]> git.proxmox.com Git - proxmox-backup.git/blob - src/bin/proxmox_backup_client/key.rs
projects / proxmox-backup.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
paperkey: move code to src/tools/paperkey.rs
[proxmox-backup.git] / src / bin / proxmox_backup_client / key.rs
1 use std::path::PathBuf;
2
3 use anyhow::{bail, format_err, Error};
4 use serde_json::Value;
5
6 use proxmox::api::api;
7 use proxmox::api::cli::{
8 ColumnConfig,
9 CliCommand,
10 CliCommandMap,
11 format_and_print_result_full,
12 get_output_format,
13 OUTPUT_FORMAT,
14 };
15 use proxmox::api::router::ReturnType;
16 use proxmox::sys::linux::tty;
17 use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
18
19 use proxmox_backup::{
20 tools::paperkey::{
21 PaperkeyFormat,
22 generate_paper_key,
23 },
24 api2::types::{
25 PASSWORD_HINT_SCHEMA,
26 KeyInfo,
27 Kdf,
28 },
29 backup::{
30 rsa_decrypt_key_config,
31 KeyConfig,
32 },
33 tools,
34 };
35
36 pub const DEFAULT_ENCRYPTION_KEY_FILE_NAME: &str = "encryption-key.json";
37 pub const MASTER_PUBKEY_FILE_NAME: &str = "master-public.pem";
38
39 pub fn find_master_pubkey() -> Result<Option<PathBuf>, Error> {
40 super::find_xdg_file(MASTER_PUBKEY_FILE_NAME, "main public key file")
41 }
42
43 pub fn place_master_pubkey() -> Result<PathBuf, Error> {
44 super::place_xdg_file(MASTER_PUBKEY_FILE_NAME, "main public key file")
45 }
46
47 pub fn find_default_encryption_key() -> Result<Option<PathBuf>, Error> {
48 super::find_xdg_file(DEFAULT_ENCRYPTION_KEY_FILE_NAME, "default encryption key file")
49 }
50
51 pub fn place_default_encryption_key() -> Result<PathBuf, Error> {
52 super::place_xdg_file(DEFAULT_ENCRYPTION_KEY_FILE_NAME, "default encryption key file")
53 }
54
55 pub fn read_optional_default_encryption_key() -> Result<Option<Vec<u8>>, Error> {
56 find_default_encryption_key()?
57 .map(file_get_contents)
58 .transpose()
59 }
60
61 pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> {
62 // fixme: implement other input methods
63
64 use std::env::VarError::*;
65 match std::env::var("PBS_ENCRYPTION_PASSWORD") {
66 Ok(p) => return Ok(p.as_bytes().to_vec()),
67 Err(NotUnicode(_)) => bail!("PBS_ENCRYPTION_PASSWORD contains bad characters"),
68 Err(NotPresent) => {
69 // Try another method
70 }
71 }
72
73 // If we're on a TTY, query the user for a password
74 if tty::stdin_isatty() {
75 return Ok(tty::read_password("Encryption Key Password: ")?);
76 }
77
78 bail!("no password input mechanism available");
79 }
80
81 #[api(
82 input: {
83 properties: {
84 kdf: {
85 type: Kdf,
86 optional: true,
87 },
88 path: {
89 description:
90 "Output file. Without this the key will become the new default encryption key.",
91 optional: true,
92 },
93 hint: {
94 schema: PASSWORD_HINT_SCHEMA,
95 optional: true,
96 },
97 },
98 },
99 )]
100 /// Create a new encryption key.
