Bacula-users

Re: [Bacula-users] client-side data encryption without routine access to private key

2009-02-18 02:47:09
Subject: Re: [Bacula-users] client-side data encryption without routine access to private key
From: Tom Yates <madlists AT teaparty DOT net>
To: Landon Fuller <landonf AT bikemonkey DOT org>
Date: Wed, 18 Feb 2009 07:44:04 +0000 (GMT)
On Tue, 17 Feb 2009, Landon Fuller wrote:

> On Feb 17, 2009, at 8:48 AM, Martin Simmons wrote:
>
>> That sounds backwards to me.  Shouldn't the encrypter (backup) use the 
>> public key to keep the data safe?  Then only the decrypter (restore) 
>> can read the data, using the private key.
>
> Right. A symmetric session key is used for each backup run, which is 
> encrypted for all provided public keys and stored alongside the 
> encrypted data. This is how the "master" public key feature is 
> implemented.

Thanks to Martin and Landon both for confirming this.  I was aware of the 
existence of the session key, but stupidly skated over it in my original 
post.

>> The private key is needed during backup if you use PKI Signatures.
>
> Right. Currently, enabling PKI encryption also enables signing, but the 
> encryption implementation does not require this, and the private key is 
> not necessary for encrypting the backups.
>
> However -- if you disable signing, there is no other validation 
> mechanism. One could add HMAC support without too much effort, but you 
> lose non-repudiation of the backups, as any recipient that can verify 
> the HMAC may also generate a valid one.

I can live with that; data authentication isn't as important to me as 
encryption (i.e., I'm more worried that real data will get into the wrong 
hands than that wrong data will get into the real hands).

Would you know if I can disable signing in the configuration, or must I 
recompile; and if the latter, is it a config option or will I need to mess 
with the source myself?

Thanks to all who have tried to help me with this so far.


   Tom Yates
   Cambridge, UK.
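
The HMAC trade-off discussed in the quoted reply, as an added example that is not part of the original thread and is not Bacula code: a shared-key MAC detects modification, but the side that verifies it can produce equally valid tags. The key-derivation label, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os


def derive_mac_key(session_key: bytes) -> bytes:
    # Assumption: the MAC key is derived from the per-backup session key,
    # so whoever can unwrap the session key also obtains the MAC key.
    return hmac.new(session_key, b"example-mac-key", hashlib.sha256).digest()


def make_tag(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(make_tag(mac_key, data), tag)


def demo() -> dict:
    session_key = os.urandom(32)  # constructed per-backup session key
    client_key = derive_mac_key(session_key)
    block = b"constructed backup block, written by the backup client"
    client_tag = make_tag(client_key, block)

    # The restore side unwraps the same session key and derives the same key.
    restore_key = derive_mac_key(session_key)
    other_block = b"constructed block, written by the restore side"
    unrelated_key = derive_mac_key(os.urandom(32))

    return {
        # Integrity: the genuine block verifies.
        "genuine_verifies": verify_tag(restore_key, block, client_tag),
        # Integrity: changed data or a different key is rejected.
        "changed_data_rejected": not verify_tag(restore_key, other_block, client_tag),
        "wrong_key_rejected": not verify_tag(unrelated_key, block, client_tag),
        # No non-repudiation: a tag made by the verifying side passes the
        # same check, so a third party cannot tell which side produced it.
        "verifier_tag_verifies": verify_tag(
            client_key, other_block, make_tag(restore_key, other_block)
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A signature made with the client's private key differs on the last line only: the verifier holds just the public key and cannot create a tag that verifies.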

