+1-208-473-2904 (USA - Sales)
0-800-051-8984 (UK - Sales)
0-800-181-0665 (GER - Sales)
Percona XtraBackup has implemented support for encrypted backups. This feature was introduced in Percona XtraBackup 2.1. It can be used to encrypt/decrypt local or streaming backup with xbstream option (streaming tar backups are not supported) in order to add another layer of protection to the backups. Encryption is done with the libgcrypt library.
Encryption related options are currently ignored by innobackupex when specified in my.cnf.
- --encryption=ALGORITHM - currently supported algorithms are: AES128, AES192 and AES256
- --encrypt-key=ENCRYPTION_KEY - proper length encryption key to use. It is not recommended to use this option where there is uncontrolled access to the machine as the command line and thus the key can be viewed as part of the process info.
- --encrypt-key-file=KEYFILE - the name of a file where the raw key of the appropriate length can be read from. The file must be a simple binary (or text) file that contains exactly the key to be used.
$ openssl enc -aes-256-cbc -pass pass:Password -P -md sha1
Output of that command should look like this:
salt=9464A264486EEC69 key=DDD3A1B6BC90B9A9B631913CF30E0336A2571BA854E2D65CF92A6D0BDBCBB251 iv =A1EDC73815467C083B0869508406637E
In this case we can use iv value as key.
Example of the innobackupex command using the --encrypt-key should look like this
$ innobackupex --encrypt=AES256 --encrypt-key="A1EDC73815467C083B0869508406637E" /data/backups
Example of the innobackupex command using the --encrypt-key-file should look like this
$ innobackupex --encrypt=AES256 --encrypt-key-file=/data/backups/keyfile /data/backups
Depending on the text editor used for making the KEYFILE, text file in some cases can contain the CRLF and this will cause the key size to grow and thus making it invalid. Suggested way to do this would be to create the file with: echo -n "A1EDC73815467C083B0869508406637E" > /data/backups/keyfile
Both of these examples will create a timestamped directory in /data/backups containing the encrypted backup.
You can use the innobackupex --no-timestamp option to override this behavior and the backup will be created in the given directory.
Two new options have been introduced with the encrypted backups that can be used to speed up the encryption process. These are --encrypt-threads and --encrypt-chunk-size. By using the --encrypt-threads option multiple threads can be specified to be used for encryption in parallel. Option --encrypt-chunk-size can be used to specify the size (in bytes) of the working encryption buffer for each encryption thread (default is 64K).
Backups can be decrypted with The xbcrypt binary. Following one-liner can be used to encrypt the whole folder:
$ for i in `find . -iname "*\.xbcrypt"`; do xbcrypt -d --encrypt-key-file=/root/secret_key --encrypt-algo=AES256 < $i > $(dirname $i)/$(basename $i .xbcrypt) && rm $i; done
In Percona XtraBackup 2.1.4 new innobackupex --decrypt option has been implemented that can be used to decrypt the backups:
$ innobackupex --decrypt=AES256 --encrypt-key="A1EDC73815467C083B0869508406637E" /data/backups/2013-08-01_08-31-35/
Use of the innobackupex --decrypt will remove the original encrypted files and leave the results in the same location.
When the files have been decrypted backup can be prepared.
After the backups have been decrypted, they can be prepared the same way as the standard full backups with the --apply-logs option:
$ innobackupex --apply-log /data/backups/2013-08-01_08-31-35/
innobackupex has a --copy-back option, which performs the restoration of a backup to the server’s datadir
$ innobackupex --copy-back /path/to/BACKUP-DIR
It will copy all the data-related files back to the server’s datadir, determined by the server’s my.cnf configuration file. You should check the last line of the output for a success message:
innobackupex: Finished copying back files. 130801 11:08:13 innobackupex: completed OK!