public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [PATCH pmg-api 04/15] fix #3226: pbs backup: remote: add encryption key support
Date: Wed,  3 Jun 2026 20:03:06 +0200	[thread overview]
Message-ID: <20260603180445.98770-5-s.ivanov@proxmox.com> (raw)
In-Reply-To: <20260603180445.98770-1-s.ivanov@proxmox.com>

semantically this is copied from pve-storage while using
PVE::PBSClient.

tested with `pmgbackup proxmox-backup remote`

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/API2/PBS/Remote.pm | 46 ++++++++++++++++++++++++++++++++++++++
 src/PMG/PBSConfig.pm       |  6 +++++
 2 files changed, 52 insertions(+)

diff --git a/src/PMG/API2/PBS/Remote.pm b/src/PMG/API2/PBS/Remote.pm
index e5d63e68..881ab127 100644
--- a/src/PMG/API2/PBS/Remote.pm
+++ b/src/PMG/API2/PBS/Remote.pm
@@ -3,6 +3,8 @@ package PMG::API2::PBS::Remote;
 use strict;
 use warnings;
 
+use JSON;
+
 use PVE::SafeSyslog;
 use PVE::Tools qw(extract_param);
 use PVE::JSONSchema qw(get_standard_option);
@@ -84,6 +86,26 @@ __PACKAGE__->register_method({
             my $pbs = PVE::PBSClient->new($remotecfg, $remote, $conf->{secret_dir});
             $pbs->set_password($password) if defined($password);
 
+            my $encryption_key = extract_param($remotecfg, 'encryption-key');
+
+            if (defined($encryption_key)) {
+                my $decoded_key;
+                if ($encryption_key eq 'autogen') {
+                    $encryption_key = $pbs->autogen_encryption_key();
+                    $decoded_key = decode_json($encryption_key);
+                } else {
+                    $decoded_key = eval { decode_json($encryption_key) };
+                    if ($@ || !exists($decoded_key->{data})) {
+                        die
+                            "Value does not seems like a valid, JSON formatted encryption key!\n";
+                    }
+                    $pbs->set_encryption_key($encryption_key);
+                }
+                $remotecfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1;
+            } else {
+                $pbs->delete_encryption_key();
+            }
+
             $ids->{$remote} = $remotecfg;
             $conf->write();
         };
@@ -164,6 +186,9 @@ __PACKAGE__->register_method({
                 if ($opt eq 'password') {
                     $pbs->delete_password();
                 }
+                if ($opt eq 'encryption-key') {
+                    $pbs->delete_encryption_key();
+                }
                 delete $ids->{$remote}->{$opt};
             }
 
@@ -171,6 +196,26 @@ __PACKAGE__->register_method({
                 $pbs->set_password($password);
             }
 
+            if (exists($param->{'encryption-key'})) {
+                if (defined(my $encryption_key = extract_param($param, 'encryption-key'))) {
+                    my $decoded_key;
+                    if ($encryption_key eq 'autogen') {
+                        $encryption_key = $pbs->autogen_encryption_key();
+                        $decoded_key = decode_json($encryption_key);
+                    } else {
+                        $decoded_key = eval { decode_json($encryption_key) };
+                        if ($@ || !exists($decoded_key->{data})) {
+                            die
+                                "Value does not seems like a valid, JSON formatted encryption key!\n";
+                        }
+                        $pbs->set_encryption_key($encryption_key);
+                    }
+                    $param->{'encryption-key'} = $decoded_key->{fingerprint} || 1;
+                } else {
+                    $pbs->delete_encryption_key();
+                }
+            }
+
             my $remoteconfig = PMG::PBSConfig->check_config($remote, $param, 0, 1);
 
             foreach my $p (keys %$remoteconfig) {
@@ -217,6 +262,7 @@ __PACKAGE__->register_method({
 
             my $pbs = PVE::PBSClient->new($ids->{$remote}, $remote, $conf->{secret_dir});
             $pbs->delete_password();
+            $pbs->delete_encryption_key();
             delete $ids->{$remote};
 
             $conf->write();
diff --git a/src/PMG/PBSConfig.pm b/src/PMG/PBSConfig.pm
index 8498893c..4ceb81a3 100644
--- a/src/PMG/PBSConfig.pm
+++ b/src/PMG/PBSConfig.pm
@@ -125,6 +125,11 @@ sub properties {
             type => 'boolean',
             optional => 1,
         },
+        'encryption-key' => {
+            description =>
+                "Encryption key. Use 'autogen' to generate one automatically without passphrase.",
+            type => 'string',
+        },
         %prune_properties,
     };
 }
@@ -147,6 +152,7 @@ sub options {
         'keep-weekly' => { optional => 1 },
         'keep-monthly' => { optional => 1 },
         'keep-yearly' => { optional => 1 },
+        'encryption-key' => { optional => 1 },
     };
 }
 
-- 
2.47.3





  parent reply	other threads:[~2026-06-03 18:05 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-03 18:03 [PATCH pve-common/pmg-api/pmg-docs/pmg-gui 00/15] fix #3226: add support for encrypted backups Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pve-common 01/15] pbs-client: autogen key: rename old one if existing Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pve-common 02/15] pbs-client: add support for master public key Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-api 03/15] api: pbs remote: fix delete_password invocation Stoiko Ivanov
2026-06-03 18:03 ` Stoiko Ivanov [this message]
2026-06-03 18:03 ` [PATCH pmg-api 05/15] pbs: job: add encrypted state to snapshot listing Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-api 06/15] pbs: job: add verification " Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-api 07/15] pmgbackup: add encypted and verification state to output Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-api 08/15] api: pbs remote create/update: return parts of the configuration Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-api 09/15] api: pmgbackup: add master-pubkey properties Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-gui 10/15] pbs: snapshotview: add missing gettext invocations Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-gui 11/15] utils: copy pbs helpers from pve-manager Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-gui 12/15] fix #3326: ui: pbs remote: add encryption tab to edit window Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-gui 13/15] ui: pbs remote: allow to downloading/print new encryption key Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-gui 14/15] ui: pbs snapshotview: add encryption and verification state Stoiko Ivanov
2026-06-03 18:03 ` [PATCH pmg-docs 15/15] pmgbackup: minimally document support for encrypted backups Stoiko Ivanov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260603180445.98770-5-s.ivanov@proxmox.com \
    --to=s.ivanov@proxmox.com \
    --cc=pmg-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal