use proxmox_backup::backup::{
archive_type,
decrypt_key,
+ rsa_encrypt_key_config,
verify_chunk_size,
ArchiveType,
AsyncReadChunk,
CryptConfig,
CryptMode,
DynamicIndexReader,
+ ENCRYPTED_KEY_BLOB_NAME,
FixedChunkStream,
FixedIndexReader,
+ KeyConfig,
IndexFile,
MANIFEST_BLOB_NAME,
Shell,
(None, None) => None,
(Some(_), Some(_)) => bail!("--keyfile and --keyfd are mutually exclusive"),
(Some(keyfile), None) => {
- println!("Using encryption key file: {}", keyfile);
+ eprintln!("Using encryption key file: {}", keyfile);
Some(file_get_contents(keyfile)?)
},
(None, Some(fd)) => {
.map_err(|err| {
format_err!("error reading encryption key from fd {}: {}", fd, err)
})?;
- println!("Using encryption key from file descriptor");
+ eprintln!("Using encryption key from file descriptor");
Some(data)
}
};
// no parameters:
(None, None) => match key::read_optional_default_encryption_key()? {
Some(key) => {
- println!("Encrypting with default encryption key!");
+ eprintln!("Encrypting with default encryption key!");
(Some(key), CryptMode::Encrypt)
},
None => (None, CryptMode::None),
(None, Some(crypt_mode)) => match key::read_optional_default_encryption_key()? {
None => bail!("--crypt-mode without --keyfile and no default key file available"),
Some(key) => {
- println!("Encrypting with default encryption key!");
+ eprintln!("Encrypting with default encryption key!");
(Some(key), crypt_mode)
},
}
let (key, created, fingerprint) = decrypt_key(&key, &key::get_encryption_key_password)?;
println!("Encryption key fingerprint: {}", fingerprint);
- let crypt_config = CryptConfig::new(key)?;
+ let crypt_config = CryptConfig::new(key.clone())?;
match key::find_master_pubkey()? {
Some(ref path) if path.exists() => {
let pem_data = file_get_contents(path)?;
let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?;
- let enc_key = crypt_config.generate_rsa_encoded_key(rsa, created)?;
+ let key_config = KeyConfig {
+ kdf: None,
+ created,
+ modified: proxmox::tools::time::epoch_i64(),
+ data: key.to_vec(),
+ fingerprint: Some(fingerprint),
+ };
+ let enc_key = rsa_encrypt_key_config(rsa, &key_config)?;
println!("Master key '{:?}'", path);
(Some(Arc::new(crypt_config)), Some(enc_key))
}
if let Some(rsa_encrypted_key) = rsa_encrypted_key {
- let target = "rsa-encrypted.key.blob";
+ let target = ENCRYPTED_KEY_BLOB_NAME;
println!("Upload RSA encoded key to '{:?}' as {}", repo, target);
let stats = client
.upload_blob_from_data(rsa_encrypted_key, target, false, false)
.await?;
manifest.add_file(target.to_string(), stats.size, stats.csum, crypt_mode)?;
- // openssl rsautl -decrypt -inkey master-private.pem -in rsa-encrypted.key -out t
- /*
- let mut buffer2 = vec![0u8; rsa.size() as usize];
- let pem_data = file_get_contents("master-private.pem")?;
- let rsa = openssl::rsa::Rsa::private_key_from_pem(&pem_data)?;
- let len = rsa.private_decrypt(&buffer, &mut buffer2, openssl::rsa::Padding::PKCS1)?;
- println!("TEST {} {:?}", len, buffer2);
- */
}
// create manifest (index.json)
// manifests are never encrypted, but include a signature
None => None,
Some(key) => {
let (key, _, fingerprint) = decrypt_key(&key, &key::get_encryption_key_password)?;
- println!("Encryption key fingerprint: '{}'", fingerprint);
+ eprintln!("Encryption key fingerprint: '{}'", fingerprint);
Some(Arc::new(CryptConfig::new(key)?))
}
};
true,
).await?;
+ let (archive_name, archive_type) = parse_archive_type(archive_name);
+
let (manifest, backup_index_data) = client.download_manifest().await?;
- manifest.check_fingerprint(crypt_config.as_ref().map(Arc::as_ref))?;
- let (archive_name, archive_type) = parse_archive_type(archive_name);
+ if archive_name == ENCRYPTED_KEY_BLOB_NAME && crypt_config.is_none() {
+ eprintln!("Restoring encrypted key blob without original key - skipping manifest fingerprint check!")
+ } else {
+ manifest.check_fingerprint(crypt_config.as_ref().map(Arc::as_ref))?;
+ }
if archive_name == MANIFEST_BLOB_NAME {
if let Some(target) = target {