moved key_derivation.rs from pbs_datastore to pbs-config/src/key_config.rs

Also moved pbs-datastore/src/crypt_config.rs to pbs-tools/src/crypt_config.rs. We do not want to depend on pbs-api-types there, so I use [u8;32] instead of Fingerprint.
2021-09-07 09:22:14 +02:00 · 2021-09-07 09:22:14 +02:00 · bbdda58b35
parent ed2080762c
commit bbdda58b35
38 changed files with 79 additions and 65 deletions
--- a/pbs-client/src/backup_reader.rs
+++ b/pbs-client/src/backup_reader.rs
@ -9,14 +9,15 @@ use serde_json::{json, Value};
 use proxmox::tools::digest_to_hex;
-use pbs_datastore::{PROXMOX_BACKUP_READER_PROTOCOL_ID_V1, CryptConfig, BackupManifest};
+use pbs_tools::crypt_config::CryptConfig;
 use pbs_tools::sha::sha256;
 use pbs_datastore::{PROXMOX_BACKUP_READER_PROTOCOL_ID_V1, BackupManifest};
 use pbs_datastore::data_blob::DataBlob;
 use pbs_datastore::data_blob_reader::DataBlobReader;
 use pbs_datastore::dynamic_index::DynamicIndexReader;
 use pbs_datastore::fixed_index::FixedIndexReader;
 use pbs_datastore::index::IndexFile;
 use pbs_datastore::manifest::MANIFEST_BLOB_NAME;
 use pbs_tools::sha::sha256;
 use super::{HttpClient, H2Client};
--- a/pbs-client/src/backup_writer.rs
+++ b/pbs-client/src/backup_writer.rs
@ -14,13 +14,14 @@ use tokio_stream::wrappers::ReceiverStream;
 use proxmox::tools::digest_to_hex;
-use pbs_datastore::{CATALOG_NAME, PROXMOX_BACKUP_PROTOCOL_ID_V1, CryptConfig};
+use pbs_tools::crypt_config::CryptConfig;
 use pbs_tools::format::HumanByte;
 use pbs_datastore::{CATALOG_NAME, PROXMOX_BACKUP_PROTOCOL_ID_V1};
 use pbs_datastore::data_blob::{ChunkInfo, DataBlob, DataChunkBuilder};
 use pbs_datastore::dynamic_index::DynamicIndexReader;
 use pbs_datastore::fixed_index::FixedIndexReader;
 use pbs_datastore::index::IndexFile;
 use pbs_datastore::manifest::{ArchiveType, BackupManifest, MANIFEST_BLOB_NAME};
 use pbs_tools::format::HumanByte;
 use super::merge_known_chunks::{MergeKnownChunks, MergedChunkInfo};
--- a/pbs-client/src/remote_chunk_reader.rs
+++ b/pbs-client/src/remote_chunk_reader.rs
@ -5,7 +5,8 @@ use std::sync::{Arc, Mutex};
 use anyhow::{bail, Error};
-use pbs_datastore::{CryptConfig, CryptMode};
+use pbs_tools::crypt_config::CryptConfig;
 use pbs_api_types::CryptMode;
 use pbs_datastore::data_blob::DataBlob;
 use pbs_datastore::read_chunk::ReadChunk;
 use pbs_datastore::read_chunk::AsyncReadChunk;
--- a/pbs-config/Cargo.toml
+++ b/pbs-config/Cargo.toml
@ -9,6 +9,7 @@ description = "Configuration file management for PBS"
 anyhow = "1.0"
 lazy_static = "1.4"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 openssl = "0.10"
 nix = "0.19.1"
--- a/pbs-datastore/src/key_derivation.rs
+++ b/pbs-datastore/src/key_derivation.rs
@ -7,9 +7,9 @@ use serde::{Deserialize, Serialize};
 use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
 use proxmox::try_block;
-use pbs_api_types::{Kdf, KeyInfo};
+use pbs_api_types::{Kdf, KeyInfo, Fingerprint};
-use crate::crypt_config::{CryptConfig, Fingerprint};
+use pbs_tools::crypt_config::CryptConfig;
 /// Key derivation function configuration
 #[derive(Deserialize, Serialize, Clone, Debug)]
@ -120,7 +120,7 @@ impl KeyConfig  {
    pub fn without_password(raw_key: [u8; 32]) -> Result<Self, Error> {
