]> git.proxmox.com Git - qemu-server.git/blobdiff - PVE/VZDump/QemuServer.pm
projects / qemu-server.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
vzdump: pbs: factor out getting and checking encryption keys
[qemu-server.git] / PVE / VZDump / QemuServer.pm
diff --git a/PVE/VZDump/QemuServer.pm b/PVE/VZDump/QemuServer.pm
index d0d9240b8dd41e3020200bedb94cc76e7b597be3..b38d7e741d32b655dcc17f75deac704776859531 100644 (file)
--- a/PVE/VZDump/QemuServer.pm
+++ b/PVE/VZDump/QemuServer.pm
@@ -489,6 +489,41 @@ my sub add_backup_performance_options {
     }
 }
 
+sub get_and_check_pbs_encryption_config {
+    my ($self) = @_;
+
+    my $opts = $self->{vzdump}->{opts};
+    my $scfg = $opts->{scfg};
+
+    my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage});
+    my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
+
+    if (-e $keyfile) {
+       if (-e $master_keyfile) {
+           $self->loginfo("enabling encryption with master key feature");
+           return ($keyfile, $master_keyfile);
+       } elsif ($scfg->{'master-pubkey'}) {
+           die "master public key configured but no key file found\n";
+       } else {
+           $self->loginfo("enabling encryption");
+           return ($keyfile, undef);
+       }
+    } else {
+       my $encryption_fp = $scfg->{'encryption-key'};
+       die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
+           if $encryption_fp;
+       if (-e $master_keyfile) {
+           $self->log(
+               'warn',
+               "backup target storage is configured with master-key, but no encryption key set!"
+               ." Ignoring master key settings and creating unencrypted backup."
+           );
+       }
+       return (undef, undef);
+    }
+    die "internal error - unhandled case for getting & checking PBS encryption ($keyfile, $master_keyfile)!";
+}
+
 sub archive_pbs {
     my ($self, $task, $vmid) = @_;
 
@@ -503,8 +538,7 @@ sub archive_pbs {
     my $fingerprint = $scfg->{fingerprint};
     my $repo = PVE::PBSClient::get_repository($scfg);
     my $password = PVE::Storage::PBSPlugin::pbs_get_password($scfg, $opts->{storage});
-    my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage});
-    my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
+    my ($keyfile, $master_keyfile) = $self->get_and_check_pbs_encryption_config();
 
     my $diskcount = scalar(@{$task->{disks}});
     # proxmox-backup-client can only handle raw files and block devs, so only use it (directly) for
@@ -525,28 +559,9 @@ sub archive_pbs {
        if (defined(my $ns = $scfg->{namespace})) {
            push @$cmd, '--ns', $ns;
        }
-       if (-e $keyfile) {
+       if (defined($keyfile)) {
            push @$cmd, '--keyfile', $keyfile;
-           if (-e $master_keyfile) {
-               $self->loginfo("enabling encryption with master key feature");
-               push @$cmd, '--master-pubkey-file', $master_keyfile;
-           } elsif ($scfg->{'master-pubkey'}) {
-               die "master public key configured but no key file found\n";
-           } else {
-               $self->loginfo("enabling client-side encryption");
-           }
-       } else {
-           my $encryption_fp = $scfg->{'encryption-key'};
-           die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
-               if $encryption_fp;
-
-           if (-e $master_keyfile) {
-               $self->log(
-                   'warn',
-                   "backup target storage is configured with master-key, but no encryption key set!"
-                   ." Ignoring master key settings and creating unencrypted backup."
-               );
-           }
+           push @$cmd, '--master-pubkey-file', $master_keyfile if defined($master_keyfile);
        }
 
        push @$cmd, "qemu-server.conf:$conffile";
@@ -586,7 +601,7 @@ sub archive_pbs {
 
        # pve-qemu supports it since 5.2.0-1 (PVE 6.4), so safe to die since PVE 8
        die "master key configured but running QEMU version does not support master keys\n"
-           if !defined($qemu_support->{'pbs-masterkey'}) && -e $master_keyfile;
+           if !defined($qemu_support->{'pbs-masterkey'}) && defined($master_keyfile);
 
        $attach_tpmstate_drive->($self, $task, $vmid);
 
@@ -610,29 +625,11 @@ sub archive_pbs {
 
        $params->{fingerprint} = $fingerprint if defined($fingerprint);
        $params->{'firewall-file'} = $firewall if -e $firewall;
-       if (-e $keyfile) {
+
+       $params->{encrypt} = defined($keyfile) ? JSON::true : JSON::false;
+       if (defined($keyfile)) {
            $params->{keyfile} = $keyfile;
-           $params->{encrypt} = JSON::true;
-           if (-e $master_keyfile) {
-               $self->loginfo("enabling encryption with master key feature");
-               $params->{"master-keyfile"} = $master_keyfile;
-           } elsif ($scfg->{'master-pubkey'}) {
-               die "master public key configured but no key file found\n";
-           } else {
-               $self->loginfo("enabling encryption");
-           }
-       } else {
-           my $encryption_fp = $scfg->{'encryption-key'};
-           die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
-               if $encryption_fp;
-           if (-e $master_keyfile) {
-               $self->log(
-                   'warn',
-                   "backup target storage is configured with master-key, but no encryption key set!"
-                   ." Ignoring master key settings and creating unencrypted backup."
-               );
-           }
-           $params->{encrypt} = JSON::false;
+           $params->{"master-keyfile"} = $master_keyfile if defined($master_keyfile);
        }
 
        my $is_template = PVE::QemuConfig->is_template($self->{vmlist}->{$vmid});
Virtual Machine Manager