[zeromq-dev] Partially encrypted service
Greg Ward
greg at gerg.ca
Mon Mar 31 21:12:38 CEST 2014
Hi all --
I'm helping maintain a ZeroMQ-based system that currently uses a
homebrew cryptosystem on top of libzmq 3.2.4. Obviously I'd like to
upgrade to curve and libzmq 4. While I'm doing that, I'd like to
change it so that only untrusted connections (across the Internet) are
subject to encryption and authentication. Connections within our data
center do not need the overhead.
My understanding is that encryption/authentication is per-context, so
the server process that talks to both remote hosts (across the
Internet) and local hosts (inside our data center) would need *two*
contexts. Is this correct?
My rationale, incidentally, is twofold: 1) reduce administrative
overhead, 2) reduce latency. Of course we need to maintain keys and
certificates for the hosts that we talk to out there on the Internet,
but it's annoying that we have to maintain them for hosts inside our
data center. I'd like to get rid of that. I also want to ditch the
overhead (network and CPU) of crypto + authentication when we don't
need it. Not sure how big a factor that is with libzmq 4, but it's
definitely a factor with our current homebrew cryptosystem.
Greg
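The per-context question above is worth checking in code. In libzmq 4 the CURVE settings (ZMQ_CURVE_SERVER, ZMQ_CURVE_SECRETKEY, ZMQ_CURVE_PUBLICKEY, ZMQ_CURVE_SERVERKEY) are socket options, so one context can hold an Internet-facing socket that requires CURVE next to a data-centre socket that runs the plain NULL mechanism; only a ZAP authentication handler, if one is used, is bound once per context. The example below is added here and is not Greg's code or part of libzmq or pyzmq; it assumes pyzmq on top of a libzmq built with CURVE support and that loopback TCP ports can be bound. Keys are generated fresh for the run, and the message payloads are constructed sample data. Besides the two working paths it also shows the failure mode a defender cares about: a client without CURVE configured never reaches the encrypted endpoint.

```python
"""One ZeroMQ context, two listening sockets with different security mechanisms.

Added example (hypothetical names, not pyzmq/libzmq API beyond the zmq calls used).
Requires: pyzmq, libzmq with CURVE support, loopback TCP available.
"""
import zmq


def exchange(client, server, payload, timeout_ms=1000):
    """Send payload from a REQ socket, let the matching REP socket echo it.

    Returns the echoed bytes, or None when the request never reached the REP
    socket within the timeout (for example because the security mechanisms
    of the two ends do not match and the handshake is rejected).
    """
    client.send(payload)
    if not server.poll(timeout_ms, zmq.POLLIN):
        return None
    server.send(b"echo:" + server.recv())
    if not client.poll(timeout_ms, zmq.POLLIN):
        return None
    return client.recv()


def curve_client(ctx, server_public):
    """REQ socket configured as a CURVE client for the given server public key."""
    client_public, client_secret = zmq.curve_keypair()  # fresh keys for this run
    sock = ctx.socket(zmq.REQ)
    sock.setsockopt(zmq.CURVE_SERVERKEY, server_public)  # pins the server's identity
    sock.setsockopt(zmq.CURVE_PUBLICKEY, client_public)
    sock.setsockopt(zmq.CURVE_SECRETKEY, client_secret)
    return sock


def demo():
    """Run the three exchanges and return their results keyed by scenario."""
    assert zmq.has("curve"), "libzmq was built without CURVE support"
    ctx = zmq.Context()  # a single context for both kinds of listener
    try:
        # In a deployment this keypair is persistent and the public half is
        # handed to remote clients; here it is generated just for the example.
        server_public, server_secret = zmq.curve_keypair()

        # Internet-facing listener: CURVE required. The server needs only its
        # secret key; libzmq derives the public key from it.
        public_rep = ctx.socket(zmq.REP)
        public_rep.setsockopt(zmq.CURVE_SERVER, 1)
        public_rep.setsockopt(zmq.CURVE_SECRETKEY, server_secret)
        public_port = public_rep.bind_to_random_port("tcp://127.0.0.1")

        # Data-centre listener: no security options set, so the NULL
        # mechanism is used and no keys need to be managed for these peers.
        internal_rep = ctx.socket(zmq.REP)
        internal_port = internal_rep.bind_to_random_port("tcp://127.0.0.1")

        # Remote client with CURVE configured against the public endpoint.
        remote_req = curve_client(ctx, server_public)
        remote_req.connect(f"tcp://127.0.0.1:{public_port}")

        # Local client with no security options against the internal endpoint.
        local_req = ctx.socket(zmq.REQ)
        local_req.connect(f"tcp://127.0.0.1:{internal_port}")

        # Misconfigured client: plain NULL mechanism against the CURVE endpoint.
        # The greeting announces "NULL", the server expects CURVE, and the
        # connection is dropped during the handshake, so nothing gets through.
        plain_to_curve = ctx.socket(zmq.REQ)
        plain_to_curve.connect(f"tcp://127.0.0.1:{public_port}")

        return {
            "curve": exchange(remote_req, public_rep, b"hello from the internet"),
            "plain": exchange(local_req, internal_rep, b"hello from the rack"),
            "mismatch": exchange(plain_to_curve, public_rep, b"should never arrive"),
        }
    finally:
        ctx.destroy(linger=0)


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:9s} -> {result!r}")
```

The two working paths share one zmq.Context, which is the answer to the per-context question: what differs is the option set on each socket, not the context. Note that with no ZAP handler running, the CURVE socket accepts any client that completes the handshake against the server key, so client authorisation (which client keys are allowed in) still needs a ZAP handler on that context.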