        // always compute fingerprint
        let crypt_config = CryptConfig::new(raw_key.clone())?;
-        let fingerprint = Some(crypt_config.fingerprint());
+        let fingerprint = Some(Fingerprint::new(crypt_config.fingerprint()));
        let created = proxmox::tools::time::epoch_i64();
        Ok(Self {
@ -187,7 +187,7 @@ impl KeyConfig  {
        // always compute fingerprint
        let crypt_config = CryptConfig::new(raw_key.clone())?;
-        let fingerprint = Some(crypt_config.fingerprint());
+        let fingerprint = Some(Fingerprint::new(crypt_config.fingerprint()));
        Ok(Self {
            kdf: Some(kdf),
@ -258,7 +258,7 @@ impl KeyConfig  {
        result.copy_from_slice(&key);
        let crypt_config = CryptConfig::new(result.clone())?;
-        let fingerprint = crypt_config.fingerprint();
+        let fingerprint = Fingerprint::new(crypt_config.fingerprint());
        if let Some(ref stored_fingerprint) = self.fingerprint {
            if &fingerprint != stored_fingerprint {
                bail!(
--- a/pbs-config/src/lib.rs
+++ b/pbs-config/src/lib.rs
@ -1,5 +1,6 @@
 pub mod domains;
 pub mod drive;
 pub mod key_config;
 pub mod media_pool;
 pub mod remote;
--- a/pbs-datastore/Cargo.toml
+++ b/pbs-datastore/Cargo.toml
@ -27,3 +27,4 @@ proxmox = { version = "0.13.0", default-features = false, features = [ "api-macr
 pbs-api-types = { path = "../pbs-api-types" }
 pbs-tools = { path = "../pbs-tools" }
 pbs-config = { path = "../pbs-config" }
--- a/pbs-datastore/src/checksum_reader.rs
+++ b/pbs-datastore/src/checksum_reader.rs
@ -3,8 +3,7 @@ use std::sync::Arc;
 use std::io::Read;
 use pbs_tools::borrow::Tied;
-
+use pbs_tools::crypt_config::CryptConfig;
 use super::CryptConfig;
 pub struct ChecksumReader<R> {
    reader: R,
--- a/pbs-datastore/src/checksum_writer.rs
+++ b/pbs-datastore/src/checksum_writer.rs
@ -4,8 +4,7 @@ use std::io::Write;
 use anyhow::{Error};
 use pbs_tools::borrow::Tied;
-
+use pbs_tools::crypt_config::CryptConfig;
 use super::CryptConfig;
 pub struct ChecksumWriter<W> {
    writer: W,
--- a/pbs-datastore/src/crypt_reader.rs
+++ b/pbs-datastore/src/crypt_reader.rs
@ -3,7 +3,7 @@ use std::io::{Read, BufRead};
 use anyhow::{bail, Error};
-use super::CryptConfig;
+use pbs_tools::crypt_config::CryptConfig;
 pub struct CryptReader<R> {
    reader: R,
--- a/pbs-datastore/src/crypt_writer.rs
+++ b/pbs-datastore/src/crypt_writer.rs
@ -3,7 +3,7 @@ use std::io::Write;
 use anyhow::Error;
-use super::CryptConfig;
+use pbs_tools::crypt_config::CryptConfig;
 pub struct CryptWriter<W> {
    writer: W,
--- a/pbs-datastore/src/data_blob.rs
+++ b/pbs-datastore/src/data_blob.rs
@ -6,8 +6,10 @@ use openssl::symm::{decrypt_aead, Mode};
 use proxmox::tools::io::{ReadExt, WriteExt};
 use pbs_tools::crypt_config::CryptConfig;
 use pbs_api_types::CryptMode;
 use super::file_formats::*;
 use super::{CryptConfig, CryptMode};
 const MAX_BLOB_SIZE: usize = 128*1024*1024;
--- a/pbs-datastore/src/data_blob_reader.rs
+++ b/pbs-datastore/src/data_blob_reader.rs
@ -4,8 +4,9 @@ use std::sync::Arc;
 use anyhow::{bail, format_err, Error};
 use proxmox::tools::io::ReadExt;
 use pbs_tools::crypt_config::CryptConfig;
 use crate::checksum_reader::ChecksumReader;
