The add-on encryption module encrypts archives as they are created. Unlike the existing end-to-end encryption, archives remain encrypted while on tape or stage disk. Encrypted archives are compatible with older versions of BRU Desktop (which will report an empty archive).
BRU-Server 2.0 uses the high-speed Phelix cipher developed by Whiting, Schneier, Lucks and Muller. Phelix includes a fused MAC (Message Authentication Code) that is used to confirm archive integrity. TOLIS Group uses the original x86 assembler implementation and has additionally implemented Phelix for x86-64 and PowerPC processors, donating these implementations to the public domain.
The throughput of the x86-64 implementation was measured at 2.6 cycles per byte, or an astounding 384 megabytes per second on a 1-gigahertz machine. Typical AES implementations encrypt at 50 megabytes per second. Because modern tape drives, networks and disk file systems have throughputs of ten to a hundred megabytes per second, encryption can easily become a substantial part of a backup running at these speeds.
Although Phelix is a symmetric stream cipher, using the same key for encryption and decryption, the Phelix key is itself protected by an Elliptic Curve Integrated Encryption System (ECIES), using the standard FIPS-186 P-256 elliptic curve. A user-supplied passphrase generates a public/private key pair: the public key for encryption and the private key for decryption. At archive creation time, a cryptographically secure random number is chosen for the Phelix key, and is encrypted in the archive itself, requiring the private decryption key to decrypt it.
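The following is an added example illustrating the key-protection design described above; it is not TOLIS Group's or BRU-Server's code, and the real archive header format, KDF and cipher are not on this page. It assumes a generic ECIES-style construction (ephemeral ECDH on P-256, a SHA-256 KDF, and an HMAC tag) and derives the P-256 private scalar from the passphrase with PBKDF2 over a constructed salt. Because Phelix is not available in standard libraries, the wrapped key is masked with a SHA-256 counter keystream and authenticated with HMAC as a stand-in for an authenticated stream cipher. The point of the example is the property the text states: the per-archive random key is sealed to the public key, and only the passphrase-derived private key can recover it.

```python
# Added example (not BRU-Server code): ECIES-style wrapping of a random per-archive
# key under a P-256 key pair derived from a passphrase. Stand-ins: PBKDF2 for the
# passphrase KDF, SHA-256 keystream + HMAC instead of Phelix.
import hashlib
import hmac
import os

# FIPS 186 P-256 domain parameters (standard constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _on_curve(pt):
    """Reject points not on P-256 (a peer-supplied point must be validated)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keypair_from_passphrase(passphrase: str, salt: bytes):
    """Passphrase -> private scalar d in [1, N-1] and public point Q = d*G."""
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)
    d = int.from_bytes(raw, "big") % (N - 1) + 1
    return d, scalar_mult(d, G)


def _encode_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def _decode_point(b):
    return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:64], "big"))


def _derive_keys(shared_point, ephemeral_pub):
    """ECIES KDF step: shared x-coordinate -> separate encryption and MAC keys."""
    x = shared_point[0].to_bytes(32, "big") + _encode_point(ephemeral_pub)
    return hashlib.sha256(b"enc" + x).digest(), hashlib.sha256(b"mac" + x).digest()


def _keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (stand-in for the stream cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_archive_key(public_point, archive_key: bytes) -> bytes:
    """Seal the random per-archive key to the public key: R || C || tag."""
    r = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1  # ephemeral scalar
    R = scalar_mult(r, G)
    enc_key, mac_key = _derive_keys(scalar_mult(r, public_point), R)
    c = _keystream_xor(enc_key, archive_key)
    tag = hmac.new(mac_key, _encode_point(R) + c, "sha256").digest()
    return _encode_point(R) + c + tag


def unwrap_archive_key(private_scalar, blob: bytes) -> bytes:
    """Recover the archive key; only the matching private scalar succeeds."""
    R, c, tag = _decode_point(blob[:64]), blob[64:-32], blob[-32:]
    if not _on_curve(R):
        raise ValueError("ephemeral public point is not on P-256")
    enc_key, mac_key = _derive_keys(scalar_mult(private_scalar, R), R)
    expected = hmac.new(mac_key, blob[:64] + c, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong private key or tampered header")
    return _keystream_xor(enc_key, c)


def demo(passphrase="correct passphrase", wrong="other passphrase"):
    """Round trip with the right key, rejection with a wrong passphrase."""
    salt = b"constructed-salt"          # constructed; a real system stores a real salt
    d, Q = keypair_from_passphrase(passphrase, salt)
    archive_key = os.urandom(32)        # the random content key chosen per archive
    header = wrap_archive_key(Q, archive_key)
    recovered = unwrap_archive_key(d, header) == archive_key
    d_bad, _ = keypair_from_passphrase(wrong, salt)
    try:
        unwrap_archive_key(d_bad, header)
        rejected = False
    except ValueError:
        rejected = True
    return recovered, rejected


if __name__ == "__main__":
    print(demo())
```

The `_on_curve` check before the ECDH step is the part a reviewer would insist on: a header carrying an off-curve ephemeral point must be rejected before any scalar multiplication, and the HMAC comparison uses `hmac.compare_digest` so a wrong passphrase fails without leaking timing.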