Skip to content
Starting November 2023 Percona XtraBackup 2.4 has reached EOL status. If you have 5.7 databases, we encourage you to upgrade to 8.0 and then install Percona XtraBackup 8.0. Learn more

logo
Percona XtraBackup
Encrypted Backup
Initializing search
    percona/pxb-docs
    percona/pxb-docs
    • Home
      • About Percona XtraBackup
      • How Percona XtraBackup Works
      • Understand version numbers
      • Installing Percona XtraBackup 2.4
      • Installing Percona XtraBackup on Debian and Ubuntu
      • Installing Percona XtraBackup on Red Hat Enterprise Linux and CentOS
      • Installing Percona XtraBackup from a Binary Tarball
      • Compiling and Installing from Source Code
      • Running Percona XtraBackup in a Docker container
      • Connection and Privileges Needed
      • Configuring xtrabackup
      • The Backup Cycle - Full Backups
      • Incremental Backup
      • Compressed Backup
      • Encrypted Backup
        • Creating Encrypted Backups
          • Using the --encrypt-key option
          • Using the --encrypt-key-file option
        • Optimizing the encryption process
        • Decrypting Encrypted Backups
        • Preparing Encrypted Backups
        • Restoring Encrypted Backups
        • Other Reading
      • Percona XtraBackup User Manual
      • Throttling Backups
      • Lockless binary log information
      • Encrypted InnoDB Tablespace Backups
      • lock-ddl-per-table Option Improvements
      • How-tos and Recipes
        • Release notes index
        • Percona XtraBackup 2.4.29 (2023-12-18)
        • Percona XtraBackup 2.4.28 (2023-04-04)
        • Percona XtraBackup 2.4.27 (2022-12-06)
        • Percona XtraBackup 2.4.26
        • Percona XtraBackup 2.4.25
        • Percona XtraBackup 2.4.24
        • Percona XtraBackup 2.4.23
        • Percona XtraBackup 2.4.22
        • Percona XtraBackup 2.4.21
        • Percona XtraBackup 2.4.20
        • Percona XtraBackup 2.4.19
        • Percona XtraBackup 2.4.18
        • Percona XtraBackup 2.4.17
        • Percona XtraBackup 2.4.16
        • Percona XtraBackup 2.4.15
        • Percona XtraBackup 2.4.14
        • Percona XtraBackup 2.4.13
        • Percona XtraBackup 2.4.12
        • Percona XtraBackup 2.4.11
        • Percona XtraBackup 2.4.10
        • Percona XtraBackup 2.4.9
        • Percona XtraBackup 2.4.8
        • Percona XtraBackup 2.4.7-2
        • Percona XtraBackup 2.4.7
        • Percona XtraBackup 2.4.6
        • Percona XtraBackup 2.4.5
        • Percona XtraBackup 2.4.4
        • Percona XtraBackup 2.4.3
        • Percona XtraBackup 2.4.2
        • Percona XtraBackup 2.4.1
      • The xtrabackup Option Reference
      • The innobackupex Option Reference
      • The xbcloud Binary
      • Exponential Backoff
      • Using the xbcloud binary with Microsoft Azure Cloud Storage
      • The xbcrypt binary
      • The xbstream binary
      • Known issues and limitations
      • Frequently Asked Questions
      • Glossary
      • Index of files created by Percona XtraBackup
      • Trademark policy
      • Copyright and licensing information
      • Version Checking

    • Creating Encrypted Backups
      • Using the --encrypt-key option
      • Using the --encrypt-key-file option
    • Optimizing the encryption process
    • Decrypting Encrypted Backups
    • Preparing Encrypted Backups
    • Restoring Encrypted Backups
    • Other Reading

    Encrypted Backup¶

    Percona XtraBackup has implemented support for encrypted backups. It can be used to encrypt/decrypt local or streaming backup with xbstream option (streaming tar backups are not supported) in order to add another layer of protection to the backups. Encryption is done with the libgcrypt library.