101 fn create(
102 kdf: Option<Kdf>,
103 path: Option<String>,
104 hint: Option<String>
105 ) -> Result<(), Error> {
106 let path = match path {
107 Some(path) => PathBuf::from(path),
108 None => {
109 let path = place_default_encryption_key()?;
110 println!("creating default key at: {:?}", path);
111 path
112 }
113 };
114
115 let kdf = kdf.unwrap_or_default();
116
117 let mut key = [0u8; 32];
118 proxmox::sys::linux::fill_with_random_data(&mut key)?;
119
120 match kdf {
121 Kdf::None => {
122 if hint.is_some() {
123 bail!("password hint not allowed for Kdf::None");
124 }
125
126 let key_config = KeyConfig::without_password(key)?;
127
128 key_config.store(path, false)?;
129 }
130 Kdf::Scrypt | Kdf::PBKDF2 => {
131 // always read passphrase from tty
132 if !tty::stdin_isatty() {
133 bail!("unable to read passphrase - no tty");
134 }
135
136 let password = tty::read_and_verify_password("Encryption Key Password: ")?;
137
138 let mut key_config = KeyConfig::with_key(&key, &password, kdf)?;
139 key_config.hint = hint;
140
141 key_config.store(&path, false)?;
142 }
143 }
144
145 Ok(())
146 }
147
148 #[api(
149 input: {
150 properties: {
151 "master-keyfile": {
152 description: "(Private) master key to use.",
153 },
154 "encrypted-keyfile": {
155 description: "RSA-encrypted keyfile to import.",
156 },
157 kdf: {
158 type: Kdf,
159 optional: true,
160 },
161 "path": {
162 description:
163 "Output file. Without this the key will become the new default encryption key.",
164 optional: true,
165 },
166 hint: {
167 schema: PASSWORD_HINT_SCHEMA,
168 optional: true,
169 },
170 },
171 },
172 )]
173 /// Import an encrypted backup of an encryption key using a (private) master key.
174 async fn import_with_master_key(
175 master_keyfile: String,
176 encrypted_keyfile: String,
177 kdf: Option<Kdf>,
178 path: Option<String>,
179 hint: Option<String>,
180 ) -> Result<(), Error> {
181 let path = match path {
182 Some(path) => PathBuf::from(path),
183 None => {
184 let path = place_default_encryption_key()?;
185 if path.exists() {
186 bail!("Please remove default encryption key at {:?} before importing to default location (or choose a non-default one).", path);
187 }
188 println!("Importing key to default location at: {:?}", path);
189 path
190 }
191 };
192
193 let encrypted_key = file_get_contents(&encrypted_keyfile)?;
194 let master_key = file_get_contents(&master_keyfile)?;
195 let password = tty::read_password("Master Key Password: ")?;
196
197 let master_key =
198 openssl::pkey::PKey::private_key_from_pem_passphrase(&master_key, &password)
199 .map_err(|err| format_err!("failed to read PEM-formatted private key - {}", err))?
200 .rsa()
201 .map_err(|err| format_err!("not a valid private RSA key - {}", err))?;
202
203 let (key, created, _fingerprint) =
204 rsa_decrypt_key_config(master_key, &encrypted_key, &get_encryption_key_password)?;
205
206 let kdf = kdf.unwrap_or_default();
207 match kdf {
208 Kdf::None => {
209 if hint.is_some() {
210 bail!("password hint not allowed for Kdf::None");
211 }
212
213 let mut key_config = KeyConfig::without_password(key)?;
214 key_config.created = created; // keep original value
215
216 key_config.store(path, true)?;
217
218 }
219 Kdf::Scrypt | Kdf::PBKDF2 => {
220 let password = tty::read_and_verify_password("New Password: ")?;
221
222 let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
223 new_key_config.created = created; // keep original value
224 new_key_config.hint = hint;
225
226 new_key_config.store(path, true)?;
227 }
228 }
229
230 Ok(())
231 }
232
233 #[api(
234 input: {
235 properties: {
236 kdf: {
237 type: Kdf,
238 optional: true,
239 },
240 path: {
241 description: "Key file. Without this the default key's password will be changed.",
242 optional: true,
243 },
244 hint: {
245 schema: PASSWORD_HINT_SCHEMA,
246 optional: true,
247 },
248 },
249 },
250 )]
251 /// Change the encryption key's password.
252 fn change_passphrase(
253 kdf: Option<Kdf>,
254 path: Option<String>,
255 hint: Option<String>,
256 ) -> Result<(), Error> {
257 let path = match path {
258 Some(path) => PathBuf::from(path),
259 None => {
260 let path = find_default_encryption_key()?
