Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Bacula-users] Performance problem with baculas encryption

2008-07-18 13:12:05
Subject: Re: [Bacula-users] Performance problem with baculas encryption
From: Landon Fuller <landonf AT bikemonkey DOT org>
To: Chad Netzer <chad.netzer AT gmail DOT com>
Date: Fri, 18 Jul 2008 10:11:55 -0700 

On Jul 13, 2008, at 5:17 PM, Chad Netzer wrote:


Looking at the sources (src/filed/filed.c), it appears that enabling
PKI Encryption forces PKI Signing on as well.  You can have signing
without encryption, but not the other way around.
Ah. The signing will need to be a ternary (as opposed to binary) configuration option -- Yes, No, Unset. If unset and encryption is enabled, enable it -- if explicitly disabled, leave it disabled. 


We are having this problem; when backing up *lots* of small files
(millions) with encryption and signing on, the backup rate drops
drastically.  It's the difference between backing up in 1 day vs. 5
days.  This is all with spooling on, and with compression on the
client, BTW.

It would be nice to have another, faster integrity option (like the
HMAC previously discussed), or at least be able to disable signing
while keeping encryption on (unless that defeats the security of the
encryption).  We aren't worried about transferring the tapes and
checking the authenticity of the files, we mainly want them unusable
if they fall into other hands.  We may be switching to tape devices
that do their own encryption, but bacula encryption is easy to
configure and more flexible.
Disabling signing will mean that the backups aren't "tamper-proof", but it will decrease the runtime overhead tremendously, and requires only a small patch.
Adding HMAC support would be a reasonably sized coding project, but is probably the best solution for this particular use-case (short of being able to sign multiple blocks of files in one go, which Bacula can't really support). 

-landonf

Attachment: PGP.sig
Description: This is a digitally signed message part

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Bacula-users] multidrive autochanger use, John Drescher
Next by Date:  [Bacula-users] restore failed - Medium Error?, Thomas Mueller
Previous by Thread:  Re: [Bacula-users] Performance problem with baculas encryption, Chad Netzer
Next by Thread:  [Bacula-users] Backuping MS SQL, Marek Simon
Indexes:  [Date] [Thread] [Top] [All Lists]