From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id C39241FF195 for ; Wed, 03 Jun 2026 20:05:09 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 1123D1581A; Wed, 3 Jun 2026 20:05:08 +0200 (CEST) From: Stoiko Ivanov To: pmg-devel@lists.proxmox.com Subject: [PATCH pmg-api 04/15] fix #3226: pbs backup: remote: add encryption key support Date: Wed, 3 Jun 2026 20:03:06 +0200 Message-ID: <20260603180445.98770-5-s.ivanov@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260603180445.98770-1-s.ivanov@proxmox.com> References: <20260603180445.98770-1-s.ivanov@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1780509859517 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.087 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: EMXATB4LZPEVIILO22AAYO76V7IUYJXM X-Message-ID-Hash: EMXATB4LZPEVIILO22AAYO76V7IUYJXM X-MailFrom: s.ivanov@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: semantically this is copied from pve-storage while using PVE::PBSClient. tested with `pmgbackup proxmox-backup remote` Signed-off-by: Stoiko Ivanov --- src/PMG/API2/PBS/Remote.pm | 46 ++++++++++++++++++++++++++++++++++++++ src/PMG/PBSConfig.pm | 6 +++++ 2 files changed, 52 insertions(+) diff --git a/src/PMG/API2/PBS/Remote.pm b/src/PMG/API2/PBS/Remote.pm index e5d63e68..881ab127 100644 --- a/src/PMG/API2/PBS/Remote.pm +++ b/src/PMG/API2/PBS/Remote.pm @@ -3,6 +3,8 @@ package PMG::API2::PBS::Remote; use strict; use warnings; +use JSON; + use PVE::SafeSyslog; use PVE::Tools qw(extract_param); use PVE::JSONSchema qw(get_standard_option); @@ -84,6 +86,26 @@ __PACKAGE__->register_method({ my $pbs = PVE::PBSClient->new($remotecfg, $remote, $conf->{secret_dir}); $pbs->set_password($password) if defined($password); + my $encryption_key = extract_param($remotecfg, 'encryption-key'); + + if (defined($encryption_key)) { + my $decoded_key; + if ($encryption_key eq 'autogen') { + $encryption_key = $pbs->autogen_encryption_key(); + $decoded_key = decode_json($encryption_key); + } else { + $decoded_key = eval { decode_json($encryption_key) }; + if ($@ || !exists($decoded_key->{data})) { + die + "Value does not seems like a valid, JSON formatted encryption key!\n"; + } + $pbs->set_encryption_key($encryption_key); + } + $remotecfg->{'encryption-key'} = $decoded_key->{fingerprint} || 1; + } else { + $pbs->delete_encryption_key(); + } + $ids->{$remote} = $remotecfg; $conf->write(); }; @@ -164,6 +186,9 @@ __PACKAGE__->register_method({ if ($opt eq 'password') { $pbs->delete_password(); } + if ($opt eq 'encryption-key') { + $pbs->delete_encryption_key(); + } delete $ids->{$remote}->{$opt}; } @@ -171,6 +196,26 @@ __PACKAGE__->register_method({ $pbs->set_password($password); } + if (exists($param->{'encryption-key'})) { + if (defined(my $encryption_key = extract_param($param, 'encryption-key'))) { + my $decoded_key; + if ($encryption_key eq 'autogen') { + $encryption_key = $pbs->autogen_encryption_key(); + $decoded_key = decode_json($encryption_key); + } else { + $decoded_key = eval { decode_json($encryption_key) }; + if ($@ || !exists($decoded_key->{data})) { + die + "Value does not seems like a valid, JSON formatted encryption key!\n"; + } + $pbs->set_encryption_key($encryption_key); + } + $param->{'encryption-key'} = $decoded_key->{fingerprint} || 1; + } else { + $pbs->delete_encryption_key(); + } + } + my $remoteconfig = PMG::PBSConfig->check_config($remote, $param, 0, 1); foreach my $p (keys %$remoteconfig) { @@ -217,6 +262,7 @@ __PACKAGE__->register_method({ my $pbs = PVE::PBSClient->new($ids->{$remote}, $remote, $conf->{secret_dir}); $pbs->delete_password(); + $pbs->delete_encryption_key(); delete $ids->{$remote}; $conf->write(); diff --git a/src/PMG/PBSConfig.pm b/src/PMG/PBSConfig.pm index 8498893c..4ceb81a3 100644 --- a/src/PMG/PBSConfig.pm +++ b/src/PMG/PBSConfig.pm @@ -125,6 +125,11 @@ sub properties { type => 'boolean', optional => 1, }, + 'encryption-key' => { + description => + "Encryption key. Use 'autogen' to generate one automatically without passphrase.", + type => 'string', + }, %prune_properties, }; } @@ -147,6 +152,7 @@ sub options { 'keep-weekly' => { optional => 1 }, 'keep-monthly' => { optional => 1 }, 'keep-yearly' => { optional => 1 }, + 'encryption-key' => { optional => 1 }, }; } -- 2.47.3