From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [PATCH pmg-api 09/15] api: pmgbackup: add master-pubkey properties
Date: Wed, 3 Jun 2026 20:03:11 +0200 [thread overview]
Message-ID: <20260603180445.98770-10-s.ivanov@proxmox.com> (raw)
In-Reply-To: <20260603180445.98770-1-s.ivanov@proxmox.com>
adapted from pve-storage commit
c56f7a7 ("pbs: allow setting up a master key")
the actual invocation of proxmox-backup-client with the master-key
needs a versioned dependency bump on pve-common.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/API2/PBS/Remote.pm | 28 ++++++++++++++++++++++++++++
src/PMG/CLI/pmgbackup.pm | 15 +++++++++++++--
src/PMG/PBSConfig.pm | 6 ++++++
3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/src/PMG/API2/PBS/Remote.pm b/src/PMG/API2/PBS/Remote.pm
index b5b9c3ad..397d802b 100644
--- a/src/PMG/API2/PBS/Remote.pm
+++ b/src/PMG/API2/PBS/Remote.pm
@@ -4,6 +4,7 @@ use strict;
use warnings;
use JSON;
+use MIME::Base64 qw(decode_base64);
use PVE::SafeSyslog;
use PVE::Tools qw(extract_param);
@@ -102,6 +103,7 @@ __PACKAGE__->register_method({
$remote = extract_param($param, 'remote');
die "PBS remote '$remote' already exists\n" if $ids->{$remote};
+ my $master_key = extract_param($param, 'master-pubkey');
my $remotecfg = PMG::PBSConfig->check_config($remote, $param, 1);
my $password = extract_param($remotecfg, 'password');
@@ -129,6 +131,17 @@ __PACKAGE__->register_method({
$pbs->delete_encryption_key();
}
+ if (defined($master_key)) {
+ die "'master-pubkey' can only be used together with 'encryption-key'\n"
+ if !defined($remotecfg->{'encryption-key'});
+
+ my $decoded = decode_base64($master_key);
+ $pbs->set_master_pubkey($decoded);
+ $remotecfg->{'master-pubkey'} = 1;
+ } else {
+ $pbs->delete_master_pubkey();
+ }
+
$ids->{$remote} = $remotecfg;
$conf->write();
};
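Review bot: `decode_base64($master_key)` on the `my $decoded` line skips characters outside the base64 alphabet instead of failing, so malformed or empty input reaches `$pbs->set_master_pubkey($decoded)` unchecked while the config still records `'master-pubkey' = 1`. Whether `set_master_pubkey` validates its argument is not visible here. If it does not, a guard before the call such as `die "invalid 'master-pubkey' - expected a PEM public key\n" if $decoded !~ m/^-----BEGIN (?:RSA )?PUBLIC KEY-----/;` would reject bad input at the API boundary rather than at the first encrypted backup. The same decode-and-store sequence appears in the update hunk (`@@ -268,6 +284,17 @@`). The enclosing handler starts and ends outside this hunk.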
@@ -241,6 +254,9 @@ __PACKAGE__->register_method({
if ($opt eq 'encryption-key') {
$pbs->delete_encryption_key();
}
+ if ($opt eq 'master-pubkey') {
+ $pbs->delete_master_pubkey();
+ }
delete $ids->{$remote}->{$opt};
}
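Review bot: Deleting 'encryption-key' in this loop leaves a configured 'master-pubkey' (key file and config flag) in place. The set path in the following hunk (`if (exists($param->{'master-pubkey'}))`) also stores a master key without the `can only be used together with 'encryption-key'` check that the create handler has, so update can reach a state that create rejects. I would either call `$pbs->delete_master_pubkey()` and drop the config entry together with the encryption key here, or die when the resulting config has 'master-pubkey' but no 'encryption-key'. The merged config is built outside the visible lines, so the right place for that check needs confirming.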
@@ -268,6 +284,17 @@ __PACKAGE__->register_method({
}
}
+ if (exists($param->{'master-pubkey'})) {
+ if (defined(my $master_key = extract_param($param, 'master-pubkey'))) {
+ my $decoded = decode_base64($master_key);
+
+ $pbs->set_master_pubkey($decoded);
+ $param->{'master-pubkey'} = 1;
+ } else {
+ $pbs->delete_master_pubkey();
+ }
+ }
+
my $remoteconfig = PMG::PBSConfig->check_config($remote, $param, 0, 1);
foreach my $p (keys %$remoteconfig) {
@@ -322,6 +349,7 @@ __PACKAGE__->register_method({
my $pbs = PVE::PBSClient->new($ids->{$remote}, $remote, $conf->{secret_dir});
$pbs->delete_password();
$pbs->delete_encryption_key();
+ $pbs->delete_master_pubkey();
delete $ids->{$remote};
$conf->write();
diff --git a/src/PMG/CLI/pmgbackup.pm b/src/PMG/CLI/pmgbackup.pm
index 9ef0c3c7..43428ef2 100644
--- a/src/PMG/CLI/pmgbackup.pm
+++ b/src/PMG/CLI/pmgbackup.pm
@@ -3,6 +3,8 @@ package PMG::CLI::pmgbackup;
use strict;
use warnings;
+use MIME::Base64 qw(encode_base64);
+
use PVE::Tools;
use PVE::SafeSyslog;
use PVE::INotify;
@@ -43,9 +45,18 @@ sub param_mapping {
},
};
+ my $master_key_map = {
+ name => 'master-pubkey',
+ desc => 'a file containing a PEM-formatted master public key',
+ func => sub {
+ my ($value) = @_;
+ return encode_base64(PVE::Tools::file_get_contents($value), '');
+ },
+ };
+
my $mapping = {
- 'create' => [$password_map, $enc_key_map],
- 'update_config' => [$password_map, $enc_key_map],
+ 'create' => [$password_map, $enc_key_map, $master_key_map],
+ 'update_config' => [$password_map, $enc_key_map, $master_key_map],
};
return $mapping->{$name};
}
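Review bot: The `func` in `$master_key_map` encodes whatever file is named and hands it to the API, so pointing it at the private half of the master key pair by mistake would copy that key onto the PMG host, which defeats the purpose of keeping the master private key away from the machine being backed up. Reading the file into a variable first and refusing content that matches `/PRIVATE KEY-----/`, with something like `die "'$value' contains a private key, expected the public key\n"`, catches this before anything leaves the CLI. `param_mapping` starts above the hunk.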
diff --git a/src/PMG/PBSConfig.pm b/src/PMG/PBSConfig.pm
index 4ceb81a3..ec4b5405 100644
--- a/src/PMG/PBSConfig.pm
+++ b/src/PMG/PBSConfig.pm
@@ -130,6 +130,11 @@ sub properties {
"Encryption key. Use 'autogen' to generate one automatically without passphrase.",
type => 'string',
},
+ 'master-pubkey' => {
+ description =>
+ "Base64-encoded, PEM-formatted public RSA key. Used to encrypt a copy of the encryption-key which will be added to each encrypted backup.",
+ type => 'string',
+ },
%prune_properties,
};
}
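Review bot: The description of 'master-pubkey' covers only the API input, but the create and update handlers in this patch store `1` under this key after passing the decoded key to `set_master_pubkey`, so in the section config the property is a flag, not key material. I would state that in the description, for example by appending `The configuration only records that a master key is set; the key itself is stored separately.` Where the key ends up (presumably the remote's secret directory) is not visible in these hunks. `properties` starts above the hunk.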
@@ -153,6 +158,7 @@ sub options {
'keep-monthly' => { optional => 1 },
'keep-yearly' => { optional => 1 },
'encryption-key' => { optional => 1 },
+ 'master-pubkey' => { optional => 1 },
};
}
--
2.47.3