261 .ok_or_else(|| {
262 format_err!("no encryption file provided and no default file found")
263 })?;
264 println!("updating default key at: {:?}", path);
265 path
266 }
267 };
268
269 let kdf = kdf.unwrap_or_default();
270
271 if !tty::stdin_isatty() {
272 bail!("unable to change passphrase - no tty");
273 }
274
275 let key_config = KeyConfig::load(&path)?;
276 let (key, created, _fingerprint) = key_config.decrypt(&get_encryption_key_password)?;
277
278 match kdf {
279 Kdf::None => {
280 if hint.is_some() {
281 bail!("password hint not allowed for Kdf::None");
282 }
283
284 let mut key_config = KeyConfig::without_password(key)?;
285 key_config.created = created; // keep original value
286
287 key_config.store(&path, true)?;
288 }
289 Kdf::Scrypt | Kdf::PBKDF2 => {
290 let password = tty::read_and_verify_password("New Password: ")?;
291
292 let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
293 new_key_config.created = created; // keep original value
294 new_key_config.hint = hint;
295
296 new_key_config.store(&path, true)?;
297 }
298 }
299
300 Ok(())
301 }
302
303 #[api(
304 input: {
305 properties: {
306 path: {
307 description: "Key file. Without this the default key's metadata will be shown.",
308 optional: true,
309 },
310 "output-format": {
311 schema: OUTPUT_FORMAT,
312 optional: true,
313 },
314 },
315 },
316 )]
317 /// Print the encryption key's metadata.
318 fn show_key(
319 path: Option<String>,
320 param: Value,
321 ) -> Result<(), Error> {
322 let path = match path {
323 Some(path) => PathBuf::from(path),
324 None => {
325 let path = find_default_encryption_key()?
326 .ok_or_else(|| {
327 format_err!("no encryption file provided and no default file found")
328 })?;
329 path
330 }
331 };
332
333
334 let config: KeyConfig = serde_json::from_slice(&file_get_contents(path.clone())?)?;
335
336 let output_format = get_output_format(&param);
337
338 let mut info: KeyInfo = (&config).into();
339 info.path = Some(format!("{:?}", path));
340
341 let options = proxmox::api::cli::default_table_format_options()
342 .column(ColumnConfig::new("path"))
343 .column(ColumnConfig::new("kdf"))
344 .column(ColumnConfig::new("created").renderer(tools::format::render_epoch))
345 .column(ColumnConfig::new("modified").renderer(tools::format::render_epoch))
346 .column(ColumnConfig::new("fingerprint"))
347 .column(ColumnConfig::new("hint"));
348
349 let return_type = ReturnType::new(false, &KeyInfo::API_SCHEMA);
350
351 format_and_print_result_full(
352 &mut serde_json::to_value(info)?,
353 &return_type,
354 &output_format,
355 &options,
356 );
357
358 Ok(())
359 }
360
361 #[api(
362 input: {
363 properties: {
364 path: {
365 description: "Path to the PEM formatted RSA public key.",
366 },
367 },
368 },
369 )]
370 /// Import an RSA public key used to put an encrypted version of the symmetric backup encryption
371 /// key onto the backup server along with each backup.
372 fn import_master_pubkey(path: String) -> Result<(), Error> {
373 let pem_data = file_get_contents(&path)?;
374
375 if let Err(err) = openssl::pkey::PKey::public_key_from_pem(&pem_data) {
376 bail!("Unable to decode PEM data - {}", err);
377 }
378
379 let target_path = place_master_pubkey()?;
380
381 replace_file(&target_path, &pem_data, CreateOptions::new())?;
382
383 println!("Imported public master key to {:?}", target_path);
384
385 Ok(())
386 }
387
388 #[api]
389 /// Create an RSA public/private key pair used to put an encrypted version of the symmetric backup
390 /// encryption key onto the backup server along with each backup.
