Percona XtraBackup can encrypt and decrypt both local backups and backups
streamed with the xbstream option, adding another layer of protection to the
backup files. The encryption is implemented with the libgcrypt library from
GnuPG.
Create encrypted backups
To make an encrypted backup, the following options need to be specified. The
--encrypt-key and --encrypt-key-file options are mutually exclusive, i.e. just
one of them is provided:
--encrypt selects the encryption algorithm (AES256 in the examples below).
--encrypt-key passes the encryption key on the command line.
--encrypt-key-file reads the encryption key from a file.
Both --encrypt-key and --encrypt-key-file specify the same thing: the
encryption key. A suitable key can be generated with a command like
$ openssl rand -base64 24
which yields a 32-character base64 string. This value can then be used as the
encryption key.
An xtrabackup command using the --encrypt-key option looks like this:
$ xtrabackup --backup --encrypt=AES256 --encrypt-key="U2FsdGVkX19VPN7VM+lwNI0fePhjgnhgqmDBqbF3Bvs=" --target-dir=/data/backup
Note that a key passed with --encrypt-key is visible to other users in the
process list and may end up in shell history, so on shared hosts prefer the
--encrypt-key-file option with a key file readable only by the backup user:
$ xtrabackup --backup --encrypt=AES256 --encrypt-key-file=/data/backups/keyfile --target-dir=/data/backup
Depending on the text editor you use to create the key file, the editor may
automatically append an end-of-line sequence (LF or CRLF) to the key. This
makes the key longer than expected and therefore invalid. The suggested way to
create the file is with echo -n, which writes no trailing newline:
$ echo -n "U2FsdGVkX19VPN7VM+lwNI0fePhjgnhgqmDBqbF3Bvs=" > /data/backups/keyfile
Optimize the encryption process
Two options are available for encrypted backups that can be used to speed up
the encryption process: --encrypt-threads and --encrypt-chunk-size. With
--encrypt-threads, multiple threads can be used for encryption in parallel.
--encrypt-chunk-size specifies the size (in bytes) of the working encryption
buffer for each encryption thread (the default is 64K).
Decrypt encrypted backups
Backups can be decrypted with the xbcrypt binary. The following one-liner
decrypts every .xbcrypt file in the current directory tree, removing each
encrypted file once it has been decrypted successfully:
$ for i in `find . -iname "*\.xbcrypt"`; do xbcrypt -d --encrypt-key-file=/root/secret_key --encrypt-algo=AES256 < $i > $(dirname $i)/$(basename $i .xbcrypt) && rm $i; done
Alternatively, xtrabackup provides the --decrypt option, which can be used to
decrypt the backup in place:
$ xtrabackup --decrypt=AES256 --encrypt-key="U2FsdGVkX19VPN7VM+lwNI0fePhjgnhgqmDBqbF3Bvs=" --target-dir=/data/backup/
Percona XtraBackup doesn't automatically remove the encrypted files. In order
to clean up the backup directory, users should remove the *.xbcrypt files
themselves. The --parallel option can be used together with --decrypt to
decrypt multiple files simultaneously.
When the files are decrypted, the backup can be prepared.
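The key-file pitfall described above and the decryption loop share the same checks, so here is one added example covering both. It is not part of the Percona documentation: make_keyfile creates a key file with no trailing newline and mode 0600, check_keyfile rejects an empty key or one that picked up LF/CRLF from an editor, and decrypt_tree is a safer form of the one-liner (quoted paths, encrypted file removed only after xbcrypt succeeds, no partial plaintext left on failure). It assumes the key string is consumed as raw key bytes, so it keeps the key at the 32 characters that openssl rand -base64 24 produces, and it assumes an xbcrypt binary on PATH or, for testing without one, named in the XBCRYPT variable.

```shell
#!/bin/sh
# Added example, not Percona's code. Assumptions: a 32-character key string is
# the right length for AES256; xbcrypt is on PATH or named in $XBCRYPT.

# Refuse key files that are empty or carry a trailing LF/CRLF from an editor;
# print the key length in bytes on success.
check_keyfile() {
    f=$1
    total=$(wc -c < "$f" | tr -d ' ')
    clean=$(tr -d '\r\n' < "$f" | wc -c | tr -d ' ')
    if [ "$total" -eq 0 ]; then
        echo "check_keyfile: $f is empty" >&2
        return 1
    fi
    if [ "$total" -ne "$clean" ]; then
        echo "check_keyfile: $f contains CR/LF; rewrite it with printf '%s'" >&2
        return 1
    fi
    echo "$total"
}

# Generate a key file the way the page recommends, without the pitfalls:
# no trailing newline, created with mode 0600, never overwriting an existing key.
make_keyfile() {
    path=$1
    nbytes=${2:-24}   # 24 random bytes -> 32 base64 characters
    if [ -e "$path" ]; then
        echo "make_keyfile: refusing to overwrite $path" >&2
        return 1
    fi
    key=$(head -c "$nbytes" /dev/urandom | base64 | tr -d '\n')
    ( umask 077 && printf '%s' "$key" > "$path" ) || return 1
    check_keyfile "$path"
}

# Decrypt every *.xbcrypt file below DIR in place. The encrypted file is removed
# only after xbcrypt succeeds; a failed decryption removes the partial plaintext
# and aborts, so a half-decrypted backup is never mistaken for a complete one.
decrypt_tree() {
    dir=$1
    keyfile=$2
    algo=${3:-AES256}
    check_keyfile "$keyfile" > /dev/null || return 1
    find "$dir" -type f -name '*.xbcrypt' -exec sh -c '
        xbcrypt=$1; keyfile=$2; algo=$3; shift 3
        for enc; do
            plain=${enc%.xbcrypt}
            if "$xbcrypt" -d --encrypt-key-file="$keyfile" --encrypt-algo="$algo" \
                    < "$enc" > "$plain"; then
                rm -f "$enc"
            else
                rm -f "$plain"
                echo "decrypt_tree: xbcrypt failed on $enc" >&2
                exit 1
            fi
        done
    ' sh "${XBCRYPT:-xbcrypt}" "$keyfile" "$algo" {} +
}

# Typical use (paths are the ones from the examples on this page):
#   make_keyfile /data/backups/keyfile
#   xtrabackup --backup --encrypt=AES256 --encrypt-key-file=/data/backups/keyfile --target-dir=/data/backup
#   decrypt_tree /data/backup /data/backups/keyfile AES256
```

decrypt_tree returns non-zero if any file failed, so a backup restore script can stop before --prepare instead of preparing a directory with encrypted files still in it.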
Prepare encrypted backups
After the backups have been decrypted, they can be prepared in the same way as
standard full backups, with the --prepare option:
$ xtrabackup --prepare --target-dir=/data/backup/
Restore encrypted backups
xtrabackup offers the --copy-back option to restore a prepared backup to the
server's datadir:
$ xtrabackup --copy-back --target-dir=/data/backup/
It copies all the data-related files back to the server's datadir, as
determined by the server's my.cnf configuration file. The server must be
stopped and the datadir must be empty before running --copy-back, and the
restored files must be owned by the user the server runs as (typically mysql)
before it is started again. You should check the last line of the output for a
success message:
150318 11:08:13 xtrabackup: completed OK!