 use crate::crypt_config::CryptConfig;
 use crate::crypt_reader::CryptReader;
 use crate::file_formats::{self, DataBlobHeader};
--- a/pbs-datastore/src/data_blob_writer.rs
+++ b/pbs-datastore/src/data_blob_writer.rs
@ -3,8 +3,9 @@ use proxmox::tools::io::WriteExt;
 use std::io::{Seek, SeekFrom, Write};
 use std::sync::Arc;
 use pbs_tools::crypt_config::CryptConfig;
 use crate::checksum_writer::ChecksumWriter;
 use crate::crypt_config::CryptConfig;
 use crate::crypt_writer::CryptWriter;
 use crate::file_formats::{self, DataBlobHeader, EncryptedDataBlobHeader};
--- a/pbs-datastore/src/lib.rs
+++ b/pbs-datastore/src/lib.rs
@ -186,7 +186,6 @@ pub mod checksum_writer;
 pub mod chunk_stat;
 pub mod chunk_store;
 pub mod chunker;
 pub mod crypt_config;
 pub mod crypt_reader;
 pub mod crypt_writer;
 pub mod data_blob;
@ -194,7 +193,6 @@ pub mod data_blob_reader;
 pub mod data_blob_writer;
 pub mod file_formats;
 pub mod index;
 pub mod key_derivation;
 pub mod manifest;
 pub mod paperkey;
 pub mod prune;
@ -210,15 +208,10 @@ pub use checksum_reader::ChecksumReader;
 pub use checksum_writer::ChecksumWriter;
 pub use chunk_store::ChunkStore;
 pub use chunker::Chunker;
 pub use crypt_config::{CryptConfig, CryptMode, Fingerprint};
 pub use crypt_reader::CryptReader;
 pub use crypt_writer::CryptWriter;
 pub use data_blob::DataBlob;
 pub use data_blob_reader::DataBlobReader;
 pub use data_blob_writer::DataBlobWriter;
 pub use key_derivation::{
    decrypt_key, load_and_decrypt_key, rsa_decrypt_key_config, rsa_encrypt_key_config,
 };
 pub use key_derivation::{KeyConfig, KeyDerivationConfig};
 pub use manifest::BackupManifest;
 pub use store_progress::StoreProgress;
--- a/pbs-datastore/src/manifest.rs
+++ b/pbs-datastore/src/manifest.rs
@ -6,7 +6,10 @@ use anyhow::{bail, format_err, Error};
 use serde_json::{json, Value};
 use serde::{Deserialize, Serialize};
-use crate::{BackupDir, CryptMode, CryptConfig, Fingerprint};
+use pbs_tools::crypt_config::CryptConfig;
 use pbs_api_types::{CryptMode, Fingerprint};
 use crate::BackupDir;
 pub const MANIFEST_BLOB_NAME: &str = "index.json.blob";
 pub const MANIFEST_LOCK_NAME: &str = ".index.json.lck";
@ -188,7 +191,7 @@ impl BackupManifest {
        if let Some(crypt_config) = crypt_config {
            let sig = self.signature(crypt_config)?;
            manifest["signature"] = proxmox::tools::digest_to_hex(&sig).into();
-            let fingerprint = &crypt_config.fingerprint();
+            let fingerprint = &Fingerprint::new(crypt_config.fingerprint());
            manifest["unprotected"]["key-fingerprint"] = serde_json::to_value(fingerprint)?;
        }
@ -215,7 +218,7 @@ impl BackupManifest {
                    fingerprint,
                ),
                Some(crypt_config) => {
-                    let config_fp = crypt_config.fingerprint();
+                    let config_fp = Fingerprint::new(crypt_config.fingerprint());
                    if config_fp != fingerprint {
                        bail!(
                            "wrong key - manifest's key {} does not match provided key {}",
@ -242,7 +245,7 @@ impl BackupManifest {
                let fingerprint = &json["unprotected"]["key-fingerprint"];