    Creating Encrypted Backups¶

    To make an encrypted backup following options need to be specified (options xtrabackup --encrypt-key and xtrabackup --encrypt-key-file are mutually exclusive, i.e., just one of them needs to be provided):

    • --encrypt=ALGORITHM - currently supported algorithms are: AES128, AES192 and AES256

    • --encrypt-key=ENCRYPTION_KEY - proper length encryption key to use. It is not recommended to use this option where there is uncontrolled access to the machine as the command line and thus the key can be viewed as part of the process info.

    • --encrypt-key-file=KEYFILE - the name of a file where the raw key of the appropriate length can be read from. The file must be a simple binary (or text) file that contains exactly the key to be used.

    Both xtrabackup --encrypt-key option and xtrabackup --encrypt-key-file option can be used to specify the encryption key. Encryption key can be generated with command like:

    $ openssl rand -base64 24
    

    Example output of that command should look like this:

    GCHFLrDFVx6UAsRb88uLVbAVWbK+Yzfs
    

    This value then can be used as the encryption key

    Using the --encrypt-key option¶

    Example of the xtrabackup command using the xtrabackup --encrypt-key should look like this:

    $ xtrabackup --backup --target-dir=/data/backups --encrypt=AES256 \
    --encrypt-key="GCHFLrDFVx6UAsRb88uLVbAVWbK+Yzfs"
    

    Using the --encrypt-key-file option¶

    Example of the xtrabackup command using the xtrabackup --encrypt-key-file should look like this:

    $ xtrabackup --backup --target-dir=/data/backups/ --encrypt=AES256 \
    --encrypt-key-file=/data/backups/keyfile
    

    Note

    Depending on the text editor used for making the KEYFILE, text file in some cases can contain the CRLF and this will cause the key size to grow and thus making it invalid. Suggested way to do this would be to create the file with: echo -n "GCHFLrDFVx6UAsRb88uLVbAVWbK+Yzfs" > /data/backups/keyfile

    Optimizing the encryption process¶

    Two options have been introduced with the encrypted backups that can be used to speed up the encryption process. These are xtrabackup --encrypt-threads and xtrabackup --encrypt-chunk-size. By using the xtrabackup --encrypt-threads option multiple threads can be specified to be used for encryption in parallel. Option xtrabackup --encrypt-chunk-size can be used to specify the size (in bytes) of the working encryption buffer for each encryption thread (default is 64K).

    Decrypting Encrypted Backups¶

    Percona XtraBackup xtrabackup --decrypt option has been implemented that can be used to decrypt the backups:

    $ xtrabackup --decrypt=AES256 --encrypt-key="GCHFLrDFVx6UAsRb88uLVbAVWbK+Yzfs"\
    --target-dir=/data/backups/
    

    Percona XtraBackup doesn’t automatically remove the encrypted files. In order to clean up the backup directory users should remove the *.xbcrypt files. In Percona XtraBackup 2.4.6 xtrabackup --remove-original option has been implemented that you can use to remove the encrypted files once they’ve been decrypted. To remove the files once they’re decrypted you should run:

    $ xtrabackup --decrypt=AES256 --encrypt-key="GCHFLrDFVx6UAsRb88uLVbAVWbK+Yzfs"\
    --target-dir=/data/backups/ --remove-original
    

    Note

    xtrabackup --parallel can be used with xtrabackup --decrypt option to decrypt multiple files simultaneously.

    When the files have been decrypted backup can be prepared.

    Preparing Encrypted Backups¶

    After the backups have been decrypted, they can be prepared the same way as the standard full backups with the xtrabackup --prepare option:

    $ xtrabackup --prepare --target-dir=/data/backups/
    

    Restoring Encrypted Backups¶

    xtrabackup has a xtrabackup --copy-back option, which performs the restoration of a backup to the server’s datadir:

    $ xtrabackup --copy-back --target-dir=/data/backups/
    

    It will copy all the data-related files back to the server’s datadir, determined by the server’s my.cnf configuration file. You should check the last line of the output for a success message:

    170214 12:37:01 completed OK!
    

    Other Reading¶

    • The Libgcrypt Reference Manual

    Contact us

    For free technical help, visit the Percona Community Forum.

    To report bugs or submit feature requests, open a JIRA ticket.

    For paid support and managed or consulting services , contact Percona Sales.

    2022-11-10
    Percona LLC and/or its affiliates, © 2024 Cookie Preferences
    Made with Material for MkDocs