Proxmox Backup Paperkey

use std::path::PathBuf; use std::io::Write; use std::process::{Stdio, Command}; use anyhow::{bail, format_err, Error}; use serde::{Deserialize, Serialize}; use serde_json::Value; use proxmox::api::api; use proxmox::api::cli::{ ColumnConfig, CliCommand, CliCommandMap, format_and_print_result_full, get_output_format, OUTPUT_FORMAT, }; use proxmox::api::router::ReturnType; use proxmox::sys::linux::tty; use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions}; use proxmox_backup::{ api2::types::{ PASSWORD_HINT_SCHEMA, }, backup::{ encrypt_key_with_passphrase, load_key_config, decrypt_key_config, rsa_decrypt_key_config, store_key_config, CryptConfig, Kdf, KeyConfig, KeyDerivationConfig, }, tools, }; #[api()] #[derive(Debug, Serialize, Deserialize)] #[serde(rename_all = "lowercase")] /// Paperkey output format pub enum PaperkeyFormat { /// Format as Utf8 text. Includes QR codes as ascii-art. Text, /// Format as Html. Includes QR codes as png images. Html, } pub const DEFAULT_ENCRYPTION_KEY_FILE_NAME: &str = "encryption-key.json"; pub const MASTER_PUBKEY_FILE_NAME: &str = "master-public.pem"; pub fn find_master_pubkey() -> Result, Error> { super::find_xdg_file(MASTER_PUBKEY_FILE_NAME, "main public key file") } pub fn place_master_pubkey() -> Result { super::place_xdg_file(MASTER_PUBKEY_FILE_NAME, "main public key file") } pub fn find_default_encryption_key() -> Result, Error> { super::find_xdg_file(DEFAULT_ENCRYPTION_KEY_FILE_NAME, "default encryption key file") } pub fn place_default_encryption_key() -> Result { super::place_xdg_file(DEFAULT_ENCRYPTION_KEY_FILE_NAME, "default encryption key file") } pub fn read_optional_default_encryption_key() -> Result>, Error> { find_default_encryption_key()? .map(file_get_contents) .transpose() } pub fn get_encryption_key_password() -> Result, Error> { // fixme: implement other input methods use std::env::VarError::*; match std::env::var("PBS_ENCRYPTION_PASSWORD") { Ok(p) => return Ok(p.as_bytes().to_vec()), Err(NotUnicode(_)) => bail!("PBS_ENCRYPTION_PASSWORD contains bad characters"), Err(NotPresent) => { // Try another method } } // If we're on a TTY, query the user for a password if tty::stdin_isatty() { return Ok(tty::read_password("Encryption Key Password: ")?); } bail!("no password input mechanism available"); } #[api( input: { properties: { kdf: { type: Kdf, optional: true, }, path: { description: "Output file. Without this the key will become the new default encryption key.", optional: true, }, hint: { schema: PASSWORD_HINT_SCHEMA, optional: true, }, }, }, )] /// Create a new encryption key. fn create( kdf: Option, path: Option, hint: Option ) -> Result<(), Error> { let path = match path { Some(path) => PathBuf::from(path), None => { let path = place_default_encryption_key()?; println!("creating default key at: {:?}", path); path } }; let kdf = kdf.unwrap_or_default(); let mut key_array = [0u8; 32]; proxmox::sys::linux::fill_with_random_data(&mut key_array)?; let crypt_config = CryptConfig::new(key_array.clone())?; let key = key_array.to_vec(); match kdf { Kdf::None => { let created = proxmox::tools::time::epoch_i64(); if hint.is_some() { bail!("password hint not allowed for Kdf::None"); } store_key_config( &path, false, KeyConfig { kdf: None, created, modified: created, data: key, fingerprint: Some(crypt_config.fingerprint()), hint: None, }, )?; } Kdf::Scrypt | Kdf::PBKDF2 => { // always read passphrase from tty if !tty::stdin_isatty() { bail!("unable to read passphrase - no tty"); } let password = tty::read_and_verify_password("Encryption Key Password: ")?; let mut key_config = encrypt_key_with_passphrase(&key, &password, kdf)?; key_config.fingerprint = Some(crypt_config.fingerprint()); key_config.hint = hint; store_key_config(&path, false, key_config)?; } } Ok(()) } #[api( input: { properties: { "master-keyfile": { description: "(Private) master key to use.", }, "encrypted-keyfile": { description: "RSA-encrypted keyfile to import.", }, kdf: { type: Kdf, optional: true, }, "path": { description: "Output file. Without this the key will become the new default encryption key.", optional: true, }, hint: { schema: PASSWORD_HINT_SCHEMA, optional: true, }, }, }, )] /// Import an encrypted backup of an encryption key using a (private) master key. async fn import_with_master_key( master_keyfile: String, encrypted_keyfile: String, kdf: Option, path: Option, hint: Option, ) -> Result<(), Error> { let path = match path { Some(path) => PathBuf::from(path), None => { let path = place_default_encryption_key()?; if path.exists() { bail!("Please remove default encryption key at {:?} before importing to default location (or choose a non-default one).", path); } println!("Importing key to default location at: {:?}", path); path } }; let encrypted_key = file_get_contents(&encrypted_keyfile)?; let master_key = file_get_contents(&master_keyfile)?; let password = tty::read_password("Master Key Password: ")?; let master_key = openssl::pkey::PKey::private_key_from_pem_passphrase(&master_key, &password) .map_err(|err| format_err!