2021-01-19 11:35:15 +00:00
|
|
|
use std::collections::HashMap;
|
2021-01-18 06:16:06 +00:00
|
|
|
|
|
|
|
use anyhow::{bail, Error};
|
|
|
|
use serde::{Deserialize, Serialize};
|
|
|
|
|
|
|
|
use proxmox::tools::fs::{
|
|
|
|
file_read_optional_string,
|
|
|
|
replace_file,
|
2021-01-19 05:19:18 +00:00
|
|
|
open_file_locked,
|
2021-01-18 06:16:06 +00:00
|
|
|
CreateOptions,
|
|
|
|
};
|
|
|
|
|
|
|
|
use crate::{
|
|
|
|
backup::{
|
|
|
|
Fingerprint,
|
2021-01-19 05:19:18 +00:00
|
|
|
KeyConfig,
|
2021-01-18 06:16:06 +00:00
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
mod hex_key {
|
|
|
|
use serde::{self, Deserialize, Serializer, Deserializer};
|
|
|
|
|
|
|
|
pub fn serialize<S>(
|
|
|
|
csum: &[u8; 32],
|
|
|
|
serializer: S,
|
|
|
|
) -> Result<S::Ok, S::Error>
|
|
|
|
where
|
|
|
|
S: Serializer,
|
|
|
|
{
|
|
|
|
let s = proxmox::tools::digest_to_hex(csum);
|
|
|
|
serializer.serialize_str(&s)
|
|
|
|
}
|
|
|
|
|
|
|
|
pub fn deserialize<'de, D>(
|
|
|
|
deserializer: D,
|
|
|
|
) -> Result<[u8; 32], D::Error>
|
|
|
|
where
|
|
|
|
D: Deserializer<'de>,
|
|
|
|
{
|
|
|
|
let s = String::deserialize(deserializer)?;
|
|
|
|
proxmox::tools::hex_to_digest(&s).map_err(serde::de::Error::custom)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-21 06:23:51 +00:00
|
|
|
/// Store Hardware Encryption keys (plain, unprotected keys)
|
2021-01-18 06:16:06 +00:00
|
|
|
#[derive(Deserialize, Serialize)]
|
|
|
|
pub struct EncryptionKeyInfo {
|
2021-01-19 05:19:18 +00:00
|
|
|
pub fingerprint: Fingerprint,
|
2021-01-18 06:16:06 +00:00
|
|
|
#[serde(with = "hex_key")]
|
|
|
|
pub key: [u8; 32],
|
2021-01-19 05:19:18 +00:00
|
|
|
}
|
|
|
|
|
2021-01-18 06:16:06 +00:00
|
|
|
impl EncryptionKeyInfo {
|
2021-01-19 05:19:18 +00:00
|
|
|
pub fn new(key: [u8; 32], fingerprint: Fingerprint) -> Self {
|
|
|
|
Self { fingerprint, key }
|
|
|
|
}
|
|
|
|
}
|
2021-01-18 06:16:06 +00:00
|
|
|
|
|
|
|
pub const TAPE_KEYS_FILENAME: &str = "/etc/proxmox-backup/tape-encryption-keys.json";
|
2021-01-19 05:19:18 +00:00
|
|
|
pub const TAPE_KEY_CONFIG_FILENAME: &str = "/etc/proxmox-backup/tape-encryption-key-config.json";
|
2021-01-18 06:16:06 +00:00
|
|
|
pub const TAPE_KEYS_LOCKFILE: &str = "/etc/proxmox-backup/.tape-encryption-keys.lck";
|
|
|
|
|
2021-01-21 06:23:51 +00:00
|
|
|
/// Load tape encryption keys (plain, unprotected keys)
|
2021-01-18 06:16:06 +00:00
|
|
|
pub fn load_keys() -> Result<(HashMap<Fingerprint, EncryptionKeyInfo>, [u8;32]), Error> {
|
|
|
|
|
|
|
|
let content = file_read_optional_string(TAPE_KEYS_FILENAME)?;
|
|
|
|
let content = content.unwrap_or_else(|| String::from("[]"));
|
|
|
|
|
|
|
|
let digest = openssl::sha::sha256(content.as_bytes());
|
|
|
|
|
2021-01-19 05:19:18 +00:00
|
|
|
