MatheMatrix · zstack-robot-2 · Jun 14, 2026
diff --git a/plugin/ceph/src/main/java/org/zstack/storage/ceph/primary/CephPrimaryStorageBase.java b/plugin/ceph/src/main/java/org/zstack/storage/ceph/primary/CephPrimaryStorageBase.java
@@ -463,6 +463,19 @@ public static class KVMHostLuksConvertCmd implements Serializable {
         public Long virtualSize;
     }
 
+    public static class KVMHostImageStoreEncryptedDownloadCmd implements Serializable {
+        public String psUuid;
+        public String hostname;
+        public String backupStorageInstallPath;
+        public String primaryStorageInstallPath;
+        public int concurrency;
+        public String keyProviderUuid;
+        public Integer keyVersion;
+        public String cipher;
+        @NoLogging
+        public String encryptedDek;
+    }
+
     public static class KVMHostEncryptInPlaceCmd implements Serializable {
         public String psUuid;
         @NoLogging
@@ -1420,6 +1433,7 @@ public int compareTo(SnapInfo snapInfo) {
     public static final String KVM_HOST_LUKS_ENCRYPT_IN_PLACE_PATH = "/ceph/primarystorage/kvmhost/encryptinplace";
     public static final String KVM_HOST_LUKS_RESIZE_PATH = "/ceph/primarystorage/kvmhost/luksresize";
     public static final String KVM_HOST_LUKS_CONVERT_PATH = "/ceph/primarystorage/kvmhost/luksconvert";
+    public static final String KVM_HOST_IMAGESTORE_ENCRYPTED_DOWNLOAD_PATH = "/ceph/primarystorage/kvmhost/imagestore/encrypteddownload";
     public static final String FLATTEN_PATH = "/ceph/primarystorage/volume/flatten";
     public static final String SFTP_DOWNLOAD_PATH = "/ceph/primarystorage/sftpbackupstorage/download";
     public static final String SFTP_UPLOAD_PATH = "/ceph/primarystorage/sftpbackupstorage/upload";

diff --git a/storage/src/main/java/org/zstack/storage/encrypt/DummyVolumeEncryptedResourceKeyBackend.java b/storage/src/main/java/org/zstack/storage/encrypt/DummyVolumeEncryptedResourceKeyBackend.java
@@ -56,6 +56,11 @@ public boolean checkTemporarySnapshotImageKeyProviderAttached(String imageUuid)
         return false;
     }
 
+    @Override
+    public boolean checkBackupKeyProviderAttached(String backupUuid) {
+        return false;
+    }
+
     @Override
     public void copyVolumeKeyToSnapshot(String volumeUuid, String snapshotUuid) {
         logger.debug(String.format("ignore copy volume[uuid:%s] key to snapshot[uuid:%s]", volumeUuid, snapshotUuid));
@@ -86,6 +91,16 @@ public void copyVolumeKeyToBackup(String volumeUuid, String backupUuid) {
         logger.debug(String.format("ignore copy volume[uuid:%s] key to backup[uuid:%s]", volumeUuid, backupUuid));
     }
 
+    @Override
+    public void copyBackupKeyToTemporarySnapshotImage(String backupUuid, String imageUuid) {
+        logger.debug(String.format("ignore copy backup[uuid:%s] key to temporary snapshot image[uuid:%s]", backupUuid, imageUuid));
+    }
+
+    @Override
+    public void copyBackupKeyToVolume(String backupUuid, String volumeUuid) {
+        logger.debug(String.format("ignore copy backup[uuid:%s] key to volume[uuid:%s]", backupUuid, volumeUuid));
+    }
+
     @Override
     public String defaultKeyProviderUuid() {
         return null;

diff --git a/storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedInitialExtension.java b/storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedInitialExtension.java
@@ -80,6 +80,13 @@ private void inheritTemporaryRootVolumeKeyFromOrigin(InstantiateVolumeMsg msg, V
             return;
         }
 
+        // A backup or snapshot temporary image can already provide the target root
+        // volume key. Keep that key as the source of truth; falling back to the
+        // origin root would overwrite it or fail if the origin key binding is gone.
+        if (volumeEncryptedResourceKeyBackend.checkVolumeKeyProviderAttached(volume.getUuid())) {
+            return;
+        }
+
         String originVolumeUuid = ((InstantiateTemporaryRootVolumeMsg) msg).getOriginVolumeUuid();
         if (StringUtils.isBlank(originVolumeUuid)) {
             return;

diff --git a/storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedResourceKeyBackend.java b/storage/src/main/java/org/zstack/storage/encrypt/VolumeEncryptedResourceKeyBackend.java
@@ -40,6 +40,8 @@ public interface VolumeEncryptedResourceKeyBackend {
 
     boolean checkTemporarySnapshotImageKeyProviderAttached(String imageUuid);
 
+    boolean checkBackupKeyProviderAttached(String backupUuid);
+
     void copyVolumeKeyToSnapshot(String volumeUuid, String snapshotUuid);
 
     void copySnapshotKeyToVolume(String snapshotUuid, String volumeUuid);
@@ -52,6 +54,10 @@ public interface VolumeEncryptedResourceKeyBackend {
 
     void copyVolumeKeyToBackup(String volumeUuid, String backupUuid);
 
+    void copyBackupKeyToTemporarySnapshotImage(String backupUuid, String imageUuid);
+
+    void copyBackupKeyToVolume(String backupUuid, String volumeUuid);
+
     /**
      * Global default key provider uuid, or null (e.g. NONE / crypto not installed).
      */