("failed to read PEM-formatted private key - {}", err))? .rsa() .map_err(|err| format_err!("not a valid private RSA key - {}", err))?; let (key, created, fingerprint) = rsa_decrypt_key_config(master_key, &encrypted_key, &get_encryption_key_password)?; let kdf = kdf.unwrap_or_default(); match kdf { Kdf::None => { let modified = proxmox::tools::time::epoch_i64(); if hint.is_some() { bail!("password hint not allowed for Kdf::None"); } store_key_config( &path, true, KeyConfig { kdf: None, created, // keep original value modified, data: key.to_vec(), fingerprint: Some(fingerprint), hint: None, }, )?; } Kdf::Scrypt | Kdf::PBKDF2 => { let password = tty::read_and_verify_password("New Password: ")?; let mut new_key_config = encrypt_key_with_passphrase(&key, &password, kdf)?; new_key_config.created = created; // keep original value new_key_config.fingerprint = Some(fingerprint); new_key_config.hint = hint; store_key_config(&path, true, new_key_config)?; } } Ok(()) } #[api( input: { properties: { kdf: { type: Kdf, optional: true, }, path: { description: "Key file. Without this the default key's password will be changed.", optional: true, }, hint: { schema: PASSWORD_HINT_SCHEMA, optional: true, }, }, }, )] /// Change the encryption key's password. fn change_passphrase( kdf: Option, path: Option, hint: Option, ) -> Result<(), Error> { let path = match path { Some(path) => PathBuf::from(path), None => { let path = find_default_encryption_key()? .ok_or_else(|| { format_err!("no encryption file provided and no default file found") })?; println!("updating default key at: {:?}", path); path } }; let kdf = kdf.unwrap_or_default(); if !tty::stdin_isatty() { bail!("unable to change passphrase - no tty"); } let key_config = load_key_config(&path)?; let (key, created, fingerprint) = decrypt_key_config(&key_config, &get_encryption_key_password)?; match kdf { Kdf::None => { let modified = proxmox::tools::time::epoch_i64(); if hint.is_some() { bail!("password hint not allowed for Kdf::None"); } store_key_config( &path, true, KeyConfig { kdf: None, created, // keep original value modified, data: key.to_vec(), fingerprint: Some(fingerprint), hint: None, }, )?; } Kdf::Scrypt | Kdf::PBKDF2 => { let password = tty::read_and_verify_password("New Password: ")?; let mut new_key_config = encrypt_key_with_passphrase(&key, &password, kdf)?; new_key_config.created = created; // keep original value new_key_config.fingerprint = Some(fingerprint); new_key_config.hint = hint; store_key_config(&path, true, new_key_config)?; } } Ok(()) } #[api( properties: { kdf: { type: Kdf, }, }, )] #[derive(Deserialize, Serialize)] /// Encryption Key Information struct KeyInfo { /// Path to key path: String, kdf: Kdf, /// Key creation time pub created: i64, /// Key modification time pub modified: i64, /// Key fingerprint #[serde(skip_serializing_if="Option::is_none")] pub fingerprint: Option, /// Password hint #[serde(skip_serializing_if="Option::is_none")] pub hint: Option, } #[api( input: { properties: { path: { description: "Key file. Without this the default key's metadata will be shown.", optional: true, }, "output-format": { schema: OUTPUT_FORMAT, optional: true, }, }, }, )] /// Print the encryption key's metadata. fn show_key( path: Option, param: Value, ) -> Result<(), Error> { let path = match path { Some(path) => PathBuf::from(path), None => { let path = find_default_encryption_key()? .ok_or_else(|| { format_err!("no encryption file provided and no default file found") })?; path } }; let config: KeyConfig = serde_json::from_slice(&file_get_contents(path.clone())?)?; let output_format = get_output_format(¶m); let info = KeyInfo { path: format!("{:?}", path), kdf: match config.kdf { Some(KeyDerivationConfig::PBKDF2 { .. }) => Kdf::PBKDF2, Some(KeyDerivationConfig::Scrypt { .. }) => Kdf::Scrypt, None => Kdf::None, }, created: config.created, modified: config.modified, fingerprint: match config.fingerprint { Some(ref fp) => Some(format!("{}", fp)), None => None, }, hint: config.hint, }; let options = proxmox::api::cli::default_table_format_options() .column(ColumnConfig::new("path")) .column(ColumnConfig::new("kdf")) .column(ColumnConfig::new("created").renderer(tools::format::render_epoch)) .column(ColumnConfig::new("modified").renderer(tools::format::render_epoch)) .column(ColumnConfig::new("fingerprint")) .column(ColumnConfig::new("hint")); let return_type = ReturnType::new(false, &KeyInfo::API_SCHEMA); format_and_print_result_full( &mut serde_json::to_value(info)?, &return_type, &output_format, &options, ); Ok(()) } #[api( input: { properties: { path: { description: "Path to the PEM formatted RSA public key.", }, }, }, )] /// Import an RSA public key used to put an encrypted version of the symmetric backup encryption /// key onto the backup server along with each backup. fn import_master_pubkey(path: String) -> Result<(), Error> { let pem_data = file_get_contents(&path)?; if let Err(err) = openssl::pkey::PKey::public_key_from_pem(&pem_data) { bail!