tape: generate random encryptions keys and store key_config on media

2021-01-19 06:19:18 +01:00
parent 8ca37d6a65
commit feb1645f37
10 changed files with 402 additions and 87 deletions
--- a/src/bin/proxmox_tape/encryption_key.rs
+++ b/src/bin/proxmox_tape/encryption_key.rs
@ -1,4 +1,4 @@
-use anyhow::Error;
+use anyhow::{bail, Error};
 use serde_json::Value;

 use proxmox::{
@ -8,11 +8,16 @@ use proxmox::{
        RpcEnvironment,
        ApiHandler,
    },
+    sys::linux::tty,
 };

 use proxmox_backup::{
+    config,
    api2::{
        self,
+        types::{
+            DRIVE_NAME_SCHEMA,
+        },
    },
    config::tape_encryption_keys::complete_key_fingerprint,
 };
@ -23,7 +28,11 @@ pub fn encryption_key_commands() -> CommandLineInterface {
        .insert("list", CliCommand::new(&API_METHOD_LIST_KEYS))
        .insert(
            "create",
-            CliCommand::new(&api2::config::tape_encryption_keys::API_METHOD_CREATE_KEY)
+            CliCommand::new(&API_METHOD_CREATE_KEY)
+        )
+        .insert(
+            "restore",
+            CliCommand::new(&API_METHOD_RESTORE_KEY)
        )
        .insert(
            "remove",
@ -36,6 +45,79 @@ pub fn encryption_key_commands() -> CommandLineInterface {
    cmd_def.into()
 }

+#[api(
+    input: {
+        properties: {
+            drive: {
+                schema: DRIVE_NAME_SCHEMA,
+                optional: true,
+            },
+        },
+    },
+)]
+/// Restore encryption key from tape (read password from stdin)
+async fn restore_key(
+    mut param: Value,
+    rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+
+    let (config, _digest) = config::drive::config()?;
+    param["drive"] = crate::lookup_drive_name(&param, &config)?.into();
+
+    if !tty::stdin_isatty() {
+        bail!("no password input mechanism available");
+    }
+
+    let password = tty::read_password("Tepe Encryption Key Password: ")?;
+    param["password"] = String::from_utf8(password)?.into();
+
+    let info = &api2::tape::drive::API_METHOD_RESTORE_KEY;
+    match info.handler {
+        ApiHandler::Async(handler) => (handler)(param, info, rpcenv).await?,
+        _ => unreachable!(),
+    };
+
+    Ok(())
+}
+
+#[api(
+    input: {
+        properties: {
+            hint: {
+                description: "Password restore hint.",
+                type: String,
+                min_length: 1,
+                max_length: 32,
+            },
+        },
+    },
+)]
+/// Create key (read password from stdin)
+fn create_key(
+    mut param: Value,
+    rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+
+    if !tty::stdin_isatty() {
+        bail!("no password input mechanism available");
+    }
+
+    let password = tty::read_and_verify_password("Tape Encryption Key Password: ")?;
+
+    param["password"] = String::from_utf8(password)?.into();
+
+    let info = &api2::config::tape_encryption_keys::API_METHOD_CREATE_KEY;
+    let fingerprint = match info.handler {
+        ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
+        _ => unreachable!(),
+    };
+
+    println!("{}", fingerprint);
+
+    Ok(())
+}
+
+
 #[api(
    input: {
        properties: {