}
}
+sub get_and_check_pbs_encryption_config {
+ my ($self) = @_;
+
+ my $opts = $self->{vzdump}->{opts};
+ my $scfg = $opts->{scfg};
+
+ my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage});
+ my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
+
+ if (-e $keyfile) {
+ if (-e $master_keyfile) {
+ $self->loginfo("enabling encryption with master key feature");
+ return ($keyfile, $master_keyfile);
+ } elsif ($scfg->{'master-pubkey'}) {
+ die "master public key configured but no key file found\n";
+ } else {
+ $self->loginfo("enabling encryption");
+ return ($keyfile, undef);
+ }
+ } else {
+ my $encryption_fp = $scfg->{'encryption-key'};
+ die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
+ if $encryption_fp;
+ if (-e $master_keyfile) {
+ $self->log(
+ 'warn',
+ "backup target storage is configured with master-key, but no encryption key set!"
+ ." Ignoring master key settings and creating unencrypted backup."
+ );
+ }
+ return (undef, undef);
+ }
+ die "internal error - unhandled case for getting & checking PBS encryption ($keyfile, $master_keyfile)!";
+}
+
sub archive_pbs {
my ($self, $task, $vmid) = @_;
my $fingerprint = $scfg->{fingerprint};
my $repo = PVE::PBSClient::get_repository($scfg);
my $password = PVE::Storage::PBSPlugin::pbs_get_password($scfg, $opts->{storage});
- my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage});
- my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
+ my ($keyfile, $master_keyfile) = $self->get_and_check_pbs_encryption_config();
my $diskcount = scalar(@{$task->{disks}});
- # proxmox-backup-client can only handle raw files and block devs
- # only use it (directly) for disk-less VMs
+ # proxmox-backup-client can only handle raw files and block devs, so only use it (directly) for
+ # disk-less VMs
if (!$diskcount) {
$self->loginfo("backup contains no disks");
if (defined(my $ns = $scfg->{namespace})) {
push @$cmd, '--ns', $ns;
}
- if (-e $keyfile) {
- $self->loginfo("enabling encryption");
+ if (defined($keyfile)) {
push @$cmd, '--keyfile', $keyfile;
- if (defined($master_keyfile)) {
- if (-e $master_keyfile) {
- $self->loginfo("enabling master key feature");
- push @$cmd, '--master-pubkey-file', $master_keyfile;
- } elsif ($scfg->{'master-pubkey'}) {
- die "master public key configured but no key file found\n";
- }
- }
- } else {
- my $encryption_fp = $scfg->{'encryption-key'};
- die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
- if $encryption_fp;
- $self->loginfo("WARNING: backup target is configured with master key, but this backup is not encrypted - master key settings will be ignored!")
- if defined($master_keyfile) && -e $master_keyfile;
+ push @$cmd, '--master-pubkey-file', $master_keyfile if defined($master_keyfile);
}
push @$cmd, "qemu-server.conf:$conffile";
}
}
- if (!defined($qemu_support->{"pbs-masterkey"}) && -e $master_keyfile) {
- $self->loginfo("WARNING: backup target is configured with master key, but running QEMU version does not support master keys.");
- $self->loginfo("Please make sure you've installed the latest version and the VM has been restarted to use master key feature.");
- $master_keyfile = undef; # skip rest of master key handling below
- }
+ # pve-qemu supports it since 5.2.0-1 (PVE 6.4), so safe to die since PVE 8
+ die "master key configured but running QEMU version does not support master keys\n"
+ if !defined($qemu_support->{'pbs-masterkey'}) && defined($master_keyfile);
$attach_tpmstate_drive->($self, $task, $vmid);
$params->{fingerprint} = $fingerprint if defined($fingerprint);
$params->{'firewall-file'} = $firewall if -e $firewall;
- if (-e $keyfile) {
- $self->loginfo("enabling encryption");
+
+ $params->{encrypt} = defined($keyfile) ? JSON::true : JSON::false;
+ if (defined($keyfile)) {
$params->{keyfile} = $keyfile;
- $params->{encrypt} = JSON::true;
- if (defined($master_keyfile)) {
- if (-e $master_keyfile) {
- $self->loginfo("enabling master key feature");
- $params->{"master-keyfile"} = $master_keyfile;
- } elsif ($scfg->{'master-pubkey'}) {
- die "master public key configured but no key file found\n";
- }
- }
- } else {
- my $encryption_fp = $scfg->{'encryption-key'};
- die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
- if $encryption_fp;
- $self->loginfo("WARNING: backup target is configured with master key, but this backup is not encrypted - master key settings will be ignored!")
- if defined($master_keyfile) && -e $master_keyfile;
- $params->{encrypt} = JSON::false;
+ $params->{"master-keyfile"} = $master_keyfile if defined($master_keyfile);
}
my $is_template = PVE::QemuConfig->is_template($self->{vmlist}->{$vmid});
projects / qemu-server.git / blobdiff