From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 228911FF195 for ; Wed, 03 Jun 2026 20:05:39 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5F8E115DD6; Wed, 3 Jun 2026 20:05:34 +0200 (CEST) From: Stoiko Ivanov To: pmg-devel@lists.proxmox.com Subject: [PATCH pmg-api 09/15] api: pmgbackup: add master-pubkey properties Date: Wed, 3 Jun 2026 20:03:11 +0200 Message-ID: <20260603180445.98770-10-s.ivanov@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260603180445.98770-1-s.ivanov@proxmox.com> References: <20260603180445.98770-1-s.ivanov@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1780509859811 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.087 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: 3D7PCBVYA2KQHD4WNRBX2WWHK6C37V2L X-Message-ID-Hash: 3D7PCBVYA2KQHD4WNRBX2WWHK6C37V2L X-MailFrom: s.ivanov@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: adapted from pve-storage commit c56f7a7 ("pbs: allow setting up a master key") the actual invocation of proxmox-backup-client with the master-key needs a versioned dependency bump on pve-common. Signed-off-by: Stoiko Ivanov --- src/PMG/API2/PBS/Remote.pm | 28 ++++++++++++++++++++++++++++ src/PMG/CLI/pmgbackup.pm | 15 +++++++++++++-- src/PMG/PBSConfig.pm | 6 ++++++ 3 files changed, 47 insertions(+), 2 deletions(-) diff --git a/src/PMG/API2/PBS/Remote.pm b/src/PMG/API2/PBS/Remote.pm index b5b9c3ad..397d802b 100644 --- a/src/PMG/API2/PBS/Remote.pm +++ b/src/PMG/API2/PBS/Remote.pm @@ -4,6 +4,7 @@ use strict; use warnings; use JSON; +use MIME::Base64 qw(decode_base64); use PVE::SafeSyslog; use PVE::Tools qw(extract_param); @@ -102,6 +103,7 @@ __PACKAGE__->register_method({ $remote = extract_param($param, 'remote'); die "PBS remote '$remote' already exists\n" if $ids->{$remote}; + my $master_key = extract_param($param, 'master-pubkey'); my $remotecfg = PMG::PBSConfig->check_config($remote, $param, 1); my $password = extract_param($remotecfg, 'password'); @@ -129,6 +131,17 @@ __PACKAGE__->register_method({ $pbs->delete_encryption_key(); } + if (defined($master_key)) { + die "'master-pubkey' can only be used together with 'encryption-key'\n" + if !defined($remotecfg->{'encryption-key'}); + + my $decoded = decode_base64($master_key); + $pbs->set_master_pubkey($decoded); + $remotecfg->{'master-pubkey'} = 1; + } else { + $pbs->delete_master_pubkey(); + } + $ids->{$remote} = $remotecfg; $conf->write(); }; @@ -241,6 +254,9 @@ __PACKAGE__->register_method({ if ($opt eq 'encryption-key') { $pbs->delete_encryption_key(); } + if ($opt eq 'master-pubkey') { + $pbs->delete_master_pubkey(); + } delete $ids->{$remote}->{$opt}; } @@ -268,6 +284,17 @@ __PACKAGE__->register_method({ } } + if (exists($param->{'master-pubkey'})) { + if (defined(my $master_key = extract_param($param, 'master-pubkey'))) { + my $decoded = decode_base64($master_key); + + $pbs->set_master_pubkey($decoded); + $param->{'master-pubkey'} = 1; + } else { + $pbs->delete_master_pubkey(); + } + } + my $remoteconfig = PMG::PBSConfig->check_config($remote, $param, 0, 1); foreach my $p (keys %$remoteconfig) { @@ -322,6 +349,7 @@ __PACKAGE__->register_method({ my $pbs = PVE::PBSClient->new($ids->{$remote}, $remote, $conf->{secret_dir}); $pbs->delete_password(); $pbs->delete_encryption_key(); + $pbs->delete_master_pubkey(); delete $ids->{$remote}; $conf->write(); diff --git a/src/PMG/CLI/pmgbackup.pm b/src/PMG/CLI/pmgbackup.pm index 9ef0c3c7..43428ef2 100644 --- a/src/PMG/CLI/pmgbackup.pm +++ b/src/PMG/CLI/pmgbackup.pm @@ -3,6 +3,8 @@ package PMG::CLI::pmgbackup; use strict; use warnings; +use MIME::Base64 qw(encode_base64); + use PVE::Tools; use PVE::SafeSyslog; use PVE::INotify; @@ -43,9 +45,18 @@ sub param_mapping { }, }; + my $master_key_map = { + name => 'master-pubkey', + desc => 'a file containing a PEM-formatted master public key', + func => sub { + my ($value) = @_; + return encode_base64(PVE::Tools::file_get_contents($value), ''); + }, + }; + my $mapping = { - 'create' => [$password_map, $enc_key_map], - 'update_config' => [$password_map, $enc_key_map], + 'create' => [$password_map, $enc_key_map, $master_key_map], + 'update_config' => [$password_map, $enc_key_map, $master_key_map], }; return $mapping->{$name}; } diff --git a/src/PMG/PBSConfig.pm b/src/PMG/PBSConfig.pm index 4ceb81a3..ec4b5405 100644 --- a/src/PMG/PBSConfig.pm +++ b/src/PMG/PBSConfig.pm @@ -130,6 +130,11 @@ sub properties { "Encryption key. Use 'autogen' to generate one automatically without passphrase.", type => 'string', }, + 'master-pubkey' => { + description => + "Base64-encoded, PEM-formatted public RSA key. Used to encrypt a copy of the encryption-key which will be added to each encrypted backup.", + type => 'string', + }, %prune_properties, }; } @@ -153,6 +158,7 @@ sub options { 'keep-monthly' => { optional => 1 }, 'keep-yearly' => { optional => 1 }, 'encryption-key' => { optional => 1 }, + 'master-pubkey' => { optional => 1 }, }; } -- 2.47.3