public inbox for pve-devel@lists.proxmox.com
From: Fabian Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com,
	"Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Subject: Re: [pve-devel] [PATCH-SERIES 0/4] PBS master key integration
Date: Wed, 12 May 2021 11:54:53 +0200	[thread overview]
Message-ID: <d1ba76c3-5ef1-8a1e-769c-a3dd29ee2f2c@proxmox.com> (raw)
In-Reply-To: <20210208130835.2512356-1-f.gruenbichler@proxmox.com>

Am 08.02.21 um 14:08 schrieb Fabian Grünbichler:
> this series enables master key integration for PVE->PBS, by allowing the
> configuration of a per-storage master key which is used for (encrypted)
> VM and CT backups.
> 
> while the diffs are small, the following bumps/dependencies/.. are required:
> 
> proxmox-backup needs a bump (commits from other series)
> pve-storage needs a bump + a versioned-dep on proxmox-backup-client (new
> CLI parameters)
> qemu-server needs a versioned-dependency on bumped pve-storage (new
> storage plugin methods)
> 
> qemu needs a bump + a versioned-dependency (build + RT) on
> libproxmox-backup-qemu (API change)
> libproxmox-backup-qemu needs a bump + breaks on pre-bump qemu (API
> change)
> 
> it might make sense to queue the libproxmox-backup-qemu and
> proxmox-backup bumps together (the former directly references git of the
> latter at the moment, instead of a tag).
> 
> 
> 

Tried out the series and it works as advertised. Test log with a few nits 
(one of them not even about this series, but the PBS docs):


For the storage parameter in the man page:

--master-pubkey a file containing a PEM-formatted master public key 
     Base64-encoded, PEM-formatted public RSA key. Used tp encrypt a 
copy of the encryption-key which will be added to each encrypted backup.

The description might be confusing, as one might wrongly think the file 
has to be base64 encoded. Also, there's a typo: "Used tp encrypt".


Tested storage adding/update/removal with master-pubkey. The update hook 
does not check if there's an encryption key, but the add hook does. 
Maybe we can also check that the file's contents are actually a PEM 
public key?


Tested backup+restore of a VM, with
1) downgraded pve-qemu-kvm=5.1.0-8 libproxmox-backup-qemu0=1.0.2-1
2) storage with master-pubkey but no encryption key
Warnings show up in the log and master key is not used as expected.


Tested backup+restore of a VM and a CT with correctly configured 
storage, also worked as expected.


Removed the encryption key on the storage, restore fails.

Restored the key from the backup with a master key as described in the 
PBS docs. Well, except for using '--kdf none' in the command below, so I 
could actually upload the keyfile to the storage again without running 
into an "Error: no password input mechanism available". From the PBS docs:

6. Then, use the previously generated master key to decrypt the file:

# proxmox-backup-client key import-with-master-key /path/to/target 
--master-keyfile /path/to/master-private.pem --encrypted-keyfile 
/path/to/rsa-encrypted.key

7. The target file will now contain the encryption key information in 
plain text. The success of this can be confirmed by passing the 
resulting json file, with the --keyfile parameter, when decrypting files 
from the backup.

Maybe we should mention something about the kdf, as the "file will now 
contain the encryption key information in plain text" is a bit 
misleading. Technically true, the information about the key is in plain 
text, but not the key itself ;)

Now, restoring worked again. Also recovered the key from the CT backup 
and checked that it matched.
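
To make the master-key escrow flow tested above concrete, here is an added shell example. It is not part of this mail nor of the Proxmox code base, and it does not use proxmox-backup-client or the PBS keyfile format: it models the scheme with openssl only. A random symmetric backup key stands in for the storage's encryption key, an RSA key pair stands in for the master key, and the wrapped copy stored next to the backup is recovered with the private half alone. The file names master-private.pem and rsa-encrypted.key are borrowed from the PBS docs quoted above; the RSA-OAEP wrapping, the hex-encoded key and the helper names are assumptions of this model.

```shell
# Added illustrative example (not proxmox-backup-client code): models the
# master-key scheme with openssl. A symmetric backup key is wrapped with an
# RSA "master" public key; only the private key can unwrap it later, which
# is what allows a restore after the storage's own keyfile has been lost.
set -eu

WORK=$(mktemp -d)

# 1. Master key pair: the public half is what a storage would carry
#    (compare --master-pubkey), the private half stays offline.
gen_master_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/master-private.pem" 2>/dev/null
    openssl pkey -in "$WORK/master-private.pem" -pubout \
        -out "$WORK/master-public.pem"
}

# 2. Per-storage symmetric encryption key: 32 random bytes, hex-encoded here
#    so it is easy to compare (assumption of the model; the real keyfile is
#    JSON with a kdf field, which is the point raised about the docs above).
gen_backup_key() {
    openssl rand -hex 32 > "$WORK/backup.key"
}

# 3. What the backup side does: store an RSA-OAEP-wrapped copy of the key
#    alongside the encrypted backup.
wrap_key() {
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/master-public.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/backup.key" -out "$WORK/rsa-encrypted.key"
}

# 4. Recovery: unwrap the stored copy with the master private key.
unwrap_key() {
    openssl pkeyutl -decrypt -inkey "$WORK/master-private.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/rsa-encrypted.key" -out "$WORK/recovered.key"
}

# Returns 0 when the recovered key equals the original, 1 otherwise.
keys_match() {
    cmp -s "$WORK/backup.key" "$WORK/recovered.key"
}

# Returns 0 when the wrapped copy does not leak the key material in clear.
wrapped_is_opaque() {
    ! grep -q "$(cat "$WORK/backup.key")" "$WORK/rsa-encrypted.key"
}

gen_master_key
gen_backup_key
wrap_key
unwrap_key
keys_match && echo "recovered key matches original"
```

The model stops where the kdf discussion above begins: a real keyfile that was generated with a kdf other than none wraps the key material once more under a passphrase, so the recovered file is readable JSON but still needs that passphrase before the key itself is usable; generating the key with `--kdf none` is what avoided the password prompt in the test above.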




Thread overview:
2021-02-08 13:08 Fabian Grünbichler
2021-02-08 13:08 ` [pve-devel] [PATCH proxmox-backup-qemu] api: add master key support Fabian Grünbichler
2021-02-12 14:38   ` [pve-devel] applied: " Thomas Lamprecht
2021-02-08 13:08 ` [pve-devel] [PATCH qemu] pbs: " Fabian Grünbichler
2021-02-10 11:05   ` Stefan Reiter
2021-02-10 12:52     ` Fabian Grünbichler
2021-02-08 13:08 ` [pve-devel] [PATCH v2 storage] pbs: allow setting up a master key Fabian Grünbichler
2021-04-22 20:00   ` [pve-devel] applied: " Thomas Lamprecht
2021-02-08 13:08 ` [pve-devel] [PATCH qemu-server] vzdump: add master key support Fabian Grünbichler
2021-05-28 11:50   ` Thomas Lamprecht
2021-05-28 12:09     ` [pve-devel] [PATCH REBASE " Fabian Grünbichler
2021-06-02 14:51       ` [pve-devel] applied: " Thomas Lamprecht
2021-05-12  9:54 ` Fabian Ebner [this message]
