Backup Speed with Encryption


Benji Philpott

Aug 1, 2022, 10:45:48 AM
to bareos-users
Hi,

I am using BareOS 21 and one client, we have an image server, meaning lots of small files.  It is a Windows server and I am backing up the files. When I perform a full backup with encryption it takes approx 31 hours (approx 220GB of data in 5.8 million files).  However, if I do not use encryption it takes about 15-16 hours to complete.

I have this in my config on the FD on the client server:
  PKI Signatures = Yes
  PKI Encryption = Yes
  PKI Keypair    = "C:/ProgramData/Bareos/bareos-fd.d/keys/serverclient-fd.pem"
  PKI Master Key = "C:/ProgramData/Bareos/bareos-fd.d/keys/master.pub.key"
  PKI Cipher     = aes256

For my servers with larger files, there is not much difference in backup times. I prefer to use encryption, of course, but this one server really slows down my backup and makes updates/reboots difficult so I don't interrupt the backups. Is there anything I can do to increase the speed of my backup while still employing encryption?

Bruno Friedmann

Aug 2, 2022, 3:26:12 AM
to bareos-users
Did you check if this virtual machine can handle AES natively (by passing the CPU component from the host to the VM)? Maybe this can help.

Benji Philpott

Aug 2, 2022, 9:12:43 AM
to bareos-users
Hi, thank you for the reply.  

This one is actually a physical server, so I would assume the Xeon should handle aes natively, but that is something to look into.

On Tuesday, August 2, 2022 at 2:26:12 AM UTC-5 Bruno Friedmann wrote:
Did you check if this virtual machine can handle AES natively (by passing the CPU component from the host to the VM)? Maybe this can help.

Andreas Rogge

Sep 19, 2022, 4:20:18 AM
to bareos...@googlegroups.com
Hi,

I understand I'm somewhat late to the party, but when I hear performance
issue in combination with Windows and small files I have to ask: do you
have a virus scanner installed on that machine? Does it check every file
when the FD looks at them?

Best Regards,
Andreas
--
Andreas Rogge andrea...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221-630693-86
http://www.bareos.com

Registered office: Köln | Register court: Amtsgericht Köln, HRA 29646
General partner: Bareos Verwaltungs-GmbH
Managing directors: S. Dühr, M. Außendorf, J. Steffens, Philipp Storz

Benji Philpott

Sep 19, 2022, 9:52:35 AM
to bareos-users
I do have AV and I'm sure it is scanning all activity. I think I did exempt the AV software. I eventually just had to make that server's backups unencrypted and encrypt everything else.

Markus Baumann

Apr 17, 2026, 4:46:55 AM
to bareos-users
Hi all,

I am pretty new to Bareos and I am trying to set up tape backup on a test machine.
I have the tape changer running and backup from Windows and Linux servers working.
Now I want to have the files encrypted on the tape.

According to the documentation I tried it with the local FD, but as soon as I put some config parameter related to the encryption into my config file, I get the following error:
Apr 17 10:39:15 bareos bareos-dir[1302]: bareos-dir: CONFIG ERROR at lib/parse_conf_state_machine.cc:162
Apr 17 10:39:15 bareos bareos-dir[1302]: Config error: Keyword "PKIKeypair" not permitted in this resource.
Apr 17 10:39:15 bareos bareos-dir[1302]: Perhaps you left the trailing brace off of the previous resource.
Apr 17 10:39:15 bareos bareos-dir[1302]:             : line 9, col 18 of file /etc/bareos/bareos-dir.d/client/bareos-fd.conf
Apr 17 10:39:15 bareos bareos-dir[1302]:    PKI Keypair    = /etc/bareos/bac02muc-fd.pem  # Public and Private Keys in one file
Apr 17 10:39:15 bareos systemd[1]: bareos-director.service: Main process exited, code=exited, status=42/n/a
Apr 17 10:39:15 bareos systemd[1]: bareos-director.service: Failed with result 'exit-code'.

What am I doing wrong?

Config is:
   # encryption configuration
#   PKI Signatures = Yes                           # Enable Data Signing
#   PKI Encryption = Yes                           # Enable Data Encryption
   PKI Keypair    = /etc/bareos/client-fd.pem  # Public and Private Keys in one file
   PKI Master Key = /etc/bareos/master.pub.key # ONLY the Public Key
   PKI Cipher     = aes128                        # specify desired PKI Cipher here

It would be great if someone could point me in the right direction.

Thanks in advance...
Markus

Benji Philpott

Apr 17, 2026, 9:52:13 AM
to bareos-users
I believe you need to uncomment 

#   PKI Signatures = Yes                           # Enable Data Signing
#   PKI Encryption = Yes                           # Enable Data Encryption

Markus Baumann

Apr 20, 2026, 12:02:15 PM
to bareos-users
Hi Benji,
thanks for your reply. I tried that in the first step, but then I had the message in the journal that the config option "PKI Signatures" is not permitted:

bareos-dir.d/client/bareos-fd.conf
   # encryption configuration

   PKI Signatures = Yes                           # Enable Data Signing
   PKI Encryption = Yes                           # Enable Data Encryption
   PKI Keypair    = /etc/bareos/bac02muc-fd.pem  # Public and Private Keys in one file
   PKI Master Key = /etc/bareos/vbac04muc_master.pub.key # ONLY the Public Key

   PKI Cipher     = aes128                        # specify desired PKI Cipher here

After service restart:
Apr 20 18:00:10 bareos systemd[1]: Started bareos-director.service - Bareos Director Daemon service.
Apr 20 18:00:10 bareos bareos-dir[25801]: bareos-dir: CONFIG ERROR at lib/parse_conf_state_machine.cc:162
Apr 20 18:00:10 bareos bareos-dir[25801]: Config error: Keyword "PKISignatures" not permitted in this resource.
Apr 20 18:00:10 bareos bareos-dir[25801]: Perhaps you left the trailing brace off of the previous resource.
Apr 20 18:00:10 bareos bareos-dir[25801]:             : line 7, col 18 of file /etc/bareos/bareos-dir.d/client/bareos-fd.conf
Apr 20 18:00:10 bareos bareos-dir[25801]:    PKI Signatures = Yes                           # Enable Data Signing
Apr 20 18:00:10 bareos systemd[1]: bareos-director.service: Main process exited, code=exited, status=42/n/a
Apr 20 18:00:10 bareos systemd[1]: bareos-director.service: Failed with result 'exit-code'.

Hmmm. Could it be that it's not compiled into the binary? I am using Debian.

Thanks!

Benji Philpott

Apr 20, 2026, 12:24:42 PM
to bareos-users
Are you using the version from the Debian repo or are you using the Bareos upstream version? I'm using the upstream version (but a couple of versions behind), but if you are using the Debian version it may be older and not supported, or just not compiled in like you said.

Bruno Friedmann (bruno-at-bareos)

Apr 21, 2026, 3:10:51 AM
to bareos-users
PKI Signatures is an FD option, not a DIR one; that's why your DIR shouts at you :-)

So the example you showed belongs in /etc/bareos/bareos-fd.d/client/myself.conf and not /etc/bareos/bareos-dir.d/client/clientX.conf
See also

BUT

You have requested "Now I want to have the files encrypted on the tape." Maybe you confused yourself, as normally tapes can do the encryption by themselves if you use this plugin

That means the tapes are encrypted, but not the data in them. You can then do both, but that hits performance and compression.
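
The misplacement described in this reply can be caught before restarting the Director. The script below is an added example, not part of the thread or of Bareos; it assumes the split `bareos-dir.d` / `bareos-fd.d` layout seen in the paths above, and the sample files it creates are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): flag File Daemon PKI directives that
# were placed in Director configuration. Assumes the split layout
# <root>/bareos-dir.d and <root>/bareos-fd.d seen in the paths above.

# The five directives quoted in this thread, normalised the way Bareos reports
# them ("PKI Keypair" appears as "PKIKeypair" in the error): no spaces, no case.
PKI_KEYWORDS='pkisignatures|pkiencryption|pkikeypair|pkimasterkey|pkicipher'

# find_misplaced_pki ROOT: print "file:line:keyword" for each active PKI
# directive under ROOT/bareos-dir.d; return 1 if any was found, else 0.
find_misplaced_pki() {
    pki_dir="$1/bareos-dir.d"
    [ -d "$pki_dir" ] || return 0
    pki_hits=$(find "$pki_dir" -type f -name '*.conf' -exec awk -v kw="$PKI_KEYWORDS" '
        {
            line = $0
            sub(/#.*/, "", line)        # commented-out directives are inactive
            split(line, kv, "=")        # keyword is the text left of "="
            key = tolower(kv[1])
            gsub(/[ \t]/, "", key)
            if (key ~ ("^(" kw ")$")) print FILENAME ":" FNR ":" key
        }' {} +)
    [ -n "$pki_hits" ] || return 0
    printf '%s\n' "$pki_hits"
    return 1
}

# Constructed sample tree: a Director client file repeating the mistake, and a
# File Daemon client file where the same directives are valid.
make_sample_tree() {
    mkdir -p "$1/bareos-dir.d/client" "$1/bareos-fd.d/client"
    printf '%s\n' 'Client {' '  Name = bareos-fd' '  # PKI Signatures = Yes' \
        '  PKI Keypair    = /etc/bareos/client-fd.pem' \
        '  PKI Cipher     = aes128' '}' \
        > "$1/bareos-dir.d/client/bareos-fd.conf"
    printf '%s\n' 'Client {' '  Name = bareos-fd' '  PKI Signatures = Yes' \
        '  PKI Encryption = Yes' \
        '  PKI Keypair    = /etc/bareos/client-fd.pem' '}' \
        > "$1/bareos-fd.d/client/myself.conf"
}

demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
find_misplaced_pki "$demo_root" || echo "Move these lines to bareos-fd.d on the client."
rm -rf "$demo_root"
```

On a real host, call `find_misplaced_pki /etc/bareos`; a non-zero exit status means at least one PKI directive sits in a Director resource.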

Markus Baumann

Apr 21, 2026, 2:56:44 PM
to bareos-users
Hi Bruno,

that was it. :-) Thank You so much!

I put the config into the correct file and it started without errors.

Also thank You for the link to the tape encryption plugin! There is only one thing I am worried about:
what happens in a disaster recovery situation? Suppose the backup server and the tape cannot be used for restore, how would it then be possible to decrypt the tapes?

I will try that out and report back here... :-)

Thank You!

Bruno Friedmann (bruno-at-bareos)

Apr 22, 2026, 3:09:14 AM
to bareos-users
Hi Markus, glad you finally sorted it out.
Congratulations, you stepped over the most difficult part of Bareos ;-)

With tape encryption and DR, we usually check with the customer their capability to store the main KEK and wrapped tape keys at another secure location in one or another encrypted container.
Please check the disaster recovery chapter. If you have the BackupCatalog job (so the DB + configuration files) and the encrypted tapes you should be safe for an easy recovery.

The bare minimum is to have the configuration, so the main KEK + the dump of the wrapped tape keys from the DB. You can then load the key in a drive, load a tape, read its content (catalog bsr), extract the dump and restore the DB.
But all of this is more difficult and time-consuming when you have to react quickly.
