Cedric Tefft wrote:
> Markus Falb wrote:
>> Eric Böse-Wolf wrote:
>>
>>> Vladimir Doisan <vdoi...@giantmarkets.com> writes:
>>>
>>>> If you turn TLS and file encryption - the data will be double
>>>> encrypted
>>>
>>> If I only turn on file encryption, then the data goes encrypted over
>>> the wire or the air, but what is not encrypted?
>>>
>>> For example what's with the connection cookie the director presents the
>>> [FS]D (don't know exactly)?
>>
>> Same Question here! In other words: If I do Data Encryption, is it
>> safe to avoid the double encryption by disabling TLS for File Daemon
>> to Storage Daemon Network Communication?
>
> As I understand it, "data encryption" (as the manual uses the term)
> means the FD encrypts the CONTENTS of every file before it's sent to
> the SD. The SD then stores each file to the backup media as-is (in
> its encrypted form). No decryption (or encryption for that matter) is
> done by the SD. File metadata (filename, path, size, permissions,
> etc.) are not encrypted, nor are any other aspects of the
> communication between the FD and SD (commands, negotiation, etc.).
>
> "TLS encryption" refers to encryption of the communication channel
> between the various daemons -- in this case, we're concerned with the
> communication channel between the SD and FD. With "TLS encryption"
> the FD encrypts everything it sends to the SD (file contents,
> metadata, commands, etc.), but unlike "data encryption" the SD
> decrypts everything at the other end. If you are not also using "data
> encryption" your files get written to the backup media UNencrypted.
>
> So the answer to your question depends on which pieces of your backup
> scheme you consider to be insecure. If you're worried about someone
> getting hold of your backup media, you need "data encryption". If
> you're worried about someone eavesdropping on communications between
> the FD and SD, you need "TLS encryption". And obviously, if you're
> worried about both, you need both.

Actually, now that I re-read it, I realize that last bit was a little misleading, so I'll try to clarify:
If you're using "data encryption" ONLY (i.e. not in conjunction with TLS encryption), anyone who can eavesdrop on the communication between your SD and FD will NOT have access to the unencrypted contents of your files. However, he WILL have access to the names of those files as well as size, permissions, timestamp, etc. If that doesn't concern you, "data encryption" alone might be what you want, although I'd recommend you think very carefully before going that route. A sophisticated hacker could potentially use the unencrypted metadata as the basis of an attack.

- Cedric
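
As an added illustration (not part of the original thread), the two layers discussed above map to separate directive groups in Bacula's configuration files. All resource names and file paths below are placeholders; the directive names are those documented in the Bacula manual's data encryption and TLS chapters.

```conf
# bacula-fd.conf (on the client). Constructed example; names/paths are placeholders.
FileDaemon {
  Name = client1-fd
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run

  # Layer 1, "data encryption": the FD encrypts file CONTENTS before sending.
  # The SD stores them as received, so the backup media holds ciphertext.
  # File names, paths, sizes, permissions and FD<->SD commands are NOT covered.
  PKI Signatures = Yes
  PKI Encryption = Yes
  PKI Keypair = "/etc/bacula/client1-fd.pem"   # this client's certificate and private key
  PKI Master Key = "/etc/bacula/master.cert"   # master PUBLIC key only, for recovery

  # Layer 2, "TLS encryption": protects the whole FD<->SD channel in transit
  # (contents, metadata, commands). The SD decrypts on arrival, so TLS alone
  # leaves the data on the backup media unencrypted.
  TLS Enable = yes
  TLS Require = yes                            # refuse to fall back to cleartext
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/client1-fd.cert.pem
  TLS Key = /etc/bacula/tls/client1-fd.key.pem
}

# bacula-sd.conf (on the storage server). Only the TLS layer appears here,
# because the SD never encrypts or decrypts file contents itself.
Storage {
  Name = backup1-sd
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run

  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/backup1-sd.cert.pem
  TLS Key = /etc/bacula/tls/backup1-sd.key.pem
}
```

Dropping the TLS block from both files yields the "data encryption only" setup described in the thread: volume contents stay encrypted, while file metadata and daemon commands cross the network in clear.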