("Unable to decode PEM data - {}", err); } let target_path = place_master_pubkey()?; replace_file(&target_path, &pem_data, CreateOptions::new())?; println!("Imported public master key to {:?}", target_path); Ok(()) } #[api] /// Create an RSA public/private key pair used to put an encrypted version of the symmetric backup /// encryption key onto the backup server along with each backup. fn create_master_key() -> Result<(), Error> { // we need a TTY to query the new password if !tty::stdin_isatty() { bail!("unable to create master key - no tty"); } let rsa = openssl::rsa::Rsa::generate(4096)?; let pkey = openssl::pkey::PKey::from_rsa(rsa)?; let password = String::from_utf8(tty::read_and_verify_password("Master Key Password: ")?)?; let pub_key: Vec = pkey.public_key_to_pem()?; let filename_pub = "master-public.pem"; println!("Writing public master key to {}", filename_pub); replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?; let cipher = openssl::symm::Cipher::aes_256_cbc(); let priv_key: Vec = pkey.private_key_to_pem_pkcs8_passphrase(cipher, password.as_bytes())?; let filename_priv = "master-private.pem"; println!("Writing private master key to {}", filename_priv); replace_file(filename_priv, priv_key.as_slice(), CreateOptions::new())?; Ok(()) } #[api( input: { properties: { path: { description: "Key file. Without this the default key's will be used.", optional: true, }, subject: { description: "Include the specified subject as titel text.", optional: true, }, "output-format": { type: PaperkeyFormat, optional: true, }, }, }, )] /// Generate a printable, human readable text file containing the encryption key. /// /// This also includes a scanable QR code for fast key restore. fn paper_key( path: Option, subject: Option, output_format: Option, ) -> Result<(), Error> { let path = match path { Some(path) => PathBuf::from(path), None => { let path = find_default_encryption_key()? .ok_or_else(|| { format_err!("no encryption file provided and no default file found") })?; path } }; let data = file_get_contents(&path)?; let data = String::from_utf8(data)?; let (data, is_private_key) = if data.starts_with("-----BEGIN ENCRYPTED PRIVATE KEY-----\n") { let lines: Vec = data .lines() .map(|s| s.trim_end()) .filter(|s| !s.is_empty()) .map(String::from) .collect(); if !lines[lines.len()-1].starts_with("-----END ENCRYPTED PRIVATE KEY-----") { bail!("unexpected key format"); } if lines.len() < 20 { bail!("unexpected key format"); } (lines, true) } else { match serde_json::from_str::(&data) { Ok(key_config) => { let lines = serde_json::to_string_pretty(&key_config)? .lines() .map(String::from) .collect(); (lines, false) }, Err(err) => { eprintln!("Couldn't parse '{:?}' as KeyConfig - {}", path, err); bail!("Neither a PEM-formatted private key, nor a PBS key file."); }, } }; let format = output_format.unwrap_or(PaperkeyFormat::Html); match format { PaperkeyFormat::Html => paperkey_html(&data, subject, is_private_key), PaperkeyFormat::Text => paperkey_text(&data, subject, is_private_key), } } pub fn cli() -> CliCommandMap { let key_create_cmd_def = CliCommand::new(&API_METHOD_CREATE) .arg_param(&["path"]) .completion_cb("path", tools::complete_file_name); let key_import_with_master_key_cmd_def = CliCommand::new(&API_METHOD_IMPORT_WITH_MASTER_KEY) .arg_param(&["master-keyfile"]) .completion_cb("master-keyfile", tools::complete_file_name) .arg_param(&["encrypted-keyfile"]) .completion_cb("encrypted-keyfile", tools::complete_file_name) .arg_param(&["path"]) .completion_cb("path", tools::complete_file_name); let key_change_passphrase_cmd_def = CliCommand::new(&API_METHOD_CHANGE_PASSPHRASE) .arg_param(&["path"]) .completion_cb("path", tools::complete_file_name); let key_create_master_key_cmd_def = CliCommand::new(&API_METHOD_CREATE_MASTER_KEY); let key_import_master_pubkey_cmd_def = CliCommand::new(&API_METHOD_IMPORT_MASTER_PUBKEY) .arg_param(&["path"]) .completion_cb("path", tools::complete_file_name); let key_show_cmd_def = CliCommand::new(&API_METHOD_SHOW_KEY) .arg_param(&["path"]) .completion_cb("path", tools::complete_file_name); let paper_key_cmd_def = CliCommand::new(&API_METHOD_PAPER_KEY) .arg_param(&["path"]) .completion_cb("path", tools::complete_file_name); CliCommandMap::new() .insert("create", key_create_cmd_def) .insert("import-with-master-key", key_import_with_master_key_cmd_def) .insert("create-master-key", key_create_master_key_cmd_def) .insert("import-master-pubkey", key_import_master_pubkey_cmd_def) .insert("change-passphrase", key_change_passphrase_cmd_def) .insert("show", key_show_cmd_def) .insert("paperkey", paper_key_cmd_def) } fn paperkey_html(lines: &[String], subject: Option, is_private: bool) -> Result<(), Error> { let img_size_pt = 500; println!(""); println!(""); println!(""); println!(""); println!(""); println!("Proxmox Backup Paperkey"); println!(""); println!(""); println!(""); if let Some(subject) = subject { println!("

