This blog is not intended to offer anything extraordinary; instead, consider it an anecdote, a lesson, or simply a proper way of doing things without the need to run a test when in doubt.
That said, I must emphasize that, as always, testing everything before deploying to production is essential.
Let’s dive into the story: while I was working on a specific task, a colleague sent me a message asking the following:
Hey Fernando!
If an xb is encrypted + compressed, what should be done first? Decompress or decrypt?
Remember, I was focused on something else, but in my eagerness to help him reasonably quickly, without testing and trying to use common sense, I responded as follows:
Good question!
Decrypt, then decompress.
That makes sense, right? He first agreed: it made sense. Then, minutes later, everything changed: it seemed that it wasn’t the case. He replied to me:
I checked with another colleague, and the opposite is true: decompress and decrypt.
I said, “OK, sorry for the inaccurate response,” and moved on, worried.
A few days later, I had to execute a change involving rebuilding a replica using a compressed and encrypted backup (how curious, right? I wonder who wrote it, ha).
Anyway, when the moment of truth came, I saw the steps as suggested by that colleague:
To my surprise, the first operation didn’t do anything at all: it gave only a generic false output like this (ignore the dates and everything else; it’s anecdotal)
|
1 |
xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7)<br>2024-12-14T11:09:22.611811-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK!<br> |
Then I realized that I was the right one, ha! It was the opposite.
Here’s why it should be done this way: Compress first. Once encrypted, a file becomes a stream of seemingly data that cannot be compressed effectively. Compression relies on identifying patterns within the data, and encryption removes those patterns, rendering compression futile.
The rest of the steps went smoothly (no need to mention them here).
Anyway, just to prove it’s not just words, here’s the proof.
|
1 |
[fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --backup --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --datadir=/home/fernando.mattera/sandboxes/msb_8_0_35/data/ --target-dir=/home/fernando.mattera/XtraBackups --compress --encrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key<br>2024-12-14T11:02:22.085024-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql --datadir=/home/fernando.mattera/sandboxes/msb_8_0_35/data/<br>2024-12-14T11:02:22.085402-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --backup=1 --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --compress --encrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key<br>xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7)<br>241214 11:02:22 version_check Connecting to MySQL server with DSN 'dbi:mysql:;mysql_read_default_group=xtrabackup;host=127.0.0.1;port=8035;mysql_socket=/tmp/mysql_sandbox8035.sock' as 'root' (using password: YES).<br>241214 11:02:22 version_check Connected to MySQL server<br>241214 11:02:22 version_check Executing a version check against the server...<br>241214 11:02:25 version_check Done.<br>2024-12-14T11:02:25.218435-00:00 0 [Note] [MY-011825] [Xtrabackup] Connecting to MySQL server host: 127.0.0.1, user: root, password: set, port: 8035, socket: /tmp/mysql_sandbox8035.sock<br>2024-12-14T11:02:25.276909-00:00 0 [Note] [MY-011825] [Xtrabackup] Using server version 8.0.35-27<br>2024-12-14T11:02:25.279288-00:00 0 [Note] [MY-011825] [Xtrabackup] Executing LOCK TABLES FOR BACKUP ...<br>2024-12-14T11:02:25.282586-00:00 0 [Note] [MY-011825] [Xtrabackup] uses posix_fadvise().<br>2024-12-14T11:02:27.218834-00:00 0 [Note] [MY-011825] [Xtrabackup] Done: Compressing and encrypting file /home/fernando.mattera/XtraBackups/backup-my.cnf.zst.xbcrypt<br>2024-12-14T11:02:27.222410-00:00 0 [Note] [MY-011825] [Xtrabackup] Compressing and encrypting /home/fernando.mattera/XtraBackups/xtrabackup_info.zst.xbcrypt<br>...several lines later...<br>2024-12-14T11:02:28.229632-00:00 0 [Note] [MY-011825] [Xtrabackup] Transaction log of lsn (28222178) to (28222198) was copied.<br>2024-12-14T11:02:28.444521-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK!<br> |
