8.4 Working with Encrypted Binary and Relay Logs

MySQL Enterprise Backup 8.0.14 and later supports encrypted binary and relay logs, which are handled in a similar way as the encrypted InnoDB tables are (see Chapter 6, Working with Encrypted InnoDB Tablespaces for details).

When backing up encrypted binary or relay logs, the option --encrypt-password is required for the following purposes:

If the server is using the keyring_encrypted_file plugin, the user must use the option --encrypt-password to supply to mysqlbackup the keyring file encryption password that has been set on the server with the keyring_encrypted_file_password option. mysqlbackup then copies from the server the encrypted keyring data file, which contains the replication master key used to encrypt all the passwords for the individual log files, into the meta folder in the backup.
If the server uses a keyring plugin other than keyring_encrypted_file, mysqlbackup accesses the keyring to obtain the replication master key and uses it to decrypt the individual log files' passwords. The replication master key is then put into a keyring data file, which is encrypted with the user password supplied with the option --encrypt-password, and then saved under the meta folder in the backup with the name keyring_kef.

When restoring encrypted binary or relay logs, the same password used for backing up the database must be supplied with the --encrypt-password option, as mysqlbackup performs the following actions:

For a MySQL Enterprise Server: mysqlbackup restores the encrypted keyring data file to its proper location on the server. The restored server has to be started with keyring_encrypted_file plugin and with the options keyring_encrypted_file_data and keyring_encrypted_file_password (which should supply the server with the same password used with the --encrypt-password option during the restore).
For a MySQL Community Server: The keyring_file plugin is the only keyring plugin supported by the MySQL Community Server; therefore mysqlbackup uses the password supplied with the --encrypt-password option to decrypt the keyring data file and then restores it to the proper location on the server for the keyring_file plugin to use.

For Incremental Backups. For a series of incremental backups, if a keyring plugin other than keyring_encrypted_file is being used on the server, users can provide a different value for --encrypt-password for any of the full or incremental backup in the backup sequence. However, the password used to make the specific full or incremental backup must be provided to restore that backup. When starting the server after restoring a series of incremental backups, the password used for the restore of the last incremental backup should be supplied to the server (except for a MySQL Community Server, which will start with the keyring_file plugin and does not require the keyring_encrypted_file_password option to start).