>>>>> On Wed, 14 Aug 2019 15:40:29 +0200, Radosław Korzeniewski said: > > > Hello, > > śr., 14 sie 2019 o 13:41 Josh Fisher <jfis...@pvct.com> napisał(a): > > > > > On 8/14/2019 6:22 AM, Radosław Korzeniewski wrote: > > > > Hello, > > > > niedz., 11 sie 2019 o 14:35 Lauri Kiiski <lauri.kii...@iki.fi> napisał(a): > > > > > >> > >> - Encrypt disks on the machines having these components: File Daemon, > >> Director, Catalog, Storage Daemon, Physical Media > >> > > > > Eeeee, I do not understand. What do you want to keep secret? > > > > Did you know that a double encryption does not increase the security level? > > > > > > > > That is a bit inaccurate. It is equivalent to increasing the key size by > > one bit. It has been used before, as in the case of 3DES (triple DES). DES > > used a 56-bit key and eventually could be broken by brute force on a simple > > PC, so as a stop-gap they applied the same 56-bit key algorithm tree times, > > so increased the effective key size from 2^56 to 2^58. So it generally > > isn't worth it, but it does increase security a little bit. > > > OK, it increases security a little bit. :) > It is a very small amount, so it could be safely ignored. :) > > > I think, though, that Lauri is referring to encrypt the metadata that is > > stored unencrypted in a disk volume by somehow encrypting the whole disk. > > > This is a main point! When he encrypt the whole filesystem then it is > useless (and time consuming) to double encrypt backup data with Bacula.
Doesn't that depend on the relative secrecy of the data v.s. the metadata? If the data is much more secret then it might be worthwhile to encrypt it (on the client) in case the SD's filesystem can be read while the disk is mounted (i.e. when it is not protected by the encrypted filesystem). __Martin _______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
