Bacula-users

Re: [Bacula-users] Encryption and hardware compression

2009-10-12 20:50:33
Subject: Re: [Bacula-users] Encryption and hardware compression
From: Cedric Tefft <logicloop AT gmail DOT com>
To: Markus Falb <markus.falb AT fasel DOT at>
Date: Mon, 12 Oct 2009 17:46:47 -0700
Markus Falb wrote:
> Eric Böse-Wolf wrote:
>
>   
>> Vladimir Doisan <vdoisan AT giantmarkets DOT com> writes:
>>
>>     
>>> If you turn TLS and file encryption - the data will be double encrypted
>>>       
>> If I only turn on file encryption, then the data goes encrypted over the
>> wire or the air, but what is not encrypted?
>>
>> For example what's with the connection cookie the director presents the
>> [FS]D (don't know exactly)?
>>     
>
> Same question here! In other words: if I do Data Encryption, is it safe 
> to avoid the double encryption by disabling TLS for File Daemon to 
> Storage Daemon Network Communication?
>
>   
As I understand it, "data encryption" (as the manual uses the term) 
means the FD encrypts the CONTENTS of every file before it's sent to the 
SD.  The SD then stores each file to the backup media as-is (in its 
encrypted form).  No decryption (or encryption for that matter) is done 
by the SD.  File metadata (filename, path, size, permissions, etc.) are 
not encrypted, nor are any other aspects of the communication between 
the FD and SD (commands, negotiation, etc.).

"TLS encryption" refers to encryption of the communication channel 
between the various daemons -- in this case, we're concerned with the 
communication channel between the SD and FD.  With "TLS encryption" the 
FD encrypts everything it sends to the SD (file contents, metadata, 
commands, etc.), but unlike "data encryption" the SD decrypts 
everything at the other end.  If you are not also using "data 
encryption" your files get written to the backup media UNencrypted.

So the answer to your question depends on which pieces of your backup 
scheme you consider to be insecure.  If you're worried about someone 
getting hold of your backup media, you need "data encryption".  If 
you're worried about someone eavesdropping on communications between the 
FD and SD, you need "TLS encryption".  And obviously, if you're worried 
about both, you need both.

- Cedric
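
The two mechanisms described in this reply map onto two separate groups of Bacula directives. The fragment below is an added illustration, not part of the original message or the Bacula project's own configuration; the resource names and all file paths are placeholders, and unrelated required directives are omitted.

```conf
# bacula-fd.conf (client side) -- names and paths are placeholders
FileDaemon {
  Name = client1-fd
  # ... other required directives omitted ...

  # "Data encryption": the FD encrypts file CONTENTS before sending.
  # The SD writes them to media as-is. Covers lost or stolen media.
  # File metadata (name, path, size, permissions) stays unencrypted.
  PKI Signatures = Yes
  PKI Encryption = Yes
  PKI Keypair    = "/etc/bacula/client1-fd.pem"   # client cert + private key
  PKI Master Key = "/etc/bacula/master.cert"      # public cert only, for recovery

  # "TLS encryption": protects the FD -> SD channel (contents, metadata,
  # commands). The SD decrypts on receipt, so this alone leaves the
  # backup media unencrypted.
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = "/etc/bacula/ca.pem"
  TLS Certificate = "/etc/bacula/client1-fd-tls.pem"
  TLS Key = "/etc/bacula/client1-fd-tls.key"
}

# bacula-sd.conf (storage side) -- TLS for incoming FD connections
Storage {
  Name = backup-sd
  # ... other required directives omitted ...
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = "/etc/bacula/ca.pem"
  TLS Certificate = "/etc/bacula/backup-sd-tls.pem"
  TLS Key = "/etc/bacula/backup-sd-tls.key"
}
```

Removing the PKI block leaves the media in cleartext; removing the TLS blocks leaves metadata and FD/SD commands readable on the wire, which is the trade-off the question is asking about.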