                if fingerprint != &Value::Null {
                    let fingerprint = serde_json::from_value(fingerprint.clone())?;
-                    let config_fp = crypt_config.fingerprint();
+                    let config_fp = Fingerprint::new(crypt_config.fingerprint());
                    if config_fp != fingerprint {
                        bail!(
                            "wrong key - unable to verify signature since manifest's key {} does not match provided key {}",
@ -283,7 +286,7 @@ impl TryFrom<super::DataBlob> for BackupManifest {
 #[test]
 fn test_manifest_signature() -> Result<(), Error> {
-    use crate::{KeyDerivationConfig};
+    use pbs_config::key_config::KeyDerivationConfig;
    let pw = b"test";
--- a/pbs-datastore/src/paperkey.rs
+++ b/pbs-datastore/src/paperkey.rs
@ -6,7 +6,7 @@ use serde::{Deserialize, Serialize};
 use proxmox::api::api;
-use crate::KeyConfig;
+use pbs_config::key_config::KeyConfig;
 #[api()]
 #[derive(Debug, Serialize, Deserialize)]
--- a/pbs-datastore/src/crypt_config.rs
+++ b/pbs-datastore/src/crypt_config.rs
@ -12,8 +12,6 @@ use openssl::hash::MessageDigest;
 use openssl::pkcs5::pbkdf2_hmac;
 use openssl::symm::{Cipher, Crypter, Mode};
 pub use pbs_api_types::{CryptMode, Fingerprint};
 // openssl::sha::sha256(b"Proxmox Backup Encryption Key Fingerprint")
 /// This constant is used to compute fingerprints.
 const FINGERPRINT_INPUT: [u8; 32] = [
@ -104,8 +102,8 @@ impl CryptConfig {
    ///
    /// This computes a digest using the derived key (id_key) in order
    /// to hinder brute force attacks.
-    pub fn fingerprint(&self) -> Fingerprint {
+    pub fn fingerprint(&self) -> [u8; 32] {
-        Fingerprint::new(self.compute_digest(&FINGERPRINT_INPUT))
+        self.compute_digest(&FINGERPRINT_INPUT)
    }
    /// Returns an openssl Crypter using AES_256_GCM,
--- a/pbs-tools/src/lib.rs
+++ b/pbs-tools/src/lib.rs
@ -6,6 +6,7 @@ pub mod broadcast_future;
 pub mod cert;
 pub mod cli;
 pub mod compression;
 pub mod crypt_config;
 pub mod format;
 pub mod fd;
 pub mod fs;
--- a/proxmox-backup-client/Cargo.toml
+++ b/proxmox-backup-client/Cargo.toml
@ -26,6 +26,7 @@ proxmox = { version = "0.13.0", features = [ "sortable-macro", "api-macro", "cli
 pbs-api-types = { path = "../pbs-api-types" }
 pbs-buildcfg = { path = "../pbs-buildcfg" }
 pbs-config = { path = "../pbs-config" }
 pbs-client = { path = "../pbs-client" }
 pbs-datastore = { path = "../pbs-datastore" }
 pbs-fuse-loop = { path = "../pbs-fuse-loop" }
--- a/proxmox-backup-client/src/benchmark.rs
+++ b/proxmox-backup-client/src/benchmark.rs
@ -19,9 +19,10 @@ use proxmox::api::{
    schema::ApiType,
 };
 use pbs_tools::crypt_config::CryptConfig;
 use pbs_config::key_config::{KeyDerivationConfig, load_and_decrypt_key};
 use pbs_client::tools::key_source::get_encryption_key_password;
 use pbs_client::{BackupRepository, BackupWriter};
 use pbs_datastore::{CryptConfig, KeyDerivationConfig, load_and_decrypt_key};
 use pbs_datastore::data_blob::{DataBlob, DataChunkBuilder};
 use crate::{
--- a/proxmox-backup-client/src/catalog.rs
+++ b/proxmox-backup-client/src/catalog.rs
@ -10,6 +10,7 @@ use proxmox::api::{api, cli::*};
 use pbs_client::tools::key_source::get_encryption_key_password;
