libc.workspace = true
log.workspace = true
nix.workspace = true
+openssl.workspace = true
regex.workspace = true
serde.workspace = true
serde_json.workspace = true
pub use encryption::{drive_set_encryption, has_encryption};
mod volume_statistics;
+use proxmox_uuid::Uuid;
pub use volume_statistics::*;
mod tape_alert_flags;
read_volume_statistics(&mut self.file)
}
- pub fn set_encryption(&mut self, key: Option<[u8; 32]>) -> Result<(), Error> {
+ pub fn set_encryption(&mut self, key_data: Option<([u8; 32], Uuid)>) -> Result<(), Error> {
+ let key = if let Some((ref key, ref uuid)) = key_data {
+ // derive specialized key for each media-set
+
+ let mut tape_key = [0u8; 32];
+
+ let uuid_bytes: [u8; 16] = *uuid.as_bytes();
+
+ openssl::pkcs5::pbkdf2_hmac(
+ key,
+ &uuid_bytes,
+ 10,
+ openssl::hash::MessageDigest::sha256(),
+ &mut tape_key,
+ )?;
+
+ Some(tape_key)
+ } else {
+ None
+ };
self.encryption_key_loaded = key.is_some();
drive_set_encryption(&mut self.file, key)
key_fingerprint: Option<(Fingerprint, Uuid)>,
) -> Result<(), Error> {
if nix::unistd::Uid::effective().is_root() {
- if let Some((ref key_fingerprint, ref uuid)) = key_fingerprint {
- let (key_map, _digest) = crate::tape::encryption_keys::load_keys()?;
- match key_map.get(key_fingerprint) {
- Some(item) => {
- // derive specialized key for each media-set
-
- let mut tape_key = [0u8; 32];
-
- let uuid_bytes: [u8; 16] = *uuid.as_bytes();
-
- openssl::pkcs5::pbkdf2_hmac(
- &item.key,
- &uuid_bytes,
- 10,
- openssl::hash::MessageDigest::sha256(),
- &mut tape_key,
- )?;
-
- return self.sg_tape.set_encryption(Some(tape_key));
- }
- None => bail!("unknown tape encryption key '{}'", key_fingerprint),
- }
+ let key_data = if let Some((ref key_fingerprint, ref uuid)) = key_fingerprint {
+ let key = crate::tape::encryption_keys::load_key(key_fingerprint)?;
+ Some((key, uuid.clone()))
} else {
- return self.sg_tape.set_encryption(None);
- }
+ None
+ };
+ return self.sg_tape.set_encryption(key_data);
}
let output = if let Some((fingerprint, uuid)) = key_fingerprint {
use std::collections::HashMap;
-use anyhow::{bail, Error};
+use anyhow::{bail, format_err, Error};
use serde::{Deserialize, Serialize};
use proxmox_sys::fs::file_read_optional_string;
Ok((map, digest))
}
+pub fn load_key(fingerprint: &Fingerprint) -> Result<[u8; 32], Error> {
+ let (key_map, _digest) = crate::tape::encryption_keys::load_keys()?;
+ key_map
+ .get(fingerprint)
+ .map(|data| data.key)
+ .ok_or_else(|| format_err!("unknown tape encryption key '{fingerprint}'"))
+}
+
/// Load tape encryption key configurations (password protected keys)
pub fn load_key_configs() -> Result<(HashMap<Fingerprint, KeyConfig>, [u8; 32]), Error> {
let content = file_read_optional_string(TAPE_KEY_CONFIG_FILENAME)?;