proxmox-backup-client key create -> Read from file or stdin possible ?

[Denny Fuchs]

hi,

is it possible to read the passphrase from a file or from STDIN ?

If I try:

echo secret | proxmox-backup-client key create
or
echo secet | proxmox-backup-client key create -

it fails with:

Error: unable to read passphrase - no tty

cu denny

 

[Denny Fuchs]

hi,

because I have no idea to solve it .. I used a workaround with expect:

#!/bin/bash
# Workaround for input passphrase to proxmox-backup client
# Source: modules/profile/files/base

# Read the settings and passphrase
source  /root/.config/proxmox-backup/secrets

if [ -f /root/.config/proxmox-backup/encryption-key.json ]
then
  echo "Encryption key already exists"
  exit 0
else
  echo "Create proxmox client encryption key"
  /usr/bin/expect <<- DONE
spawn proxmox-backup-client key create
expect "Encryption Key Password:"
send ${PBS_ENCRYPTION_PASSWORD}\r
expect "Verify Password:"
send ${PBS_ENCRYPTION_PASSWORD}\r
expect eof
DONE

fi

The passphrase is inside /root/.config/proxmox-backup/secrets like:

#Managed by Puppet
export PBS_REPOSITORY='backup-client@pbs!backup-client@foo:store-01'
export PBS_PASSWORD="secrettoken"
export PBS_ENCRYPTION_PASSWORD="verystrongpassword"
export PBS_FINGERPRINT=".... 3e:97:87:28:ea:8b:54:92:f1:49:d0"

I need it for our Puppet.

cu denny

 

[dcsapak]

if you want to automate it, why use a key with a passphrase in the first place?

if you do 'proxmox-backup-client key create <path> --kdf none'
a key without passphrase will be generated, then you do not need to provide a passphrase

 

[Denny Fuchs]

hi @dcsapak ,

the question is: why not ? We can have for every node / backup a different passphrase, thanks to Puppet with Hiera + Eyaml. So it would be very nice, to make it possible, to submit a passphrase without stuff like expect.

Also ... maybe you don't want to use the master key .. to add this key to the backup ... than you don't want to store the encryption key, without a passphrase ...

cu denny