 use pbs_client::{BackupReader, RemoteChunkReader};
 use pbs_tools::json::required_string_param;
 use pbs_tools::crypt_config::CryptConfig;
 use crate::{
    REPO_URL_SCHEMA,
@ -31,7 +32,6 @@ use crate::{
    BufferedDynamicReadAt,
    CatalogReader,
    CATALOG_NAME,
    CryptConfig,
    DynamicIndexReader,
    IndexFile,
    Shell,
--- a/proxmox-backup-client/src/key.rs
+++ b/proxmox-backup-client/src/key.rs
@ -15,7 +15,7 @@ use proxmox::sys::linux::tty;
 use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
 use pbs_api_types::{RsaPubKeyInfo, PASSWORD_HINT_SCHEMA, Kdf, KeyInfo};
-use pbs_datastore::{KeyConfig, rsa_decrypt_key_config};
+use pbs_config::key_config::{KeyConfig, rsa_decrypt_key_config};
 use pbs_datastore::paperkey::{generate_paper_key, PaperkeyFormat};
 use pbs_client::tools::key_source::{
    find_default_encryption_key, find_default_master_pubkey, get_encryption_key_password,
--- a/proxmox-backup-client/src/main.rs
+++ b/proxmox-backup-client/src/main.rs
@ -29,7 +29,7 @@ use pxar::accessor::{MaybeReady, ReadAt, ReadAtOperation};
 use pbs_api_types::{
    BACKUP_ID_SCHEMA, BACKUP_TIME_SCHEMA, BACKUP_TYPE_SCHEMA, Authid, CryptMode, GroupListItem,
-    PruneListItem, SnapshotListItem, StorageStatus,
+    PruneListItem, SnapshotListItem, StorageStatus, Fingerprint,
 };
 use pbs_client::{
    BACKUP_SOURCE_SCHEMA,
@ -60,7 +60,8 @@ use pbs_client::tools::{
    },
    CHUNK_SIZE_SCHEMA, REPO_URL_SCHEMA,
 };
-use pbs_datastore::{CATALOG_NAME, CryptConfig, KeyConfig, decrypt_key, rsa_encrypt_key_config};
+use pbs_config::key_config::{KeyConfig, decrypt_key, rsa_encrypt_key_config};
 use pbs_datastore::CATALOG_NAME;
 use pbs_datastore::backup_info::{BackupDir, BackupGroup};
 use pbs_datastore::catalog::{BackupCatalogWriter, CatalogReader, CatalogWriter};
 use pbs_datastore::chunk_store::verify_chunk_size;
@ -75,6 +76,7 @@ use pbs_datastore::prune::PruneOptions;
 use pbs_tools::sync::StdChannelWriter;
 use pbs_tools::tokio::TokioWriterAdapter;
 use pbs_tools::json;
 use pbs_tools::crypt_config::CryptConfig;
 mod benchmark;
 pub use benchmark::*;
@ -1131,7 +1133,7 @@ async fn restore(param: Value) -> Result<Value, Error> {
                eprintln!("{}", format_key_source(&key.source, "encryption"));
            }
            if let Some(config) = &crypt_config {
-                eprintln!("Fingerprint: {}", config.fingerprint());
+                eprintln!("Fingerprint: {}", Fingerprint::new(config.fingerprint()));
            }
        }
        manifest.check_fingerprint(crypt_config.as_ref().map(Arc::as_ref))?;
--- a/proxmox-backup-client/src/mount.rs
+++ b/proxmox-backup-client/src/mount.rs
@ -17,7 +17,9 @@ use proxmox::{sortable, identity};
 use proxmox::api::{ApiHandler, ApiMethod, RpcEnvironment, schema::*, cli::*};
 use proxmox::tools::fd::Fd;
-use pbs_datastore::{BackupDir, BackupGroup, CryptConfig, load_and_decrypt_key};
+use pbs_tools::crypt_config::CryptConfig;
 use pbs_config::key_config::load_and_decrypt_key;
 use pbs_datastore::{BackupDir, BackupGroup, };
 use pbs_datastore::index::IndexFile;
 use pbs_datastore::dynamic_index::BufferedDynamicReader;
 use pbs_datastore::cached_chunk_reader::CachedChunkReader;
--- a/proxmox-backup-client/src/snapshot.rs
