Encrypt backups¶
Percona XtraBackup supports encrypting and decrypting local and streaming backups (with the xbstream option), adding another layer of protection. The encryption is implemented using the libgcrypt library from GnuPG.
Create encrypted backups¶
To make an encrypted backup, the following options need to be specified (the --encrypt-key and --encrypt-key-file options are mutually exclusive, i.e. just one of them needs to be provided):
- --encrypt
- --encrypt-key
- --encrypt-key-file
Both the --encrypt-key option and the --encrypt-key-file option can be used to specify the encryption key. An encryption key can be generated with a command like:
$ openssl rand -base64 24
U2FsdGVkX19VPN7VM+lwNI0fePhjgnhgqmDBqbF3Bvs=
This value can then be used as the encryption key.
The --encrypt-key
option¶
An example of the xtrabackup command using the --encrypt-key option looks like this:
$ xtrabackup --backup --encrypt=AES256 --encrypt-key="U2FsdGVkX19VPN7VM+lwNI0fePhjgnhgqmDBqbF3Bvs=" --target-dir=/data/backup
The --encrypt-key-file option¶
Use the --encrypt-key-file option as follows:
$ xtrabackup --backup --encrypt=AES256 --encrypt-key-file=/data/backups/keyfile --target-dir=/data/backup
Note
Depending on the text editor that you use to make the KEYFILE, the editor can automatically insert the CRLF (end of line) character. This will cause the key size to grow and thus make it invalid. The suggested way to create the file is by using the command line:
$ echo -n "U2FsdGVkX19VPN7VM+lwNI0fePhjgnhgqmDBqbF3Bvs=" > /data/backups/keyfile
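The check a practitioner would want before running the backup is that the key file really contains only the key: no CR or LF bytes from an editor, the byte length the cipher expects, and owner-only permissions. The script below is an added example, not part of the Percona XtraBackup documentation or tooling; it writes the key the way the Note recommends and verifies the result. It assumes AES256 takes a 32-byte key (the length `openssl rand -base64 24` produces); the key string and paths are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not Percona's code): create and validate a key file for
# xtrabackup --encrypt-key-file. Assumes a 32-byte key for AES256.
set -u

# Write KEY to FILE with no trailing newline (printf '%s', like echo -n),
# creating it with owner-only permissions via umask in a subshell.
write_keyfile() {
    local key="$1" file="$2"
    ( umask 077 && printf '%s' "$key" > "$file" )
}

# Return 0 if FILE holds exactly EXPECTED bytes (default 32) and contains
# no CR or LF bytes; otherwise print the reason to stderr and return 1.
check_keyfile() {
    local file="$1" expected="${2:-32}"
    local size breaks
    [ -f "$file" ] || { echo "missing key file: $file" >&2; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    # Count only CR/LF bytes; any at all means an editor added a line break.
    breaks=$(tr -cd '\r\n' < "$file" | wc -c | tr -d ' ')
    if [ "$breaks" -ne 0 ]; then
        echo "$file contains CR/LF bytes; was it saved by an editor?" >&2
        return 1
    fi
    if [ "$size" -ne "$expected" ]; then
        echo "$file is $size bytes, expected $expected" >&2
        return 1
    fi
    return 0
}

# Demo: a good key file passes, the same key written with a newline fails.
demo() {
    local dir key
    dir=$(mktemp -d)
    key='0123456789abcdefghijklmnopqrstuv'   # constructed 32-character key
    write_keyfile "$key" "$dir/keyfile"
    check_keyfile "$dir/keyfile" 32 && echo "keyfile OK: $(wc -c < "$dir/keyfile") bytes"
    echo "$key" > "$dir/keyfile-bad"         # echo without -n appends LF
    check_keyfile "$dir/keyfile-bad" 32 || echo "keyfile-bad rejected as expected"
    rm -rf "$dir"
}
demo
```

Run `check_keyfile /data/backups/keyfile` in the backup script before invoking xtrabackup so a corrupted key file stops the job instead of producing a backup that cannot be decrypted.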
Optimize the encryption process¶
Two new options are available for encrypted backups that can be used to speed up the encryption process: --encrypt-threads and --encrypt-chunk-size. By using the --encrypt-threads option, multiple threads can be specified to be used for encryption in parallel. The --encrypt-chunk-size option can be used to specify the size (in bytes) of the working encryption buffer for each encryption thread (default is 64K).
Decrypt encrypted backups¶
Backups can be decrypted with the xbcrypt binary. The following one-liner can be used to decrypt the whole folder (file names are NUL-delimited and quoted so paths with spaces are handled, and each encrypted file is removed only after it has been decrypted successfully):
$ find . -iname '*.xbcrypt' -print0 | while IFS= read -r -d '' i; do xbcrypt -d --encrypt-key-file=/root/secret_key --encrypt-algo=AES256 < "$i" > "${i%.xbcrypt}" && rm "$i"; done
Percona XtraBackup also provides the --decrypt option, which can be used to decrypt the backups:
$ xtrabackup --decrypt=AES256 --encrypt-key="U2FsdGVkX19VPN7VM+lwNI0fePhjgnhgqmDBqbF3Bvs=" --target-dir=/data/backup/
Percona XtraBackup doesn't automatically remove the encrypted files. In order to clean up the backup directory, users should remove the *.xbcrypt files.
Note
--parallel can be used with the --decrypt option to decrypt multiple files simultaneously.
When the files are decrypted, the backup can be prepared.
Prepare encrypted backups¶
After the backups have been decrypted, they can be prepared in the same way as the standard full backups with the --prepare option:
$ xtrabackup --prepare --target-dir=/data/backup/
Restore encrypted backups¶
xtrabackup offers the --copy-back option to restore a backup to the server's datadir:
$ xtrabackup --copy-back --target-dir=/data/backup/
It will copy all the data-related files back to the server's datadir, determined by the server's my.cnf configuration file. You should check the last line of the output for a success message:
Expected output
150318 11:08:13 xtrabackup: completed OK!