|
1 |
[fernando.mattera@ms-highram-test01|dev ~]$ ls -l /home/fernando.mattera/XtraBackups/<br>total 1428<br>-rw-r-----. 1 fernando.mattera percona 380 Dec 14 11:02 backup-my.cnf.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 204 Dec 14 11:02 binlog.000005.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 121 Dec 14 11:02 binlog.index.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 793 Dec 14 11:02 ib_buffer_pool.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 4082 Dec 14 11:02 ibdata1.zst.xbcrypt<br>drwxr-x---. 2 fernando.mattera percona 4096 Dec 14 11:02 mysql<br>-rw-r-----. 1 fernando.mattera percona 1383901 Dec 14 11:02 mysql.ibd.zst.xbcrypt<br>drwxr-x---. 2 fernando.mattera percona 8192 Dec 14 11:02 performance_schema<br>drwxr-x---. 2 fernando.mattera percona 40 Dec 14 11:02 sys<br>drwxr-x---. 2 fernando.mattera percona 35 Dec 14 11:02 test<br>-rw-r-----. 1 fernando.mattera percona 5940 Dec 14 11:02 undo_001.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 8808 Dec 14 11:02 undo_002.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 123 Dec 14 11:02 xtrabackup_binlog_info.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 134 Dec 14 11:02 xtrabackup_checkpoints<br>-rw-r-----. 1 fernando.mattera percona 509 Dec 14 11:02 xtrabackup_info.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 330 Dec 14 11:02 xtrabackup_logfile.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 144 Dec 14 11:02 xtrabackup_tablespaces.zst.xbcrypt<br> |
|
1 |
[fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --decompress --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --remove-original<br>2024-12-14T11:09:22.509686-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql<br>2024-12-14T11:09:22.509990-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --decompress=1 --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --remove-original=1<br>xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7)<br>2024-12-14T11:09:22.611811-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK!<br> |
Why did it fail? Because the files were the same!
|
1 |
[fernando.mattera@ms-highram-test01|dev ~]$ ls -l /home/fernando.mattera/XtraBackups/<br>total 1428<br>-rw-r-----. 1 fernando.mattera percona 380 Dec 14 11:02 backup-my.cnf.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 204 Dec 14 11:02 binlog.000005.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 121 Dec 14 11:02 binlog.index.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 793 Dec 14 11:02 ib_buffer_pool.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 4082 Dec 14 11:02 ibdata1.zst.xbcrypt<br>drwxr-x---. 2 fernando.mattera percona 4096 Dec 14 11:02 mysql<br>-rw-r-----. 1 fernando.mattera percona 1383901 Dec 14 11:02 mysql.ibd.zst.xbcrypt<br>drwxr-x---. 2 fernando.mattera percona 8192 Dec 14 11:02 performance_schema<br>drwxr-x---. 2 fernando.mattera percona 40 Dec 14 11:02 sys<br>drwxr-x---. 2 fernando.mattera percona 35 Dec 14 11:02 test<br>-rw-r-----. 1 fernando.mattera percona 5940 Dec 14 11:02 undo_001.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 8808 Dec 14 11:02 undo_002.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 123 Dec 14 11:02 xtrabackup_binlog_info.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 134 Dec 14 11:02 xtrabackup_checkpoints<br>-rw-r-----. 1 fernando.mattera percona 509 Dec 14 11:02 xtrabackup_info.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 330 Dec 14 11:02 xtrabackup_logfile.zst.xbcrypt<br>-rw-r-----. 1 fernando.mattera percona 144 Dec 14 11:02 xtrabackup_tablespaces.zst.xbcrypt<br> |
How did it work? Decrypting and then decompressing.
