From 1629b483e2fc65920bb3dae54b1f124ff7c3f11c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Tue, 16 Aug 2022 13:52:38 +0200
Subject: [PATCH] vzdump/pbs: die with missing, but configured master key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

the created backups are encrypted, but are not restorable with the
master key in case the original PVE system is lost.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 PVE/VZDump/QemuServer.pm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/PVE/VZDump/QemuServer.pm b/PVE/VZDump/QemuServer.pm
index 0738051d..202e53dd 100644
--- a/PVE/VZDump/QemuServer.pm
+++ b/PVE/VZDump/QemuServer.pm
@@ -554,9 +554,13 @@ sub archive_pbs {
 	    $self->loginfo("enabling encryption");
 	    $params->{keyfile} = $keyfile;
 	    $params->{encrypt} = JSON::true;
-	    if (defined($master_keyfile) && -e $master_keyfile) {
-		$self->loginfo("enabling master key feature");
-		$params->{"master-keyfile"} = $master_keyfile;
+	    if (defined($master_keyfile)) {
+		if (-e $master_keyfile) {
+		    $self->loginfo("enabling master key feature");
+		    $params->{"master-keyfile"} = $master_keyfile;
+		} elsif ($scfg->{'master-pubkey'}) {
+		    die "master public key configured but no key file found\n";
+		}
 	    }
 	} else {
 	    my $encryption_fp = $scfg->{'encryption-key'};