let key_list: Vec<EncryptionKeyInfo> = serde_json::from_str(&content)?;
|
2021-01-18 06:16:06 +00:00
|
|
|
|
|
|
|
let mut map = HashMap::new();
|
2021-01-19 05:19:18 +00:00
|
|
|
|
|
|
|
for item in key_list {
|
2021-01-21 10:56:54 +00:00
|
|
|
let key_config = KeyConfig::without_password(item.key)?; // to compute fingerprint
|
|
|
|
let expected_fingerprint = key_config.fingerprint.unwrap();
|
2021-01-18 06:16:06 +00:00
|
|
|
if item.fingerprint != expected_fingerprint {
|
|
|
|
bail!(
|
|
|
|
"inconsistent fingerprint ({} != {})",
|
|
|
|
item.fingerprint,
|
|
|
|
expected_fingerprint,
|
|
|
|
);
|
|
|
|
}
|
2021-01-19 05:19:18 +00:00
|
|
|
|
|
|
|
if map.insert(item.fingerprint.clone(), item).is_some() {
|
|
|
|
bail!("found duplicate fingerprint");
|
|
|
|
}
|
2021-01-18 06:16:06 +00:00
|
|
|
}
|
2021-01-19 05:19:18 +00:00
|
|
|
|
|
|
|
Ok((map, digest))
|
|
|
|
}
|
|
|
|
|
2021-01-21 06:23:51 +00:00
|
|
|
/// Load tape encryption key configurations (password protected keys)
|
2021-01-19 11:35:15 +00:00
|
|
|
pub fn load_key_configs() -> Result<(HashMap<Fingerprint, KeyConfig>, [u8;32]), Error> {
|
2021-01-19 05:19:18 +00:00
|
|
|
|
|
|
|
let content = file_read_optional_string(TAPE_KEY_CONFIG_FILENAME)?;
|
|
|
|
let content = content.unwrap_or_else(|| String::from("[]"));
|
|
|
|
|
|
|
|
let digest = openssl::sha::sha256(content.as_bytes());
|
|
|
|
|
2021-01-19 11:35:15 +00:00
|
|
|
let key_list: Vec<KeyConfig> = serde_json::from_str(&content)?;
|
2021-01-19 05:19:18 +00:00
|
|
|
|
|
|
|
let mut map = HashMap::new();
|
|
|
|
|
2021-01-19 11:35:15 +00:00
|
|
|
for key_config in key_list {
|
|
|
|
match key_config.fingerprint {
|
2021-01-19 05:19:18 +00:00
|
|
|
Some(ref fingerprint) => {
|
2021-01-19 11:35:15 +00:00
|
|
|
if map.insert(fingerprint.clone(), key_config).is_some() {
|
2021-01-19 05:19:18 +00:00
|
|
|
bail!("found duplicate fingerprint");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
None => bail!("missing fingerprint"),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-18 06:16:06 +00:00
|
|
|
Ok((map, digest))
|
|
|
|
}
|
|
|
|
|
|
|
|
pub fn save_keys(map: HashMap<Fingerprint, EncryptionKeyInfo>) -> Result<(), Error> {
|
|
|
|
|
|
|
|
let mut list = Vec::new();
|
|
|
|
|
|
|
|
for (_fp, item) in map {
|
|
|
|
list.push(item);
|
|
|
|
}
|
|
|
|
|
|
|
|
let raw = serde_json::to_string_pretty(&list)?;
|
2021-01-19 05:19:18 +00:00
|
|
|
|
2021-01-18 06:16:06 +00:00
|
|
|
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
|
|
|
|
// set the correct owner/group/permissions while saving file
|
|
|
|
// owner(rw) = root, group(r)= root
|
|
|
|
let options = CreateOptions::new()
|
|
|
|
.perm(mode)
|
|
|
|
.owner(nix::unistd::ROOT)
|
|
|
|
.group(nix::unistd::Gid::from_raw(0));
|
|
|
|
|
|
|
|
