MySQL Enterprise Backup User's Guide (Version 4.1.4)
Starting with release 4.0.2, MySQL Enterprise Backup supports encrypted InnoDB tablespaces. For details on how the MySQL server encrypts and decrypts InnoDB tables, see InnoDB Data-at-Rest Encryption. For how mysqlbackup commands handle encrypted InnoDB tables, see Chapter 6, Working with Encrypted InnoDB Tables.
When InnoDB tablespace encryption uses Oracle Key Vault (OKV) for encryption key management, the feature is referred to as “MySQL Enterprise Transparent Data Encryption (TDE).”
The following are the command-line options for working with encrypted InnoDB tables:
Command-Line Format | --keyring=VALUE |
---|---|
Type | String |
(Only for MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier) The kind of keyring plugin used for master encryption key management. Currently, there are two possible values:
keyring_file: The keyring_file plugin is used, which means the master encryption key is stored in a keyring file, the location of which is specified by the --keyring_file_data option.
keyring_okv: The keyring_okv plugin is used, which means the master keys are managed by an Oracle Key Vault (OKV); the location of the key vault's endpoint directory is specified by the --keyring_okv_conf_dir option.
The option must be specified for copy-back-and-apply-log operations, copy-back operations that use the --generate-new-master-key option, and offline backups. For online backups, the keyring plugin setting on the server overrides the value set by this option.
Command-Line Format | --keyring_file_data=PATH |
---|---|
Type | File name |
(Only for MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier) Path to the keyring file. The option is required when the option --keyring has the value keyring_file. For online backups, the --keyring_file_data setting on the server overrides the value set by this option.
Command-Line Format | --keyring_okv_conf_dir=PATH |
---|---|
Type | Directory name |
(Only for MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier) Path to the Oracle Key Vault (OKV) endpoint directory. The option is required when the option --keyring has the value keyring_okv. For online backups, the --keyring_okv_conf_dir setting on the server overrides the value set by this option.
Command-Line Format | --encrypt-password=STRING |
---|---|
Type | String |
For MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier: The user-supplied password by which mysqlbackup encrypts the encryption keys for the tablespaces.
For MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.21 and later: The user-supplied password by which mysqlbackup encrypts the master encryption key, which is used to encrypt the encryption keys for the InnoDB tablespaces. If the server is using the keyring_encrypted_file plugin, the password supplied with the option must match the value of the system variable keyring_encrypted_file_password on the server. If different passwords were used for different backups in a sequence of full and incremental backups, make sure the very password used to create an individual backup is supplied when performing an apply-log, apply-incremental-backup, or copy-back-and-apply-log operation with it.
The option must be used when backing up a server that has a keyring plugin enabled for InnoDB table encryption and for restoring a backup containing encrypted InnoDB tables. The same password supplied during backup must be supplied again during a copy-back-and-apply-log, apply-log, or an apply-incremental-backup operation for the backup, or mysqlbackup will error out when it encounters encrypted InnoDB tables during the operation.
Users who do not want to supply the password on the command line or in a defaults file may use the option without specifying any value; mysqlbackup then asks the user to type in the password before the operation starts.
Command-Line Format | --generate-new-master-key |
---|---|
(Only for MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier) Generate new master key. During a restore, when the option is used, mysqlbackup generates a new master key and uses it to reencrypt all the tablespace keys. To use the --generate-new-master-key option, the --keyring option, as well as the --keyring_file_data option (when --keyring=keyring_file) or --keyring_okv_conf_dir option (when --keyring=keyring_okv) must be specified, so that mysqlbackup can access the keyring.
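The following is an added example, not part of the original guide or of MySQL Enterprise Backup: a small pre-flight check that applies the option dependencies described above to a restore command line before it is run. It assumes MySQL Enterprise Backup 4.1.0 (or 4.1.1 with MySQL 5.7.20 and earlier), a backup containing encrypted InnoDB tables, and options written in the --name=value form used on this page; the function names and all paths and passwords in the samples are constructed, and flagging a password typed on the command line is this example's own policy.

```python
import shlex

# Keyring plugin value -> companion option this page says it requires.
KEYRING_PATH_OPTION = {
    "keyring_file": "--keyring_file_data",
    "keyring_okv": "--keyring_okv_conf_dir",
}


def parse_options(argv):
    """Split argv into ({option: value or None}, [positional words])."""
    opts, words = {}, []
    for arg in argv:
        if arg.startswith("--"):
            name, sep, value = arg.partition("=")
            opts[name] = value if sep else None
        else:
            words.append(arg)
    return opts, words


def lint(command_line):
    """Return a list of findings for one mysqlbackup command line."""
    opts, words = parse_options(shlex.split(command_line)[1:])
    findings = []
    new_key = "--generate-new-master-key" in opts
    # Operations for which --keyring must be specified (offline backups
    # cannot be recognized from the arguments and are not checked here).
    needs_keyring = ("copy-back-and-apply-log" in words
                     or ("copy-back" in words and new_key))
    keyring = opts.get("--keyring")
    if keyring is None:
        if needs_keyring:
            findings.append("--keyring is required for this operation")
    elif keyring not in KEYRING_PATH_OPTION:
        findings.append("--keyring must be keyring_file or keyring_okv")
    path_opt = KEYRING_PATH_OPTION.get(keyring)
    if path_opt and not opts.get(path_opt):
        findings.append(f"{path_opt} is required when --keyring={keyring}")
    # Example policy: a value here ends up in process listings and shell
    # history; without a value mysqlbackup prompts for the password.
    if opts.get("--encrypt-password"):
        findings.append("--encrypt-password has a value on the command "
                        "line; omit the value to be prompted instead")
    return findings


if __name__ == "__main__":
    sample = ("mysqlbackup --backup-dir=/backups/full --keyring=keyring_okv "
              "--generate-new-master-key --encrypt-password=S3cret copy-back")
    for finding in lint(sample):
        print(finding)
```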