[Box Backup] Unencrypted storage?

Ben Summers boxbackup@fluffy.co.uk
Sun, 5 Dec 2004 13:38:25 +0000

On 4 Dec 2004, at 18:50, Joris wrote:

> Garry Glendown wrote:
>> Joris wrote:
>>> But I can picture a situation where it may mean having to encrypt a 
>>> couple of terrabyte to begin with, and then requiring a backup 
>>> server that's 10 times more powerfull just to be able to handle the 
>>> encryption. All this while the old backup solution's (physical?) 
>>> enviroment provided the neccesairry data confidentiality.
>> Maybe I have misunderstood something here, but Box Backup does NOT 
>> encrypt on the server, but on the client, therefore the server should 
>> have less load than with a centralized encryption ... also, you don't 
>> have to trust the server's (or server operator's) confidentiality, 
>> which may be an issue! (just was at a customer yesterday, where they 
>> put a directory on the Linux box w/ SMB share just for two people, 
>> because they need a local admin that can take care of the Windows box 
>> - but they couldn't keep files from him ... problem was, if he has 
>> access to the local backup of the Linux box, he might be able to 
>> restore the files to a directory he might have access to on user 
>> level ...)
> The place where the encryption happens does not change the fact that 
> it requires extra cpupower, but I indeed somehow got the wrong model 
> in mind while writing the above.

For the archives: Encryption takes place on the client.

(Encrypting on the server would be a very silly thing to do, as it mean 
you have to trust the server. Box Backup requires a server trusted only 
to keep the data safe and obey the protocol.)

> I think my arguments for a encryptionless option are still valid.

If you don't want encryption, then there are other good open source 
projects to consider. Encryption will never be an option in Box Backup:

1) The overhead of symmetric encryption is not great. AES encrypts at 
many Mb per second on modern hardware.

2) I don't want to introduce a second code path in such a critical 
area. Testing would be difficult.

3) I don't want users to be able to turn off encryption, just in case 
they do it by mistake.

On the other hand, I can see that you might not want to bother 
encrypting the link between the server. I have added an entry to my 
feature request list to turn off SSL after the initial authentication, 
for use on local networks.