tape encryption, some metadata in the clear?

[guerby]

Hi,

Continuing testing of Dell TL4000 tape library with PBS 3.1.2 :

- I made a few tape backup with an encryption key.
- I removed all the files in /var/lib/proxmox-backup/tape/ (inventory.json and the UUID.log and .index)
- I removed the media pool and encryption key
- (the two step above are for simulating a total loss of PBS configuration while still having the tapes)
- I ran an "inventory" from the changer
- I imported the encryption key from one tape and gave the password when asked
- I restored a few vm from the tapes successfully

I noted that after running the inventory and before I gave the password I could get a list of snapshots like "vm/287/2023-01-07T08:18:34" and the media pool name.

Still before I gave the password restoring failed because of encryption, as expected.

If I'm not mistaken it means some metadata is in clear on the tape and not encrypted, am I right?

I assume the "catalog" from a tape is unencrypted and cached in /var/lib/proxmox-backup/tape/UUID.log, is there a documentation of what is stored there?

Thanks!

 

[dcsapak]

Hi,

sorry for the late answer, but just FYI, this has not been forgotten and I'm looking into this closer

 

[guerby]

Hi,

sorry for the late answer, but just FYI, this has not been forgotten and I'm looking into this closer

Thanks!

 

[guerby]

Hi,

sorry for the late answer, but just FYI, this has not been forgotten and I'm looking into this closer

Hi,

A little ping on this topic.

I can open a bugzilla or a proxmox ticket if this helps (we have basic support on two of our PBS servers but not on the tape test server though), let me know.

Thanks!