|
1 |
[fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --decrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --remove-original<br>2024-12-14T11:11:27.686020-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql<br>2024-12-14T11:11:27.686396-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --decrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --remove-original=1<br>xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7)<br>2024-12-14T11:11:27.687193-00:00 0 [Note] [MY-011825] [Xtrabackup] decrypting ./xtrabackup_logfile.zst.xbcrypt<br>2024-12-14T11:11:27.704967-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_logfile.zst.xbcrypt<br>...several lines later...<br>2024-12-14T11:11:29.658611-00:00 0 [Note] [MY-011825] [Xtrabackup] decrypting ./xtrabackup_tablespaces.zst.xbcrypt<br>2024-12-14T11:11:29.675230-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_tablespaces.zst.xbcrypt<br>2024-12-14T11:11:29.690206-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK!<br><br><br>[fernando.mattera@ms-highram-test01|dev ~]$ ls -l /home/fernando.mattera/XtraBackups/<br>total 73144<br>-rw-r--r--. 1 fernando.mattera percona 447 Dec 14 11:13 backup-my.cnf<br>-rw-r--r--. 1 fernando.mattera percona 288 Dec 14 11:11 backup-my.cnf.zst<br>-rw-r--r--. 1 fernando.mattera percona 157 Dec 14 11:13 binlog.000005<br>-rw-r--r--. 1 fernando.mattera percona 112 Dec 14 11:11 binlog.000005.zst<br>-rw-r--r--. 1 fernando.mattera percona 16 Dec 14 11:13 binlog.index<br>-rw-r--r--. 1 fernando.mattera percona 29 Dec 14 11:11 binlog.index.zst<br>-rw-r--r--. 1 fernando.mattera percona 3009 Dec 14 11:13 ib_buffer_pool<br>-rw-r--r--. 1 fernando.mattera percona 701 Dec 14 11:11 ib_buffer_pool.zst<br>-rw-r--r--. 1 fernando.mattera percona 12582912 Dec 14 11:13 ibdata1<br>-rw-r--r--. 1 fernando.mattera percona 3990 Dec 14 11:11 ibdata1.zst<br>drwxr-x---. 2 fernando.mattera percona 4096 Dec 14 11:13 mysql<br>-rw-r--r--. 1 fernando.mattera percona 27262976 Dec 14 11:13 mysql.ibd<br>-rw-r--r--. 1 fernando.mattera percona 1381877 Dec 14 11:11 mysql.ibd.zst<br>drwxr-x---. 2 fernando.mattera percona 12288 Dec 14 11:13 performance_schema<br>drwxr-x---. 2 fernando.mattera percona 54 Dec 14 11:13 sys<br>drwxr-x---. 2 fernando.mattera percona 44 Dec 14 11:13 test<br>-rw-r--r--. 1 fernando.mattera percona 16777216 Dec 14 11:13 undo_001<br>-rw-r--r--. 1 fernando.mattera percona 5848 Dec 14 11:11 undo_001.zst<br>-rw-r--r--. 1 fernando.mattera percona 16777216 Dec 14 11:13 undo_002<br>-rw-r--r--. 1 fernando.mattera percona 8716 Dec 14 11:11 undo_002.zst<br>-rw-r--r--. 1 fernando.mattera percona 18 Dec 14 11:13 xtrabackup_binlog_info<br>-rw-r--r--. 1 fernando.mattera percona 31 Dec 14 11:11 xtrabackup_binlog_info.zst<br>-rw-r-----. 1 fernando.mattera percona 134 Dec 14 11:02 xtrabackup_checkpoints<br>-rw-r--r--. 1 fernando.mattera percona 684 Dec 14 11:13 xtrabackup_info<br>-rw-r--r--. 1 fernando.mattera percona 417 Dec 14 11:11 xtrabackup_info.zst<br>-rw-r--r--. 1 fernando.mattera percona 2560 Dec 14 11:13 xtrabackup_logfile<br>-rw-r--r--. 1 fernando.mattera percona 238 Dec 14 11:11 xtrabackup_logfile.zst<br>-rw-r--r--. 1 fernando.mattera percona 39 Dec 14 11:13 xtrabackup_tablespaces<br>-rw-r--r--. 1 fernando.mattera percona 52 Dec 14 11:11 xtrabackup_tablespaces.zst<br><br><br><br><br>[fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --decompress --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups/ --remove-original<br>2024-12-14T11:13:41.759924-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql<br>2024-12-14T11:13:41.760136-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --decompress=1 --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups/ --remove-original=1<br>xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7)<br>2024-12-14T11:13:41.761020-00:00 0 [Note] [MY-011825] [Xtrabackup] decompressing ./sys/sys_config.ibd.zst<br>2024-12-14T11:13:41.774379-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./sys/sys_config.ibd.zst<br>...several lines later...<br>2024-12-14T11:13:43.409183-00:00 0 [Note] [MY-011825] [Xtrabackup] decompressing ./xtrabackup_tablespaces.zst<br>2024-12-14T11:13:43.415723-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_tablespaces.zst<br>2024-12-14T11:13:43.464392-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK!<br> |
Easter egg: you can do both things at the same time!