+++ b/proxmox-backup-client/src/snapshot.rs
@ -8,10 +8,11 @@ use proxmox::{
    tools::fs::file_get_contents,
 };
-use pbs_api_types::SnapshotListItem;
+use pbs_tools::crypt_config::CryptConfig;
 use pbs_config::key_config::decrypt_key;
 use pbs_api_types::{SnapshotListItem, CryptMode};
 use pbs_client::tools::key_source::get_encryption_key_password;
-use pbs_datastore::{BackupGroup, CryptMode, CryptConfig, decrypt_key};
+use pbs_datastore::{DataBlob, BackupGroup};
 use pbs_datastore::data_blob::DataBlob;
 use pbs_tools::json::required_string_param;
 use crate::{
--- a/proxmox-backup-debug/Cargo.toml
+++ b/proxmox-backup-debug/Cargo.toml
@ -11,6 +11,7 @@ serde_json = "1.0"
 proxmox = { version = "0.13.0", features = [ "api-macro", "cli" ] }
 pbs-config = { path = "../pbs-config" }
 pbs-client = { path = "../pbs-client" }
 pbs-datastore = { path = "../pbs-datastore" }
 pbs-runtime = { path = "../pbs-runtime" }
--- a/proxmox-backup-debug/src/inspect.rs
+++ b/proxmox-backup-debug/src/inspect.rs
@ -12,6 +12,8 @@ use proxmox::api::cli::{
 };
 use proxmox::api::{api, cli::*};
 use pbs_tools::cli::outfile_or_stdout;
 use pbs_tools::crypt_config::CryptConfig;
 use pbs_datastore::dynamic_index::DynamicIndexReader;
 use pbs_datastore::file_formats::{
    COMPRESSED_BLOB_MAGIC_1_0, DYNAMIC_SIZED_CHUNK_INDEX_1_0, ENCRYPTED_BLOB_MAGIC_1_0,
@ -19,11 +21,10 @@ use pbs_datastore::file_formats::{
 };
 use pbs_datastore::fixed_index::FixedIndexReader;
 use pbs_datastore::index::IndexFile;
-use pbs_datastore::{load_and_decrypt_key, CryptConfig, DataBlob};
+use pbs_datastore::DataBlob;
-
+use pbs_config::key_config::load_and_decrypt_key;
 use pbs_client::tools::key_source::get_encryption_key_password;
 use pbs_tools::cli::outfile_or_stdout;
 /// Decodes a blob and writes its content either to stdout or into a file
 fn decode_blob(
--- a/proxmox-backup-debug/src/recover.rs
+++ b/proxmox-backup-debug/src/recover.rs
@ -7,17 +7,17 @@ use serde_json::Value;
 use proxmox::api::api;
 use proxmox::api::cli::{CliCommand, CliCommandMap, CommandLineInterface};
 use proxmox::tools::digest_to_hex;
 use pbs_tools::crypt_config::CryptConfig;
 use pbs_datastore::dynamic_index::DynamicIndexReader;
 use pbs_datastore::file_formats::{DYNAMIC_SIZED_CHUNK_INDEX_1_0, FIXED_SIZED_CHUNK_INDEX_1_0};
 use pbs_datastore::fixed_index::FixedIndexReader;
 use pbs_datastore::index::IndexFile;
-use pbs_datastore::{load_and_decrypt_key, CryptConfig, DataBlob};
+use pbs_datastore::DataBlob;
-
+use pbs_config::key_config::load_and_decrypt_key;
 use pbs_client::tools::key_source::get_encryption_key_password;
 use proxmox::tools::digest_to_hex;
 #[api(
    input: {
        properties: {
--- a/proxmox-file-restore/Cargo.toml
+++ b/proxmox-file-restore/Cargo.toml
@ -20,6 +20,7 @@ proxmox = { version = "0.13.0", features = [ "api-macro", "cli" ] }
 pbs-api-types = { path = "../pbs-api-types" }
 pbs-buildcfg = { path = "../pbs-buildcfg" }
 pbs-config = { path = "../pbs-config" }
 pbs-client = { path = "../pbs-client" }
 pbs-datastore = { path = "../pbs-datastore" }
 pbs-runtime = { path = "../pbs-runtime" }
--- a/proxmox-file-restore/src/main.rs
+++ b/proxmox-file-restore/src/main.rs
