tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
b676dbce78
proxmox-backup/src/bin/proxmox_tape/encryption_key.rs

349 lines
10 KiB
Rust
Raw Normal View History

fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank <m.frank@proxmox.com>
2022-03-24 11:49:30 +00:00
use anyhow::{bail, format_err, Error};
tape: add hardware encryption key managenent api
2021-01-18 06:16:06 +00:00
use serde_json::Value;
update to first proxmox crate split Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-10-08 09:19:37 +00:00
use proxmox_router::{cli::*, ApiHandler, RpcEnvironment};
fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank <m.frank@proxmox.com>
2022-03-24 11:49:30 +00:00
use proxmox_schema::{api, param_bail};
update to proxmox-sys 0.2 crate - imported pbs-api-types/src/common_regex.rs from old proxmox crate - use hex crate to generate/parse hex digest - remove all reference to proxmox crate (use proxmox-sys and proxmox-serde instead) Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2021-11-23 16:57:00 +00:00
use proxmox_sys::linux::tty;
tape: add hardware encryption key managenent api
2021-01-18 06:16:06 +00:00
move tape_encryption_keys.rs to pbs_config workspace
2021-09-07 08:37:08 +00:00
use pbs_api_types::{
Fingerprint, Kdf, DRIVE_NAME_SCHEMA, TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
PASSWORD_HINT_SCHEMA,
};
move remaining client tools to pbs-tools/datastore pbs-datastore now ended up depending on tokio after all, but that's fine for now for the fuse code I added pbs-fuse-loop (has the old fuse_loop and its 'loopdev' module) ultimately only binaries should depend on this to avoid the library link the only thins remaining to move out the client binary are the api method return types, those will need to be moved to pbs-api-types... Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-07-21 12:12:22 +00:00
use pbs_datastore::paperkey::{PaperkeyFormat, generate_paper_key};
move tape_encryption_keys.rs to pbs_config workspace
2021-09-07 08:37:08 +00:00
use pbs_config::tape_encryption_keys::{load_key_configs,complete_key_fingerprint};
fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank <m.frank@proxmox.com>
2022-03-24 11:49:30 +00:00
use pbs_config::key_config::KeyConfig;
add pbs-api-types subcrate, move key_derivation move key_derivation to pbs-datastore pbs-api-types should only contain "basic" types which * are usually required by clients * don't depend on pbs-related code directly Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-07-07 07:04:09 +00:00
move tape_encryption_keys.rs to pbs_config workspace
2021-09-07 08:37:08 +00:00
use proxmox_backup::api2;
tape: add hardware encryption key managenent api
2021-01-18 06:16:06 +00:00
pub fn encryption_key_commands() -> CommandLineInterface {
let cmd_def = CliCommandMap::new()
.insert("list", CliCommand::new(&API_METHOD_LIST_KEYS))
.insert(
"create",
tape: generate random encryptions keys and store key_config on media
2021-01-19 05:19:18 +00:00
CliCommand::new(&API_METHOD_CREATE_KEY)
)
tape: implement change-passphrase for tape encryption keys
2021-01-20 07:25:42 +00:00
.insert(
"change-passphrase",
CliCommand::new(&API_METHOD_CHANGE_PASSPHRASE)
.arg_param(&["fingerprint"])
.completion_cb("fingerprint", complete_key_fingerprint)
)
tape: implemenmt show key Moved API types Kdf and KeyInfo to src/api2/types/mod.rs.
2021-01-20 09:20:41 +00:00
.insert(
"show",
CliCommand::new(&API_METHOD_SHOW_KEY)
.arg_param(&["fingerprint"])
.completion_cb("fingerprint", complete_key_fingerprint)
)
tape: implement paperkey command for tape encryption keys
2021-01-22 08:56:14 +00:00
.insert(
"paperkey",
CliCommand::new(&API_METHOD_PAPER_KEY)
.arg_param(&["fingerprint"])
.completion_cb("fingerprint", complete_key_fingerprint)
)
tape: generate random encryptions keys and store key_config on media
2021-01-19 05:19:18 +00:00
.insert(
"restore",
CliCommand::new(&API_METHOD_RESTORE_KEY)
tape: add hardware encryption key managenent api
2021-01-18 06:16:06 +00:00
)
.insert(
"remove",
CliCommand::new(&api2::config::tape_encryption_keys::API_METHOD_DELETE_KEY)
.arg_param(&["fingerprint"])
.completion_cb("fingerprint", complete_key_fingerprint)
)
;
cmd_def.into()
}
tape: implement paperkey command for tape encryption keys
2021-01-22 08:56:14 +00:00
#[api(
input: {
properties: {
fingerprint: {
schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
},
subject: {
typo fixes all over the place found and semi-manually replaced by using: codespell -L mut -L crate -i 3 -w Mostly in comments, but also email notification and two occurrences of misspelled 'reserved' struct member, which where not used and cargo build did not complain about the change, soo ... Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-03-10 15:37:09 +00:00
description: "Include the specified subject as title text.",
tape: implement paperkey command for tape encryption keys
2021-01-22 08:56:14 +00:00
optional: true,
},
"output-format": {
type: PaperkeyFormat,
optional: true,
},
},
},
)]
/// Generate a printable, human readable text file containing the encryption key.
