tape: generate random encryptions keys and store key_config on media

src/api2/config/tape_encryption_keys.rs

@@ -15,9 +15,12 @@ use crate::{
     config::{
         tape_encryption_keys::{
             TAPE_KEYS_LOCKFILE,
-            EncryptionKeyInfo,
+            generate_tape_encryption_key,
             load_keys,
+            load_key_configs,
             save_keys,
+            save_key_configs,
+            insert_key,
         },
     },
     api2::types::{
@@ -25,12 +28,13 @@ use crate::{
         PROXMOX_CONFIG_DIGEST_SCHEMA,
         TapeKeyMetadata,
     },
-    backup::Fingerprint,
+    backup::{
+        Fingerprint,
+    },
     tools::format::as_fingerprint,
 };
 
 #[api(
-    protected: true,
     input: {
         properties: {},
     },
@@ -47,17 +51,17 @@ pub fn list_keys(
     mut rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Vec<TapeKeyMetadata>, Error> {
 
-    let (key_map, digest) = load_keys()?;
+    let (key_map, digest) = load_key_configs()?;
 
     let mut list = Vec::new();
-    
-    for (_fingerprint, item) in key_map {
+
+    for (fingerprint, item) in key_map {
         list.push(TapeKeyMetadata {
             hint: item.hint,
-            fingerprint: as_fingerprint(item.fingerprint.bytes()),
+            fingerprint: as_fingerprint(fingerprint.bytes()),
         });
     }
-    
+
     rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
 
     Ok(list)
@@ -71,11 +75,15 @@ pub fn list_keys(
                 min_length: 5,
             },
             hint: {
-                description: "Password restore hint",
+                description: "Password restore hint.",
                 min_length: 1,
+                max_length: 32,
             },
         },
     },
+    returns: {
+        schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
+    },
 )]
 /// Create a new encryption key
 pub fn create_key(
@@ -84,26 +92,11 @@ pub fn create_key(
     _rpcenv: &mut dyn RpcEnvironment
 ) -> Result<Fingerprint, Error> {
 
-    let key = openssl::sha::sha256(password.as_bytes()); // fixme: better KDF ??
+    let (key, key_config) = generate_tape_encryption_key(password.as_bytes())?;
 
-    let item = EncryptionKeyInfo::new(&key, hint);
+    let fingerprint = key_config.fingerprint.clone().unwrap();
 
-    let _lock = open_file_locked(
-        TAPE_KEYS_LOCKFILE,
-        std::time::Duration::new(10, 0),
-        true,
-    )?;
-
-    let (mut key_map, _) = load_keys()?;
-
-    let fingerprint = item.fingerprint.clone();
-
-    if let Some(_) = key_map.get(&fingerprint) {
-        bail!("encryption key '{}' already exists.", fingerprint);
-    }
-
-    key_map.insert(fingerprint.clone(), item);
-    save_keys(key_map)?;
+    insert_key(key, key_config, hint)?;
 
     Ok(fingerprint)
 }
@@ -131,25 +124,28 @@ pub fn delete_key(
     digest: Option<String>,
     _rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<(), Error> {
- 
+
     let _lock = open_file_locked(
         TAPE_KEYS_LOCKFILE,
         std::time::Duration::new(10, 0),
         true,
     )?;
 
-    let (mut key_map, expected_digest) = load_keys()?;
+    let (mut config_map, expected_digest) = load_key_configs()?;
+    let (mut key_map, _) = load_keys()?;
 
     if let Some(ref digest) = digest {
         let digest = proxmox::tools::hex_to_digest(digest)?;
         crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
     }
 
-    match key_map.get(&fingerprint) {
-        Some(_) => { key_map.remove(&fingerprint); },
+    match config_map.get(&fingerprint) {
+        Some(_) => { config_map.remove(&fingerprint); },
         None => bail!("tape encryption key '{}' does not exist.", fingerprint),
     }
+    save_key_configs(config_map)?;
 
+    key_map.remove(&fingerprint);
     save_keys(key_map)?;
 
     Ok(())