|
1 |
[fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --decompress --decrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups/ --remove-original<br>2024-12-14T11:53:58.354060-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql<br>2024-12-14T11:53:58.354306-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --decompress=1 --decrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups/ --remove-original=1<br>xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7)<br>2024-12-14T11:53:58.355213-00:00 0 [Note] [MY-011825] [Xtrabackup] decrypting and decompressing ./xtrabackup_logfile.zst.xbcrypt<br>2024-12-14T11:53:58.373986-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_logfile.zst.xbcrypt<br>2024-12-14T11:53:58.374142-00:00 0 [Note] [MY-011825] [Xtrabackup] decrypting and decompressing ./ibdata1.zst.xbcrypt<br>...several lines later...<br>2024-12-14T11:54:00.785939-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_tablespaces.zst.xbcrypt<br>2024-12-14T11:54:00.859598-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK!<br><br>[fernando.mattera@ms-highram-test01|dev ~]$ ls -l /home/fernando.mattera/XtraBackups/<br>total 71732<br>-rw-r--r--. 1 fernando.mattera percona 447 Dec 14 11:54 backup-my.cnf<br>-rw-r--r--. 1 fernando.mattera percona 157 Dec 14 11:54 binlog.000007<br>-rw-r--r--. 1 fernando.mattera percona 16 Dec 14 11:54 binlog.index<br>-rw-r--r--. 1 fernando.mattera percona 3009 Dec 14 11:54 ib_buffer_pool<br>-rw-r--r--. 1 fernando.mattera percona 12582912 Dec 14 11:53 ibdata1<br>drwxr-x---. 2 fernando.mattera percona 143 Dec 14 11:53 mysql<br>-rw-r--r--. 1 fernando.mattera percona 27262976 Dec 14 11:53 mysql.ibd<br>drwxr-x---. 2 fernando.mattera percona 12288 Dec 14 11:54 performance_schema<br>drwxr-x---. 2 fernando.mattera percona 28 Dec 14 11:53 sys<br>drwxr-x---. 2 fernando.mattera percona 23 Dec 14 11:53 test<br>-rw-r--r--. 1 fernando.mattera percona 16777216 Dec 14 11:53 undo_001<br>-rw-r--r--. 1 fernando.mattera percona 16777216 Dec 14 11:53 undo_002<br>-rw-r--r--. 1 fernando.mattera percona 18 Dec 14 11:54 xtrabackup_binlog_info<br>-rw-r-----. 1 fernando.mattera percona 134 Dec 14 11:44 xtrabackup_checkpoints<br>-rw-r--r--. 1 fernando.mattera percona 684 Dec 14 11:54 xtrabackup_info<br>-rw-r--r--. 1 fernando.mattera percona 2560 Dec 14 11:53 xtrabackup_logfile<br>-rw-r--r--. 1 fernando.mattera percona 39 Dec 14 11:54 xtrabackup_tablespaces<br> |
Compression is based on recognizing data patterns within files. When you encrypt, you remove those patterns, which makes compressing after encryption practically pointless. Compress first, then encrypt.
Test everything as much as possible. If time constraints prevent this, rely on common sense; above all, testing provides the foundation for everything to proceed smoothly.
With Percona XtraBackup, you can ensure your applications remain fully available and guarantee the consistency and safety of your data files.
