted remote PBS.
>>
>> In order to encrypt/decrypt snapshots, a new encryption key entity
>> is introduced, to be created as global instance on the PBS, placed and
>> managed by it's own dedicated config. Keys with secret are stored
>> in dedicated files so they only need to be loaded when accessing the
>> key, not for listing of configuration.
>>
>> The sync jobs in push and pull direction are extended to receive an
>> additional encryption key parameter, allowing the given key to be
>> used for encryption/decription of snapshots, depending on the sync
>> direction. In order to encrypt/decrypt the contents, chunks, index
>> files, blobs and manifest are additionally processed, rewritten when
>> required.
>>
>> Link to the bugtracker issue:
>> https://bugzilla.proxmox.com/show_bug.cgi?id=7251
>>
>>
>> proxmox:
>>
>> Christian Ebner (2):
>> pbs-api-types: define encryption key type and schema
>> pbs-api-types: sync job: add optional encryption key to config
>>
>> pbs-api-types/src/jobs.rs | 11 ++++++++--
>> pbs-api-types/src/key_derivation.rs | 34 ++++++++++++++++++++++++++---
>> pbs-api-types/src/lib.rs | 2 +-
>> 3 files changed, 41 insertions(+), 6 deletions(-)
>>
>>
>> proxmox-backup:
>>
>> Christian Ebner (18):
>> pbs-key-config: introduce store_with() for KeyConfig
>> pbs-config: implement encryption key config handling
>> pbs-config: acls: add 'encryption-keys' as valid 'system' subpath
>> ui: expose 'encryption-keys' as acl subpath for 'system'
>> api: config: add endpoints for encryption key manipulation
>> api: config: allow encryption key manipulation for sync job
>> sync: push: rewrite manifest instead of pushing pre-existing one
>> sync: add helper to check encryption key acls and load key
>> fix #7251: api: push: encrypt snapshots using configured encryption
>> key
>> ui: define and expose encryption key management menu item and windows
>> ui: expose assigning encryption key to sync jobs
>> sync: pull: load encryption key if given in job config
>> sync: expand source chunk reader trait by crypt config
>> sync: pull: introduce and use decrypt index writer if crypt config
>> sync: pull: extend encountered chunk by optional decrypted digest
>> sync: pull: decrypt blob files on pull if encryption key is configured
>> sync: pull: decrypt chunks and rewrite index file for matching key
>> sync: pull: decrypt snapshots with matching encryption key fingerprint
>>
>> pbs-config/Cargo.toml | 1 +
>> pbs-config/src/acl.rs | 4 +-
>> pbs-config/src/encryption_keys.rs | 159 +++++++++++
>> pbs-config/src/lib.rs | 1 +
>> pbs-key-config/src/lib.rs | 36 ++-
>> src/api2/config/encryption_keys.rs | 115 ++++++++
>> src/api2/config/mod.rs | 2 +
>> src/api2/config/sync.rs | 10 +
>> src/api2/pull.rs | 15 +-
>> src/api2/push.rs | 14 +-
>> src/server/pull.rs | 416 ++++++++++++++++++++++++-----
>> src/server/push.rs | 222 +++++++++++----
>> src/server/sync.rs | 57 +++-
>> www/Makefile | 3 +
>> www/NavigationTree.js | 6 +
>> www/Utils.js | 1 +
>> www/config/EncryptionKeysView.js | 143 ++++++++++
>> www/form/EncryptionKeySelector.js | 59 ++++
>> www/form/PermissionPathSelector.js | 1 +
>> www/window/EncryptionKeysEdit.js | 382 ++++++++++++++++++++++++++
>> www/window/SyncJobEdit.js | 11 +
>> 21 files changed, 1512 insertions(+), 146 deletions(-)
>> create mode 100644 pbs-config/src/encryption_keys.rs
>> create mode 100644 src/api2/config/encryption_keys.rs
>> create mode 100644 www/config/EncryptionKeysView.js
>> create mode 100644 www/form/EncryptionKeySelector.js
>> create mode 100644 www/window/EncryptionKeysEdit.js
>>
>>
>> Summary over all repositories:
>> 24 files changed, 1553 insertions(+), 152 deletions(-)
>>
>
next prev parent reply other threads:[~2026-04-03 8:49 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-01 7:55 Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox 01/20] pbs-api-types: define encryption key type and schema Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox 02/20] pbs-api-types: sync job: add optional encryption key to config Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 03/20] pbs-key-config: introduce store_with() for KeyConfig Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 04/20] pbs-config: implement encryption key config handling Christian Ebner
2026-04-01 23:27 ` Thomas Lamprecht
2026-04-02 7:09 ` Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 05/20] pbs-config: acls: add 'encryption-keys' as valid 'system' subpath Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 06/20] ui: expose 'encryption-keys' as acl subpath for 'system' Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 07/20] api: config: add endpoints for encryption key manipulation Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 08/20] api: config: allow encryption key manipulation for sync job Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 09/20] sync: push: rewrite manifest instead of pushing pre-existing one Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 10/20] sync: add helper to check encryption key acls and load key Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 11/20] fix #7251: api: push: encrypt snapshots using configured encryption key Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 12/20] ui: define and expose encryption key management menu item and windows Christian Ebner
2026-04-01 23:09 ` Thomas Lamprecht
2026-04-03 8:35 ` Dominik Csapak
2026-04-01 23:10 ` Thomas Lamprecht
2026-04-03 12:16 ` Dominik Csapak
2026-04-01 7:55 ` [PATCH proxmox-backup 13/20] ui: expose assigning encryption key to sync jobs Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 14/20] sync: pull: load encryption key if given in job config Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 15/20] sync: expand source chunk reader trait by crypt config Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 16/20] sync: pull: introduce and use decrypt index writer if " Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 17/20] sync: pull: extend encountered chunk by optional decrypted digest Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 18/20] sync: pull: decrypt blob files on pull if encryption key is configured Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 19/20] sync: pull: decrypt chunks and rewrite index file for matching key Christian Ebner
2026-04-01 7:55 ` [PATCH proxmox-backup 20/20] sync: pull: decrypt snapshots with matching encryption key fingerprint Christian Ebner
2026-04-02 0:25 ` [PATCH proxmox{,-backup} 00/20] fix #7251: implement server side encryption support for push sync jobs Thomas Lamprecht
2026-04-02 7:37 ` Christian Ebner
2026-04-03 8:39 ` Dominik Csapak
2026-04-03 8:50 ` Christian Ebner [this message]
2026-04-03 9:00 ` Dominik Csapak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f89451f7-2056-4443-9853-c4fbe96b2345@proxmox.com \
--to=c.ebner@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox