From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 353237B531 for ; Wed, 12 May 2021 11:55:31 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 2BEE5B975 for ; Wed, 12 May 2021 11:55:01 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 28D30B96A for ; Wed, 12 May 2021 11:55:00 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 0963C4654F for ; Wed, 12 May 2021 11:55:00 +0200 (CEST) To: pve-devel@lists.proxmox.com, =?UTF-8?Q?Fabian_Gr=c3=bcnbichler?= References: <20210208130835.2512356-1-f.gruenbichler@proxmox.com> From: Fabian Ebner Message-ID: Date: Wed, 12 May 2021 11:54:53 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0 MIME-Version: 1.0 In-Reply-To: <20210208130835.2512356-1-f.gruenbichler@proxmox.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.003 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH-SERIES 0/4] PBS master key integration X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 May 2021 09:55:31 -0000 Am 08.02.21 um 14:08 schrieb Fabian Grünbichler: > this series enables master key integration for PVE->PBS, by allowing the > configuration of a per-storage master key which is used for (encrypted) > VM and CT backups. > > while the diffs are small, the following bumps/dependencies/.. are required: > > proxmox-backup needs a bump (commits from other series) > pve-storage needs a bump + a versioned-dep on proxmox-backup-client (new > CLI parameters) > qemu-server needs a versioned-dependency on bumped pve-storage (new > storage plugin methods) > > qemu needs a bump + a versioned-dependency (build + RT) on > libproxmox-backup-qemu (API change) > libproxmox-backup-qemu needs a bump + breaks on pre-bump qemu (API > change) > > it might make sense to queue the libproxmox-backup-qemu and > proxmox-backup bumps together (the former directly references git of the > latter at the moment, instead of a tag). > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > Tried out the series and works as advertised. Test log with a few nits (one of them not even about this series, but the PBS docs): For the storage parameter in the man page: --master-pubkey a file containing a PEM-formatted master public key Base64-encoded, PEM-formatted public RSA key. Used tp encrypt a copy of the encryption-key which will be added to each encrypted backup. The description might be confusing, as one might wrongly think the file has to be base64 encoded. Also, there's a typo: "Used tp encrypt". Tested storage adding/update/removal with master-pubkey. The update hook does not check if there's an encryption key, but the add hook does. Maybe we can also check that the file's contents are actually a PEM public key? Tested backup+restore of a VM, with 1) downgraded pve-qemu-kvm=5.1.0-8 libproxmox-backup-qemu0=1.0.2-1 2) storage with master-pubkey but no encryption key Warnings show up in the log and master key is not used as expected. Tested backup+restore of a VM and a CT with correctly configured storage, also worked as expected. Removed the encryption key on the storage, restore fails. Restored the key from the backup with a master key as described in the PBS docs. Well, except for using '--kdf none' in the command below, so I could actually upload the keyfile to the storage again without running into an "Error: no password input mechanism available". From the PBS docs: 6. Then, use the previously generated master key to decrypt the file: # proxmox-backup-client key import-with-master-key /path/to/target --master-keyfile /path/to/master-private.pem --encrypted-keyfile /path/to/rsa-encrypted.key 7. The target file will now contain the encryption key information in plain text. The success of this can be confirmed by passing the resulting json file, with the --keyfile parameter, when decrypting files from the backup. Maybe we should mention something about the kdf, as the "file will now contain the encryption key information in plain text" is a bit misleading. Technically true, the information about the key is in plain text, but not the key itself ;) Now, restoring worked again. Also recovered the key from the CT backup and checked that it matched.