On Jun 20, 2008, at 1:33 AM, John Hemming wrote:

> As far as I know, Bacula uses the hybrid encryption method, but it
> looks like Bacula encrypts every file with the certificate and not
> only the session key, or it uses a new session key for every file.
> I further noticed that the average rate went down on small files
> with 100% CPU power only on one core, and up on big files

For a given backup job, the same symmetric key is used for all files.
It's encrypted & encoded once for all PKE recipients, and then stored
alongside every backed up file. In other words, you're only paying
for the RSA encryption of the session key once per backup.

The overhead is in file signing. If 'PKI Signatures' is enabled, a
SHA-2 or SHA-256 (requires OpenSSL support) hash is generated, and RSA
signed. This accounts for the vast majority of the encryption
processing time.

This is why you see lower performance on lots of small files, and
higher performance on large files -- the high per-file cost is fixed.

I can see two implementation possibilities for improving performance:

- Use HMAC. This effectively makes the backup forgeable by any entity
who can read the session keys, but this may not be an issue in your
environment.
- Batch signatures, signing multiple files at once. This is very
difficult to achieve in Bacula, as it's expected that all components of
a file streams will be stored in neighboring streams (i.e., next to each
other in the backup stream).

There's an additional option if you don't require client-side
encryption -- implement encryption in the storage daemon, using
batched multi-block signing. I wrote up most of the work necessary to
do that here:
http://www.mail-archive.com/bacula-users@lists.sourceforge.net/msg28860.html

Of course, it's also possible to turn PKI Signatures off as a
workaround, but I wouldn't recommend it.

-landonf
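
The per-file, batched and HMAC options discussed in the message above, as an added example that is not part of the original message and is not Bacula's code. Assumptions: a toy textbook RSA key built from two Mersenne primes stands in for the real OpenSSL RSA signing operation, the manifest layout is hypothetical rather than Bacula's stream format, and all function names are made up for illustration.

```python
import hashlib, hmac

# Toy textbook RSA key from two Mersenne primes (constructed for this example;
# no padding, not secure). It stands in for the real RSA signing operation.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
OPS = {"sign": 0}  # private-key operations performed: the fixed per-signature cost

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(data: bytes) -> int:
    OPS["sign"] += 1
    return pow(_h(data), D, N)

def rsa_verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _h(data)

def sign_per_file(files: dict) -> dict:
    """One signature per file: N files cost N private-key operations."""
    return {name: rsa_sign(body) for name, body in files.items()}

def manifest(files: dict) -> bytes:
    """Fixed-width entries, sha256(name) || sha256(body), sorted by name."""
    return b"".join(hashlib.sha256(n.encode()).digest() + hashlib.sha256(b).digest()
                    for n, b in sorted(files.items()))

def sign_batch(files: dict):
    """Batch option: one private-key operation covers every file in the batch."""
    m = manifest(files)
    return m, rsa_sign(m)

def verify_batch(files: dict, m: bytes, sig: int) -> bool:
    # Needs the whole batch: the signature covers the manifest, not single files.
    return rsa_verify(m, sig) and manifest(files) == m

def hmac_tag(session_key: bytes, body: bytes) -> bytes:
    """HMAC option: no private-key operation, keyed only by the session key."""
    return hmac.new(session_key, body, hashlib.sha256).digest()

def hmac_verify(session_key: bytes, body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(session_key, body), tag)

if __name__ == "__main__":
    files = {f"f{i}": bytes([i]) * 64 for i in range(100)}  # constructed sample
    sign_per_file(files); per_file = OPS["sign"]
    OPS["sign"] = 0; sign_batch(files)
    print("per-file signing ops:", per_file, "batched:", OPS["sign"])
```

Any holder of the session key can compute `hmac_tag` over altered content and `hmac_verify` will accept it, which is the forgeability trade-off the message attaches to the HMAC option; the batched signature avoids that but can only be checked against the whole batch.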