From 15998ed12a692cafbb6b0813c0815715d3526269 Mon Sep 17 00:00:00 2001 From: Stefan Reiter Date: Thu, 22 Apr 2021 17:34:47 +0200 Subject: [PATCH] file-restore: support encrypted VM backups Signed-off-by: Stefan Reiter --- src/bin/proxmox-file-restore.rs | 22 +++++++++++++++++--- src/bin/proxmox_file_restore/block_driver.rs | 1 + src/bin/proxmox_file_restore/qemu_helper.rs | 9 ++++++-- 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/src/bin/proxmox-file-restore.rs b/src/bin/proxmox-file-restore.rs index 2726eeb7..3d750152 100644 --- a/src/bin/proxmox-file-restore.rs +++ b/src/bin/proxmox-file-restore.rs @@ -30,7 +30,7 @@ pub mod proxmox_client_tools; use proxmox_client_tools::{ complete_group_or_snapshot, complete_repository, connect, extract_repository_from_value, key_source::{ - crypto_parameters, format_key_source, get_encryption_key_password, KEYFD_SCHEMA, + crypto_parameters_keep_fd, format_key_source, get_encryption_key_password, KEYFD_SCHEMA, KEYFILE_SCHEMA, }, REPO_URL_SCHEMA, @@ -76,6 +76,18 @@ fn parse_path(path: String, base64: bool) -> Result { } } +fn keyfile_path(param: &Value) -> Option { + if let Some(Value::String(keyfile)) = param.get("keyfile") { + return Some(keyfile.to_owned()); + } + + if let Some(Value::Number(keyfd)) = param.get("keyfd") { + return Some(format!("/dev/fd/{}", keyfd)); + } + + None +} + #[api( input: { properties: { @@ -138,7 +150,8 @@ async fn list( let snapshot: BackupDir = snapshot.parse()?; let path = parse_path(path, base64)?; - let crypto = crypto_parameters(¶m)?; + let keyfile = keyfile_path(¶m); + let crypto = crypto_parameters_keep_fd(¶m)?; let crypt_config = match crypto.enc_key { None => None, Some(ref key) => { @@ -210,6 +223,7 @@ async fn list( manifest, repo, snapshot, + keyfile, }; let driver: Option = match param.get("driver") { Some(drv) => Some(serde_json::from_value(drv.clone())?), @@ -309,7 +323,8 @@ async fn extract( None => Some(std::env::current_dir()?), }; - let crypto = crypto_parameters(¶m)?; + let keyfile = keyfile_path(¶m); + let crypto = crypto_parameters_keep_fd(¶m)?; let crypt_config = match crypto.enc_key { None => None, Some(ref key) => { @@ -360,6 +375,7 @@ async fn extract( manifest, repo, snapshot, + keyfile, }; let driver: Option = match param.get("driver") { Some(drv) => Some(serde_json::from_value(drv.clone())?), diff --git a/src/bin/proxmox_file_restore/block_driver.rs b/src/bin/proxmox_file_restore/block_driver.rs index 924503a7..ba9794e3 100644 --- a/src/bin/proxmox_file_restore/block_driver.rs +++ b/src/bin/proxmox_file_restore/block_driver.rs @@ -21,6 +21,7 @@ pub struct SnapRestoreDetails { pub repo: BackupRepository, pub snapshot: BackupDir, pub manifest: BackupManifest, + pub keyfile: Option, } /// Return value of a BlockRestoreDriver.status() call, 'id' must be valid for .stop(id) diff --git a/src/bin/proxmox_file_restore/qemu_helper.rs b/src/bin/proxmox_file_restore/qemu_helper.rs index 7fd2f1f8..0f3a7feb 100644 --- a/src/bin/proxmox_file_restore/qemu_helper.rs +++ b/src/bin/proxmox_file_restore/qemu_helper.rs @@ -190,9 +190,14 @@ pub async fn start_vm( continue; } drives.push("-drive".to_owned()); + let keyfile = if let Some(ref keyfile) = details.keyfile { + format!(",,keyfile={}", keyfile) + } else { + "".to_owned() + }; drives.push(format!( - "file=pbs:repository={},,snapshot={},,archive={},read-only=on,if=none,id=drive{}", - details.repo, details.snapshot, file, id + "file=pbs:repository={},,snapshot={},,archive={}{},read-only=on,if=none,id=drive{}", + details.repo, details.snapshot, file, keyfile, id )); drives.push("-device".to_owned()); // drive serial is used by VM to map .fidx files to /dev paths