///
/// This also includes a scanable QR code for fast key restore.
fn paper_key(
fingerprint: Fingerprint,
subject: Option<String>,
output_format: Option<PaperkeyFormat>,
) -> Result<(), Error> {
let (config_map, _digest) = load_key_configs()?;
let key_config = match config_map.get(&fingerprint) {
Some(key_config) => key_config,
None => bail!("tape encryption key '{}' does not exist.", fingerprint),
};
let data: String = serde_json::to_string_pretty(&key_config)?;
generate_paper_key(std::io::stdout(), &data, subject, output_format)
}
tape: implemenmt show key Moved API types Kdf and KeyInfo to src/api2/types/mod.rs.
2021-01-20 09:20:41 +00:00
#[api(
input: {
properties: {
fingerprint: {
schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
},
"output-format": {
schema: OUTPUT_FORMAT,
optional: true,
},
},
},
)]
typo fixes all over the place found and semi-manually replaced by using: codespell -L mut -L crate -i 3 -w Mostly in comments, but also email notification and two occurrences of misspelled 'reserved' struct member, which where not used and cargo build did not complain about the change, soo ... Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-03-10 15:37:09 +00:00
/// Print the encryption key's metadata.
tape: implemenmt show key Moved API types Kdf and KeyInfo to src/api2/types/mod.rs.
2021-01-20 09:20:41 +00:00
fn show_key(
param: Value,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
let output_format = get_output_format(&param);
let info = &api2::config::tape_encryption_keys::API_METHOD_READ_KEY;
let mut data = match info.handler {
ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
_ => unreachable!(),
};
update to first proxmox crate split Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-10-08 09:19:37 +00:00
let options = proxmox_router::cli::default_table_format_options()
tape: implemenmt show key Moved API types Kdf and KeyInfo to src/api2/types/mod.rs.
2021-01-20 09:20:41 +00:00
.column(ColumnConfig::new("kdf"))
add pbs-tools subcrate Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-07-06 11:26:35 +00:00
.column(ColumnConfig::new("created").renderer(pbs_tools::format::render_epoch))
.column(ColumnConfig::new("modified").renderer(pbs_tools::format::render_epoch))
tape: implemenmt show key Moved API types Kdf and KeyInfo to src/api2/types/mod.rs.
2021-01-20 09:20:41 +00:00
.column(ColumnConfig::new("fingerprint"))
.column(ColumnConfig::new("hint"));
format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
Ok(())
}
tape: implement change-passphrase for tape encryption keys
2021-01-20 07:25:42 +00:00
#[api(
input: {
properties: {
kdf: {
type: Kdf,
optional: true,
},
fingerprint: {
schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
},
hint: {
schema: PASSWORD_HINT_SCHEMA,
},
fix #3853: tape cli: add force flag to key change-passphrase Adds the '--force' flag to the proxmox-tape command allowing users with root privileges to overwrite the passphrase of a given key. Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2022-02-10 14:23:25 +00:00
force: {
optional: true,
type: bool,
description: "Reset the passphrase for a tape key, without asking for the old one.",
default: false,
},
tape: implement change-passphrase for tape encryption keys
2021-01-20 07:25:42 +00:00
},
},
)]
/// Change the encryption key's password.
fn change_passphrase(
fix #3853: tape cli: add force flag to key change-passphrase Adds the '--force' flag to the proxmox-tape command allowing users with root privileges to overwrite the passphrase of a given key. Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2022-02-10 14:23:25 +00:00
force: bool,
tape: implement change-passphrase for tape encryption keys
2021-01-20 07:25:42 +00:00
mut param: Value,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
if !tty::stdin_isatty() {
bail!("unable to change passphrase - no tty");
}
fix #3853: tape cli: add force flag to key change-passphrase Adds the '--force' flag to the proxmox-tape command allowing users with root privileges to overwrite the passphrase of a given key. Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2022-02-10 14:23:25 +00:00
if force {
param["force"] = serde_json::Value::Bool(true);
} else {
let password = tty::read_password("Current Tape Encryption Key Password: ")?;
param["password"] = String::from_utf8(password)?.into();
}
tape: implement change-passphrase for tape encryption keys
2021-01-20 07:25:42 +00:00
let new_password = tty::read_and_verify_password("New Tape Encryption Key Password: ")?;
param["new-password"] = String::from_utf8(new_password)?.into();
let info = &api2::config::tape_encryption_keys::API_METHOD_CHANGE_PASSPHRASE;
match info.handler {
ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
_ => unreachable!(),
};
Ok(())
}
fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank <m.frank@proxmox.com>
2022-03-24 11:49:30 +00:00
pub const BEGIN_MARKER: &str = "-----BEGIN PROXMOX BACKUP KEY-----";
pub const END_MARKER: &str = "-----END PROXMOX BACKUP KEY-----";
tape: generate random encryptions keys and store key_config on media
2021-01-19 05:19:18 +00:00
#[api(
input: {
properties: {
drive: {
schema: DRIVE_NAME_SCHEMA,
optional: true,
},
fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank <m.frank@proxmox.com>
2022-03-24 11:49:30 +00:00
"backupkey": {
description: "Importing a previously exported backupkey with either an exported paperkey-file, json-string or a json-file",
type: String,
optional: true,
},
tape: generate random encryptions keys and store key_config on media
2021-01-19 05:19:18 +00:00
},
},
)]
/// Restore encryption key from tape (read password from stdin)
async fn restore_key(
mut param: Value,
fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank <m.frank@proxmox.com>
2022-03-24 11:49:30 +00:00
backupkey: Option<String>,
tape: generate random encryptions keys and store key_config on media
2021-01-19 05:19:18 +00:00
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
move drive config to pbs_config workspace Also moved the tape type definitions to pbs_api_types.
