Re: new feature: client-side, server-side encryption dumptype option
2005-12-19 10:10:28
In 2.4, there is a "kencrypt" option that uses Kerberos to negotiate a
session key and encrypts the dumps from the client to the server.
They are then in the clear on the holding disk and tape. This
protects against eavesdroppers on the wire, but not someone who can
get the tapes. At the same time, it doesn't threaten the availability
of backups at all, since there is no long-term key management problem.

It would be nice to use the word 'encrypt' and variations like
kencrypt to mean only transport-level encryption, and use some other
word for applying encryption to dumps at a client that is expected to
end up on the tape. While using similar mechanisms, these are very
different concepts with very different consequences.
--
Greg Troxel <gdt AT ir.bbn DOT com>