Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Bacula-users] Performance problem with baculas encryption system

2008-06-21 20:24:13
Subject: Re: [Bacula-users] Performance problem with baculas encryption system
From: Landon Fuller <landonf AT bikemonkey DOT org>
To: John Hemming <johnhemming1 AT googlemail DOT com>
Date: Sat, 21 Jun 2008 17:23:58 -0700 

On Jun 20, 2008, at 1:33 AM, John Hemming wrote:
As far as I know, Bacula uses the hybrid encryption method, but it looks like Bacula encrypts every file with the certificate and not only the session key, or it uses a new session key for every file. I further noticed that the average rate went down on small files with 100% CPU power only on one core, and up on big files
For a given backup job, the same symmetric key is used for all files. It's encrypted & encoded once for all PKE recipients, and then stored along-side every backed up file. In other words, you're only paying for the RSA encryption of the session key once per backup.
The overhead is in file signing. If 'PKI Signatures' is enabled, a SHA-2 or SHA-256 (requires OpenSSL support) hash is generated, and RSA signed. This accounts for the vast majority of the encryption processing time.
This is why you see lower performance on lots of small files, and higher performance on large files -- the high per-file cost is fixed. 

I can see two implementation possibilities for improving performance:
- Use HMAC. This effectively makes the backup forgeable by any entity who can read the session keys, but this may not be an issue in your environment. - Batch signatures, signing multiple files at once. This is very difficult to achieve in Bacula, as its expected that all components of a file streams will be stored in neighboring streams (ie, next to each other in the backup stream).
There's an additional option if you don't require client-side encryption -- implement encryption in the storage daemon, using batched multi-block signing. I wrote up most of the work necessary to do that here: 
        http://www.mail-archive.com/bacula-users AT lists.sourceforge DOT 
net/msg28860.html
Of course, it's also possible to turn PKI Signatures off as a workaround, but I wouldn't recommend it. 

-landonf

Attachment: PGP.sig
Description: This is a digitally signed message part

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Bacula-users] Using bextract of windows backup without portable=yes, Arno Lehmann
Next by Date:  Re: [Bacula-users] create volumes from autochanger slots, without label, Alan Brown
Previous by Thread:  [Bacula-users] Performance problem with baculas encryption system, John Hemming
Next by Thread:  Re: [Bacula-users] Performance problem with baculas encryption system, John Hemming
Indexes:  [Date] [Thread] [Top] [All Lists]