On Jul 13, 2008, at 5:17 PM, Chad Netzer wrote:
> Looking at the sources (src/filed/filed.c), it appears that enabling
> PKI Encryption forces PKI Signing on as well. You can have signing
> without encryption, but not the other way around.

Ah. The signing will need to be a ternary (as opposed to binary)
configuration option -- Yes, No, Unset.
If unset and encryption is enabled, enable it -- if explicitly
disabled, leave it disabled.

> We are having this problem; when backing up *lots* of small files
> (millions) with encryption and signing on, the backup rate drops
> drastically. It's the difference between backing up in 1 day vs. 5
> days. This is all with spooling on, and with compression on the
> client, BTW.
>
> It would be nice to have another, faster integrity option (like the
> HMAC previously discussed), or at least be able to disable signing
> while keeping encryption on (unless that defeats the security of the
> encryption). We aren't worried about transferring the tapes and
> checking the authenticity of the files, we mainly want them unusable
> if they fall into other hands. We may be switching to tape devices
> that do their own encryption, but bacula encryption is easy to
> configure and more flexible.

Disabling signing will mean that the backups aren't "tamper-proof",
but it will decrease the runtime overhead tremendously, and requires
only a small patch.
Adding HMAC support would be a reasonably sized coding project, but is
probably the best solution for this particular use-case (short of
being able to sign multiple blocks of files in one go, which Bacula
can't really support).
-landonf
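
Added example, not part of the original message and not Bacula code: a sketch of the Yes/No/Unset rule described above applied to a hypothetical integrity setting, with a per-file HMAC-SHA256 tag as the cheaper integrity check the thread mentions. All function names, the sample files and the per-job key are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import os

CHUNK = 64 * 1024


def resolve_integrity(encryption, integrity=None):
    """Yes/No/Unset rule: None (unset) follows encryption, explicit wins."""
    return encryption if integrity is None else integrity


def file_tag(key, name, stream):
    """HMAC-SHA256 over the length-prefixed file name and the contents."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    encoded = name.encode("utf-8")
    # Length prefix keeps the name/content boundary unambiguous.
    mac.update(len(encoded).to_bytes(4, "big") + encoded)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        mac.update(chunk)
    return mac.digest()


def verify_file(key, name, stream, tag):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(file_tag(key, name, stream), tag)


def backup(files, key, encryption, integrity=None):
    """Return {name: tag}, or {} when the resolved setting is off."""
    if not resolve_integrity(encryption, integrity):
        return {}
    return {n: file_tag(key, n, io.BytesIO(d)) for n, d in files.items()}


# Constructed sample data standing in for a job with many small files.
SAMPLE_FILES = {"etc/hosts": b"127.0.0.1 localhost\n", "home/a/todo": b"x\n"}
JOB_KEY = os.urandom(32)  # hypothetical per-job MAC key

if __name__ == "__main__":
    tags = backup(SAMPLE_FILES, JOB_KEY, encryption=True)  # unset -> on
    for name, data in SAMPLE_FILES.items():
        ok = verify_file(JOB_KEY, name, io.BytesIO(data), tags[name])
        bad = verify_file(JOB_KEY, name, io.BytesIO(data + b"!"), tags[name])
        print(name, "intact:", ok, "tampered copy accepted:", bad)
    print("explicit No:", backup(SAMPLE_FILES, JOB_KEY, True, integrity=False))
```

An HMAC is symmetric: anyone who holds the key can also produce valid tags, so it detects modification by parties without the key but does not prove who wrote the data.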