Subject: {}

", subject); } if is_private { const BLOCK_SIZE: usize = 20; let blocks = (lines.len() + BLOCK_SIZE -1)/BLOCK_SIZE; for i in 0..blocks { let start = i*BLOCK_SIZE; let mut end = start + BLOCK_SIZE; if end > lines.len() { end = lines.len(); } let data = &lines[start..end]; println!("

"); println!("

"); for l in start..end { println!("{:02}: {}", l, lines[l]); } println!("

"); let qr_code = generate_qr_code("svg", data)?; let qr_code = base64::encode_config(&qr_code, base64::STANDARD_NO_PAD); println!(""); println!("", qr_code); println!(""); println!("

"); } println!(""); println!(""); return Ok(()); } println!("

"); println!("

"); println!("-----BEGIN PROXMOX BACKUP KEY-----"); for line in lines { println!("{}", line); } println!("-----END PROXMOX BACKUP KEY-----"); println!("

"); let qr_code = generate_qr_code("svg", lines)?; let qr_code = base64::encode_config(&qr_code, base64::STANDARD_NO_PAD); println!(""); println!("", qr_code); println!(""); println!("

"); println!(""); println!(""); Ok(()) } fn paperkey_text(lines: &[String], subject: Option, is_private: bool) -> Result<(), Error> { if let Some(subject) = subject { println!("Subject: {}\n", subject); } if is_private { const BLOCK_SIZE: usize = 5; let blocks = (lines.len() + BLOCK_SIZE -1)/BLOCK_SIZE; for i in 0..blocks { let start = i*BLOCK_SIZE; let mut end = start + BLOCK_SIZE; if end > lines.len() { end = lines.len(); } let data = &lines[start..end]; for l in start..end { println!("{:-2}: {}", l, lines[l]); } let qr_code = generate_qr_code("utf8i", data)?; let qr_code = String::from_utf8(qr_code) .map_err(|_| format_err!("Failed to read qr code (got non-utf8 data)"))?; println!("{}", qr_code); println!("{}", char::from(12u8)); // page break } return Ok(()); } println!("-----BEGIN PROXMOX BACKUP KEY-----"); for line in lines { println!("{}", line); } println!("-----END PROXMOX BACKUP KEY-----"); let qr_code = generate_qr_code("utf8i", &lines)?; let qr_code = String::from_utf8(qr_code) .map_err(|_| format_err!("Failed to read qr code (got non-utf8 data)"))?; println!("{}", qr_code); Ok(()) } fn generate_qr_code(output_type: &str, lines: &[String]) -> Result, Error> { let mut child = Command::new("qrencode") .args(&["-t", output_type, "-m0", "-s1", "-lm", "--output", "-"]) .stdin(Stdio::piped()) .stdout(Stdio::piped()) .spawn()?; { let stdin = child.stdin.as_mut() .ok_or_else(|| format_err!("Failed to open stdin"))?; let data = lines.join("\n"); stdin.write_all(data.as_bytes()) .map_err(|_| format_err!("Failed to write to stdin"))?; } let output = child.wait_with_output() .map_err(|_| format_err!("Failed to read stdout"))?; let output = crate::tools::command_output(output, None)?; Ok(output) }