mirror of
https://github.com/zrepl/zrepl.git
synced 2024-11-27 02:45:20 +01:00
WIP: fix encrypt-on-recv
fixes https://github.com/zrepl/zrepl/issues/504
This commit is contained in:
parent
bcfcd7a134
commit
6ccaf3b902
@ -90,6 +90,40 @@ func ZFSCreatePlaceholderFilesystem(ctx context.Context, fs *DatasetPath, parent
|
|||||||
"-o", fmt.Sprintf("%s=%s", PlaceholderPropertyName, placeholderPropertyOn),
|
"-o", fmt.Sprintf("%s=%s", PlaceholderPropertyName, placeholderPropertyOn),
|
||||||
"-o", "mountpoint=none",
|
"-o", "mountpoint=none",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// xxx handle encryption not supported
|
||||||
|
props, err := zfsGet(ctx, parent.ToString(), []string{"keystatus"}, SourceAny)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrap(err, "cannot determine key status")
|
||||||
|
}
|
||||||
|
keystatus := props.Get("keystatus") // xxx ability to distringuish `-` from ``
|
||||||
|
if keystatus == "" {
|
||||||
|
// parent is unencrypted => placeholder inherits encryption
|
||||||
|
} else if keystatus == "available" {
|
||||||
|
// parent is encrypted but since the key is loaded we can create an encrypted placeholder dataset
|
||||||
|
// without `-o encryption=off`
|
||||||
|
} else if keystatus == "unavailable" {
|
||||||
|
// parent is encrypted but keys are not loaded, either because
|
||||||
|
// 1) it's a send-encrypted dataset, or because
|
||||||
|
// 2) the user forgot to zfs load-key the root_fs or above
|
||||||
|
// In both cases we can't create an encrypted placeholder dataset.
|
||||||
|
// In case 1), we want to create an unencrypted placeholder through `-o encryption=off`.
|
||||||
|
// In case 2), `-o encryption=off` is harmful security-wise because it breaks the encrypt-on-receiver use case (https://github.com/zrepl/zrepl/issues/504)
|
||||||
|
// I.e., all children of the placeholder won't be encrypted because they inherit encryption=off
|
||||||
|
//
|
||||||
|
// => we could attempt to distinguish the cases by being more context sensitive
|
||||||
|
// (i.e., check whether the encryption root is root_fs or a parent thereof)
|
||||||
|
// However, that's always going to be imprecise, and a wrong decision there is harmful security-wise.
|
||||||
|
//
|
||||||
|
// => thus the safe choice is to never use `-o encryption=off` by default
|
||||||
|
// only if we know for sure that the stream is encrypted should we create placeholders with `-o encryption=off`
|
||||||
|
// => this knowledge can be achieved through one of the following means:
|
||||||
|
// a) have the sender indicate it to us in the RPC request (it's ok to trust them in this particular case since lying only hurts _their_ data's confidentiality)
|
||||||
|
// b) have the user acknowledge it in the receiver config
|
||||||
|
} else {
|
||||||
|
return errors.Errorf("unknown keystatus value %q for dataset %q", keystatus, parent.ToString())
|
||||||
|
}
|
||||||
|
|
||||||
if parentEncrypted, err := ZFSGetEncryptionEnabled(ctx, parent.ToString()); err != nil {
|
if parentEncrypted, err := ZFSGetEncryptionEnabled(ctx, parent.ToString()); err != nil {
|
||||||
return errors.Wrap(err, "cannot determine encryption support")
|
return errors.Wrap(err, "cannot determine encryption support")
|
||||||
} else if parentEncrypted {
|
} else if parentEncrypted {
|
||||||
|
Loading…
Reference in New Issue
Block a user