This is in response to the following post, although I've only just subscribed:
http://marc.info/?l=bacula-users&m=121409425617977
Landon fuller wrote:
> The overhead is in file signing. If 'PKI Signatures' is enabled, a
> SHA-2 or SHA-256 (requires OpenSSL support) hash is generated, and RSA
> signed. This accounts for the vast majority of the encryption
> processing time.
> Of course, it's also possible to turn PKI Signatures off as a
> workaround, but I wouldn't recommend it.
Looking at the sources (src/filed/filed.c), it appears that enabling
PKI Encryption forces PKI Signing on as well. You can have signing
without encryption, but not the other way around.
We are having this problem; when backing up *lots* of small files
(millions) with encryption and signing on, the backup rate drops
drastically. It's the difference between backing up in 1 day vs. 5
days. This is all with spooling on, and with compression on the
client, BTW.
It would be nice to have another, faster integrity option (like the
HMAC previously discussed), or at least be able to disable signing
while keeping encryption on (unless that defeats the security of the
encryption). We aren't worried about transferring the tapes and
checking the authenticity of the files, we mainly want them unusable
if they fall into other hands. We may be switching to tape devices
that do their own encryption, but bacula encryption is easy to
configure and more flexible.
Here are some (abbreviated) speed benchmarks for this setup:
$ openssl speed sha1
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 11436.35k 37661.05k 100693.76k 173712.04k 222157.14k
$ openssl speed hmac
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
hmac(md5) 18062.07k 57057.09k 151298.82k 259914.75k 328542.75k
$ openssl speed rsa1024
sign verify sign/s verify/s
rsa 1024 bits 0.003307s 0.000149s 302.4 6712.7
$ openssl speed rsa2048
sign verify sign/s verify/s
rsa 2048 bits 0.017241s 0.000442s 58.0 2264.6
$ openssl speed rsa4096
sign verify sign/s verify/s
rsa 4096 bits 0.102347s 0.001484s 9.8 673.7
-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
|