Re: [Bacula-users] Copy SD to SD with data encryption

2014-06-09 09:08:29
From: Josh Fisher <jfisher AT pvct DOT com>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 09 Jun 2014 09:04:42 -0400

On 6/9/2014 6:53 AM, Josip Deanovic wrote:
> Quoting message written on Monday 2014-06-09 12:26:45:
>> Hello Josip,
>>
>> I am not sure it is possible to implement what you want.  The PKI
>> encryption is Client based, thus unless the real (or original) Client
>> (FD) is involved, it is impossible to perform or change data encryption
>> in any way.  SD->SD transfers are only Copy and Migration jobs and not
>> original backups involving the Client, so there is no way the SD can do
>> anything with data encryption other than reading the data and either
>> sending it unmodified to an FD or writing it on some Volume.
>>
>> Best regards,
>> Kern
> Hi Kern, thank you for your response.
>
> Considering the complexity of the task required to achieve my goal
> I have decided to create a workaround for this problem using an
> encrypted network block device presented through an encrypted tunnel.

These are two different things. If you only want to encrypt the data 
transmission on the wire, then a tunnel can be used and there is no need 
to use Bacula's PKI encryption. If you want the data encrypted on the 
storage media, then you must use Bacula's PKI encryption and there is 
little/no need for a tunnel.

The only place I suppose SD-SD encryption would be useful is when the 
client sends plaintext to one SD, then that SD encrypts when copying to 
a second SD. But that will not work as expected. The second SD does not 
have the first SD's private key and therefore cannot decrypt in order to 
restore plaintext to the client. The client could only restore from the 
first SD. The only way this can work is if there is a single private key 
that all SDs use, and if you think on it, that negates the need for 
SD-SD encryption.

If all SDs have the same key, then why not just have the first SD 
encrypt the client's data in the first place? This then amounts to 
server-side PKI, as opposed to client-side PKI. I see no reason both 
could not coexist, but server-side PKI cannot be as safe as client-side 
PKI.
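
The two kinds of protection distinguished in this message, shown side by side in a client's `bacula-fd.conf`. This is an added example, not part of the original post: the resource name and all file paths are hypothetical, and Bacula's own TLS directives stand in here for the external tunnel discussed in the thread.

```conf
# bacula-fd.conf on the client (constructed example; names and paths are hypothetical)
FileDaemon {
  Name = client1-fd
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run

  # --- Encryption on the storage media (client-side PKI) ---
  # File data is encrypted by the FD before it leaves the client, so every SD
  # that later holds it, including the target of a Copy or Migration job,
  # only reads and writes the data unmodified and never needs a key.
  PKI Signatures = Yes
  PKI Encryption = Yes
  PKI Keypair = "/etc/bacula/client1-fd.pem"   # client's private key and certificate
  PKI Master Key = "/etc/bacula/master.cert"   # public certificate only, for recovery

  # --- Encryption on the wire only ---
  # Protects the FD-to-SD connection in transit. The SD writes whatever it
  # receives to the Volume as-is, so with the PKI block above removed the
  # Volume holds plaintext even though the transfer was encrypted.
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/ca.pem
  TLS Certificate = /etc/bacula/client1-fd.crt
  TLS Key = /etc/bacula/client1-fd.key
}
```

With the PKI block in place, a restore from either SD works only on a client that holds the keypair (or with the master key), which is why the SDs themselves need no private key.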