replace_file(TAPE_KEYS_FILENAME, raw.as_bytes(), options)?;
|
2021-01-19 05:19:18 +00:00
|
|
|
|
2021-01-18 06:16:06 +00:00
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2021-01-19 11:35:15 +00:00
|
|
|
pub fn save_key_configs(map: HashMap<Fingerprint, KeyConfig>) -> Result<(), Error> {
|
2021-01-19 05:19:18 +00:00
|
|
|
|
|
|
|
let mut list = Vec::new();
|
|
|
|
|
|
|
|
for (_fp, item) in map {
|
|
|
|
list.push(item);
|
|
|
|
}
|
|
|
|
|
|
|
|
let raw = serde_json::to_string_pretty(&list)?;
|
|
|
|
|
|
|
|
let backup_user = crate::backup::backup_user()?;
|
2021-01-21 06:27:43 +00:00
|
|
|
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0640);
|
2021-01-19 05:19:18 +00:00
|
|
|
// set the correct owner/group/permissions while saving file
|
|
|
|
// owner(rw) = root, group(r)= backup
|
|
|
|
let options = CreateOptions::new()
|
|
|
|
.perm(mode)
|
|
|
|
.owner(nix::unistd::ROOT)
|
|
|
|
.group(backup_user.gid);
|
|
|
|
|
|
|
|
replace_file(TAPE_KEY_CONFIG_FILENAME, raw.as_bytes(), options)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2021-01-21 06:46:21 +00:00
|
|
|
pub fn insert_key(key: [u8;32], key_config: KeyConfig, force: bool) -> Result<(), Error> {
|
2021-01-19 05:19:18 +00:00
|
|
|
|
|
|
|
let _lock = open_file_locked(
|
|
|
|
TAPE_KEYS_LOCKFILE,
|
|
|
|
std::time::Duration::new(10, 0),
|
|
|
|
true,
|
|
|
|
)?;
|
|
|
|
|
|
|
|
let (mut key_map, _) = load_keys()?;
|
|
|
|
let (mut config_map, _) = load_key_configs()?;
|
|
|
|
|
|
|
|
let fingerprint = match key_config.fingerprint.clone() {
|
|
|
|
Some(fingerprint) => fingerprint,
|
|
|
|
None => bail!("missing encryption key fingerprint - internal error"),
|
|
|
|
};
|
|
|
|
|
2021-01-21 06:46:21 +00:00
|
|
|
if !force {
|
2021-01-21 09:56:52 +00:00
|
|
|
if config_map.get(&fingerprint).is_some() {
|
2021-01-21 06:46:21 +00:00
|
|
|
bail!("encryption key '{}' already exists.", fingerprint);
|
|
|
|
}
|
2021-01-19 05:19:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
let item = EncryptionKeyInfo::new(key, fingerprint.clone());
|
|
|
|
key_map.insert(fingerprint.clone(), item);
|
|
|
|
save_keys(key_map)?;
|
|
|
|
|
2021-01-19 11:35:15 +00:00
|
|
|
config_map.insert(fingerprint.clone(), key_config);
|
2021-01-19 05:19:18 +00:00
|
|
|
save_key_configs(config_map)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2021-01-18 06:16:06 +00:00
|
|
|
// shell completion helper
|
|
|
|
pub fn complete_key_fingerprint(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
|
2021-01-19 05:19:18 +00:00
|
|
|
let data = match load_key_configs() {
|
2021-01-18 06:16:06 +00:00
|
|
|
Ok((data, _digest)) => data,
|
|
|
|
Err(_) => return Vec::new(),
|
|
|
|
};
|
|
|
|
|
|
|
|
data.keys().map(|fp| crate::tools::format::as_fingerprint(fp.bytes())).collect()
|
|
|
|
}
|