391 fn create_master_key() -> Result<(), Error> {
392 // we need a TTY to query the new password
393 if !tty::stdin_isatty() {
394 bail!("unable to create master key - no tty");
395 }
396
397 let rsa = openssl::rsa::Rsa::generate(4096)?;
398 let pkey = openssl::pkey::PKey::from_rsa(rsa)?;
399
400 let password = String::from_utf8(tty::read_and_verify_password("Master Key Password: ")?)?;
401
402 let pub_key: Vec<u8> = pkey.public_key_to_pem()?;
403 let filename_pub = "master-public.pem";
404 println!("Writing public master key to {}", filename_pub);
405 replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?;
406
407 let cipher = openssl::symm::Cipher::aes_256_cbc();
408 let priv_key: Vec<u8> = pkey.private_key_to_pem_pkcs8_passphrase(cipher, password.as_bytes())?;
409
410 let filename_priv = "master-private.pem";
411 println!("Writing private master key to {}", filename_priv);
412 replace_file(filename_priv, priv_key.as_slice(), CreateOptions::new())?;
413
414 Ok(())
415 }
416
417 #[api(
418 input: {
419 properties: {
420 path: {
421 description: "Key file. Without this the default key's will be used.",
422 optional: true,
423 },
424 subject: {
425 description: "Include the specified subject as titel text.",
426 optional: true,
427 },
428 "output-format": {
429 type: PaperkeyFormat,
430 optional: true,
431 },
432 },
433 },
434 )]
435 /// Generate a printable, human readable text file containing the encryption key.
436 ///
437 /// This also includes a scanable QR code for fast key restore.
438 fn paper_key(
439 path: Option<String>,
440 subject: Option<String>,
441 output_format: Option<PaperkeyFormat>,
442 ) -> Result<(), Error> {
443 let path = match path {
444 Some(path) => PathBuf::from(path),
445 None => {
446 let path = find_default_encryption_key()?
447 .ok_or_else(|| {
448 format_err!("no encryption file provided and no default file found")
449 })?;
450 path
451 }
452 };
453
454 let data = file_get_contents(&path)?;
455 let data = String::from_utf8(data)?;
456
457 generate_paper_key(std::io::stdout(), &data, subject, output_format)
458 }
459
460 pub fn cli() -> CliCommandMap {
461 let key_create_cmd_def = CliCommand::new(&API_METHOD_CREATE)
462 .arg_param(&["path"])
463 .completion_cb("path", tools::complete_file_name);
464
465 let key_import_with_master_key_cmd_def = CliCommand::new(&API_METHOD_IMPORT_WITH_MASTER_KEY)
466 .arg_param(&["master-keyfile"])
467 .completion_cb("master-keyfile", tools::complete_file_name)
468 .arg_param(&["encrypted-keyfile"])
469 .completion_cb("encrypted-keyfile", tools::complete_file_name)
470 .arg_param(&["path"])
471 .completion_cb("path", tools::complete_file_name);
472
473 let key_change_passphrase_cmd_def = CliCommand::new(&API_METHOD_CHANGE_PASSPHRASE)
474 .arg_param(&["path"])
475 .completion_cb("path", tools::complete_file_name);
476
477 let key_create_master_key_cmd_def = CliCommand::new(&API_METHOD_CREATE_MASTER_KEY);
478 let key_import_master_pubkey_cmd_def = CliCommand::new(&API_METHOD_IMPORT_MASTER_PUBKEY)
479 .arg_param(&["path"])
480 .completion_cb("path", tools::complete_file_name);
481
482 let key_show_cmd_def = CliCommand::new(&API_METHOD_SHOW_KEY)
483 .arg_param(&["path"])
484 .completion_cb("path", tools::complete_file_name);
485
486 let paper_key_cmd_def = CliCommand::new(&API_METHOD_PAPER_KEY)
487 .arg_param(&["path"])
488 .completion_cb("path", tools::complete_file_name);
489
490 CliCommandMap::new()
491 .insert("create", key_create_cmd_def)
492 .insert("import-with-master-key", key_import_with_master_key_cmd_def)
493 .insert("create-master-key", key_create_master_key_cmd_def)
494 .insert("import-master-pubkey", key_import_master_pubkey_cmd_def)
495 .insert("change-passphrase", key_change_passphrase_cmd_def)
496 .insert("show", key_show_cmd_def)
497 .insert("paperkey", paper_key_cmd_def)
498 }
Proxmox Backup Server and Client