@ -17,13 +17,14 @@ use proxmox::tools::fs::{create_path, CreateOptions};
 use pxar::accessor::aio::Accessor;
 use pxar::decoder::aio::Decoder;
 use pbs_tools::crypt_config::CryptConfig;
 use pbs_api_types::CryptMode;
-use pbs_datastore::{CryptConfig, CATALOG_NAME};
+use pbs_datastore::CATALOG_NAME;
 use pbs_datastore::backup_info::BackupDir;
 use pbs_datastore::catalog::{ArchiveEntry, CatalogReader, DirEntryAttribute};
 use pbs_datastore::dynamic_index::{BufferedDynamicReader, LocalDynamicReadAt};
 use pbs_datastore::index::IndexFile;
-use pbs_datastore::key_derivation::decrypt_key;
+use pbs_config::key_config::decrypt_key;
 use pbs_client::{BackupReader, RemoteChunkReader};
 use pbs_client::pxar::{create_zip, extract_sub_dir, extract_sub_dir_seq};
 use pbs_client::tools::{
--- a/src/api2/config/tape_encryption_keys.rs
+++ b/src/api2/config/tape_encryption_keys.rs
@ -12,7 +12,7 @@ use proxmox::{
 };
 use pbs_api_types::{Fingerprint, KeyInfo, Kdf};
-use pbs_datastore::key_derivation::KeyConfig;
+use pbs_config::key_config::KeyConfig;
 use pbs_config::open_backup_lockfile;
 use crate::{
--- a/src/backup/read_chunk.rs
+++ b/src/backup/read_chunk.rs
@ -4,7 +4,8 @@ use std::sync::Arc;
 use anyhow::{bail, Error};
-use pbs_datastore::crypt_config::{CryptConfig, CryptMode};
+use pbs_tools::crypt_config::CryptConfig;
 use pbs_api_types::CryptMode;
 use pbs_datastore::data_blob::DataBlob;
 use pbs_datastore::read_chunk::{ReadChunk, AsyncReadChunk};
--- a/src/config/tape_encryption_keys.rs
+++ b/src/config/tape_encryption_keys.rs
@ -17,8 +17,7 @@ use serde::{Deserialize, Serialize};
 use proxmox::tools::fs::file_read_optional_string;
 use pbs_api_types::Fingerprint;
-use pbs_datastore::key_derivation::KeyConfig;
+use pbs_config::key_config::KeyConfig;
 use pbs_config::{open_backup_lockfile, replace_secret_config};
 mod hex_key {
--- a/src/tape/drive/lto/mod.rs
+++ b/src/tape/drive/lto/mod.rs
@ -28,7 +28,7 @@ use proxmox::{
 };
 use pbs_api_types::Fingerprint;
-use pbs_datastore::key_derivation::KeyConfig;
+use pbs_config::key_config::KeyConfig;
 use pbs_tools::run_command;
 use crate::{
--- a/src/tape/drive/mod.rs
+++ b/src/tape/drive/mod.rs
@ -28,11 +28,10 @@ use proxmox::{
    api::section_config::SectionConfigData,
 };
-use pbs_api_types::Fingerprint;
+use pbs_api_types::{VirtualTapeDrive, LtoTapeDrive, Fingerprint};
-use pbs_datastore::key_derivation::KeyConfig;
+use pbs_config::key_config::KeyConfig;
 use pbs_datastore::task::TaskState;
 use pbs_datastore::task_log;
 use pbs_api_types::{VirtualTapeDrive, LtoTapeDrive};
 use crate::{
    server::{
--- a/src/tape/drive/virtual_tape.rs
+++ b/src/tape/drive/virtual_tape.rs
@ -10,7 +10,7 @@ use proxmox::tools::{
    fs::{replace_file, CreateOptions},
 };
-use pbs_datastore::key_derivation::KeyConfig;
+use pbs_config::key_config::KeyConfig;
 use crate::{
    tape::{
--- a/tests/blob_writer.rs
+++ b/tests/blob_writer.rs
@ -4,7 +4,8 @@ use std::io::Cursor;
 use std::io::{Read, Write, Seek, SeekFrom };
 use lazy_static::lazy_static;
-use pbs_datastore::{CryptConfig, DataBlob, DataBlobReader, DataBlobWriter};
+use pbs_tools::crypt_config::CryptConfig;
 use pbs_datastore::{DataBlob, DataBlobReader, DataBlobWriter};
 lazy_static! {
    static ref TEST_DATA: Vec<u8> = {