2021-09-03 07:10:18 +00:00
let (config, _digest) = pbs_config::drive::config()?;
fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank <m.frank@proxmox.com>
2022-03-24 11:49:30 +00:00
let drive = crate::extract_drive_name(&mut param, &config);
tape: generate random encryptions keys and store key_config on media
2021-01-19 05:19:18 +00:00
if !tty::stdin_isatty() {
bail!("no password input mechanism available");
}
fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank <m.frank@proxmox.com>
2022-03-24 11:49:30 +00:00
if (drive.is_err() && backupkey.is_none()) || (drive.is_ok() && backupkey.is_some()) {
param_bail!(
"drive",
format_err!("Please specify either a valid drive name or a backupkey")
);
}
if drive.is_ok() {
param["drive"] = drive.unwrap().into();
}
if let Some(backupkey) = backupkey {
if serde_json::from_str::<KeyConfig>(&backupkey).is_ok() {
// json as Parameter
println!("backupkey to import: {}", backupkey);
param["backupkey"] = backupkey.into();
} else {
println!("backupkey is not a valid json. Interpreting Parameter as a filename");
let data = proxmox_sys::fs::file_read_string(backupkey)?;
if serde_json::from_str::<KeyConfig>(&data).is_ok() {
// standalone json-file
println!("backupkey to import: {}", data);
param["backupkey"] = data.into();
} else {
// exported paperkey-file
let start = data
.find(BEGIN_MARKER)
.ok_or_else(|| format_err!("cannot find key start marker"))?
+ BEGIN_MARKER.len();
let data_remain = &data[start..];
let end = data_remain
.find(END_MARKER)
.ok_or_else(|| format_err!("cannot find key end marker below start marker"))?;
let backupkey_extract = &data_remain[..end];
println!("backupkey to import: {}", backupkey_extract);
param["backupkey"] = backupkey_extract.into();
}
}
}
let password = tty::read_password("Tape Encryption Key Password: ")?;
tape: generate random encryptions keys and store key_config on media
2021-01-19 05:19:18 +00:00
param["password"] = String::from_utf8(password)?.into();
let info = &api2::tape::drive::API_METHOD_RESTORE_KEY;
match info.handler {
ApiHandler::Async(handler) => (handler)(param, info, rpcenv).await?,
_ => unreachable!(),
};
Ok(())
}
#[api(
input: {
properties: {
tape: add --kdf parameter to create key api
2021-01-20 06:49:35 +00:00
kdf: {
type: Kdf,
optional: true,
},
tape: generate random encryptions keys and store key_config on media
2021-01-19 05:19:18 +00:00
hint: {
description: "Password restore hint.",
type: String,
min_length: 1,
max_length: 32,
},
},
},
)]
/// Create key (read password from stdin)
fn create_key(
mut param: Value,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
if !tty::stdin_isatty() {
bail!("no password input mechanism available");
}
let password = tty::read_and_verify_password("Tape Encryption Key Password: ")?;
param["password"] = String::from_utf8(password)?.into();
let info = &api2::config::tape_encryption_keys::API_METHOD_CREATE_KEY;
let fingerprint = match info.handler {
ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
_ => unreachable!(),
};
println!("{}", fingerprint);
Ok(())
}
tape: add hardware encryption key managenent api
2021-01-18 06:16:06 +00:00
#[api(
input: {
properties: {
"output-format": {
schema: OUTPUT_FORMAT,
optional: true,
},
},
},
)]
/// List keys
fn list_keys(
param: Value,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
let output_format = get_output_format(&param);
let info = &api2::config::tape_encryption_keys::API_METHOD_LIST_KEYS;
let mut data = match info.handler {
ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
_ => unreachable!(),
};
let options = default_table_format_options()
.column(ColumnConfig::new("fingerprint"))
.column(ColumnConfig::new("hint"))
;
format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
Ok(())
}
Reference in New Issue Copy Permalink