Bacula-users

Re: [Bacula-users] Performance problem with baculas encryption

2008-07-13 20:17:47
From: "Chad Netzer" <chad.netzer AT gmail DOT com>
To: bacula-users AT lists.sourceforge DOT net
Date: Sun, 13 Jul 2008 17:17:38 -0700
This is in response to the following post, although I've only just subscribed:
http://marc.info/?l=bacula-users&m=121409425617977

Landon Fuller wrote:
> The overhead is in file signing. If 'PKI Signatures' is enabled, a
> SHA-2 or SHA-256 (requires OpenSSL support) hash is generated, and RSA
> signed. This accounts for the vast majority of the encryption
> processing time.

> Of course, it's also possible to turn PKI Signatures off as a
> workaround, but I wouldn't recommend it.


Looking at the sources (src/filed/filed.c), it appears that enabling
PKI Encryption forces PKI Signing on as well.  You can have signing
without encryption, but not the other way around.

We are having this problem; when backing up *lots* of small files
(millions) with encryption and signing on, the backup rate drops
drastically.  It's the difference between backing up in 1 day vs. 5
days.  This is all with spooling on, and with compression on the
client, BTW.

It would be nice to have another, faster integrity option (like the
HMAC previously discussed), or at least be able to disable signing
while keeping encryption on (unless that defeats the security of the
encryption).  We aren't worried about transferring the tapes and
checking the authenticity of the files, we mainly want them unusable
if they fall into other hands.  We may be switching to tape devices
that do their own encryption, but bacula encryption is easy to
configure and more flexible.

Here are some (abbreviated) speed benchmarks for this setup:

$ openssl speed sha1
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1             11436.35k    37661.05k   100693.76k   173712.04k   222157.14k

$ openssl speed hmac
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
hmac(md5)        18062.07k    57057.09k   151298.82k   259914.75k   328542.75k

$ openssl speed rsa1024
                  sign    verify    sign/s verify/s
rsa 1024 bits 0.003307s 0.000149s    302.4   6712.7

$ openssl speed rsa2048
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.017241s 0.000442s     58.0   2264.6

$ openssl speed rsa4096
                  sign    verify    sign/s verify/s
rsa 4096 bits 0.102347s 0.001484s      9.8    673.7
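
A rough model built on the figures above, as an added example that is not part of the original post: it parses the quoted `openssl speed` output and estimates the CPU time spent on integrity protection alone, assuming one RSA signature per file as the quoted explanation describes. The workload (2 million files of 4 KiB each), the function names and the use of the 8192-byte throughput column are assumptions of this example.

```python
import re

# Figures copied from the `openssl speed` runs quoted in the post.
SPEED_OUTPUT = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha1             11436.35k    37661.05k   100693.76k   173712.04k   222157.14k
hmac(md5)        18062.07k    57057.09k   151298.82k   259914.75k   328542.75k
                  sign    verify    sign/s verify/s
rsa 1024 bits 0.003307s 0.000149s    302.4   6712.7
rsa 2048 bits 0.017241s 0.000442s     58.0   2264.6
rsa 4096 bits 0.102347s 0.001484s      9.8    673.7
"""

def parse_speed(text):
    """Return ({digest: bytes/s at 8192-byte blocks}, {rsa_bits: seconds per sign})."""
    digests, rsa = {}, {}
    for line in text.splitlines():
        m = re.match(r"rsa\s+(\d+) bits\s+([\d.]+)s", line)
        if m:
            rsa[int(m.group(1))] = float(m.group(2))
            continue
        m = re.match(r"(\S+)\s+((?:[\d.]+k\s*){5})$", line)
        if m:  # header rows do not match: their columns lack the 'k' suffix
            digests[m.group(1)] = float(m.group(2).split()[-1].rstrip("k")) * 1000
    return digests, rsa

def integrity_cpu_seconds(n_files, avg_size, digest_rate, sign_time=0.0):
    """Hash every byte, plus one RSA signature per file (assumed model)."""
    return n_files * (avg_size / digest_rate + sign_time)

def compare(n_files, avg_size, text=SPEED_OUTPUT):
    """Estimated seconds per integrity scheme for the given workload."""
    digests, rsa = parse_speed(text)
    rows = {
        f"sha1+rsa{bits}": integrity_cpu_seconds(n_files, avg_size, digests["sha1"], t)
        for bits, t in sorted(rsa.items())
    }
    rows["hmac(md5) only"] = integrity_cpu_seconds(n_files, avg_size, digests["hmac(md5)"])
    return rows

if __name__ == "__main__":
    # Constructed workload: 2 million files of 4 KiB each.
    for name, secs in compare(2_000_000, 4096).items():
        print(f"{name:16s} {secs / 3600:8.2f} h")
```

The model ignores encryption, compression and I/O, so it only shows how the fixed per-file signing cost compares with hashing when files are small.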
