MySQL Enterprise Backup User's Guide (Version 8.0.17)

Chapter 6 Working with Encrypted InnoDB Tablespaces

MySQL Enterprise Backup supports encrypted InnoDB tablespaces. For details on how the MySQL server encrypts and decrypts InnoDB tablespaces, see InnoDB Data-at-Rest Encryption—it explains concepts like master key and tablespace keys, which are important for understanding how MySQL Enterprise Backup works with encrypted InnoDB tablespaces.

When InnoDB tablespace encryption uses Oracle Key Vault (OKV) for encryption key management, the feature is referred to as MySQL Enterprise Transparent Data Encryption (TDE).

The following is a brief description on how encrypted InnoDB tablespaces are handled by MySQL Enterprise Backup in backup, restore, and apply-log operations.

Note
  • For MySQL Enterprise Backup 8.0.16 and later: Encrypted InnoDB undo logs are supported by MySQL Enterprise Backup. The encrypted undo tablespaces are handled the same way as the encrypted tablespaces for InnoDB tables.

  • For MySQL Enterprise Backup 8.0.17 and later: Encrypted InnoDB redo logs are supported by MySQL Enterprise Backup. The encrypted redo tablespaces are handled the same way as the encrypted tablespaces for InnoDB tables.

Backing up a database with encrypted InnoDB tablespaces. 

Important

For MySQL Enterprise Backup to backup encrypted InnoDB tablespaces, the operating system user that runs MySQL Enterprise Backup must have write permission for the keyring file on the server if the keyring_file or keyring_aws plugin is used on it.

When the database uses encrypted InnoDB tablespaces, MySQL Enterprise Backup always stores the master key for encryption in an encrypted file inside the backup, irrespective of the kind of keyring plugin the server uses. The following is a typical command for backing up a database containing encrypted InnoDB tablespaces:

$ mysqlbackup --user=root --password --backup-image=/home/admin/backups/my.mbi --backup-dir=/home/admin/backup-tmp \
    --encrypt-password="password" backup-to-image

During the backup operation, mysqlbackup copies the encrypted InnoDB tablespace files into the backup, and also performs the following actions:

Note

Users who do not want to supply the password on the command line or in a defaults file may use the --encrypt-password option without specifying any value; mysqlbackup then asks the user to type in the password before the operation starts. This applies to all commands that use the --encrypt-password option.

An extract or image-to-backup-dir command for an image backup containing encrypted InnoDB tablespaces does not require the --encrypt-password option.

Restoring a backup with encrypted InnoDB tablespaces.  The following is a typical command for restoring a single-file back up containing encrypted InnoDB tablespaces:

$ mysqlbackup  --defaults-file=/usr/local/mysql/my.cnf  --backup-image=/home/admin/backups/my.mbi \
    --backup-dir=/home/admin/restore-tmp --encrypt-password="password" copy-back-and-apply-log

The same password used for backing up the database must be supplied with the --encrypt-password option for a restore operation. During a restore, mysqlbackup copies the encrypted InnoDB tablespace files and the encrypted file containing the master keys (keyring_kef) onto the server. It also performs the following actions:

For Incremental Backups.  For a series of incremental backups, if a keyring plugin other than keyring_encrypted_file is being used on the server, users can provide a different value for --encrypt-password for any of the full or incremental backup in the backup sequence. However, the password used to make the specific full or incremental backup must be provided to restore that backup. When starting the server after restoring a series of incremental backups, the password used for the restore of the last incremental backup should be supplied to the server (except for a MySQL Community Server, which will start with the keyring_file plugin and does not require the --keyring_encrypted_file_password option to start).

Advanced: Creating and Restoring a directory backup with encrypted InnoDB tablespaces.  The following is a typical command for creating a directory backup containing encrypted InnoDB tablespaces:

$ mysqlbackup --user=root --password --backup-dir=/home/admin/backup \
    --encrypt-password="password" backup

The following is a typical command for preparing the backup with the apply-log command:

$ mysqlbackup --backup-dir=/home/admin/backup  --encrypt-password="password" apply-log

Notice that the user password must be supplied with the --encrypt-password option, as the tablespace keys and then the tablespaces must be decrypted before the log can be applied. The same requirement applies when you try to update an encrypted backup with an encrypted incremental backup using the apply-incremental-backup command:

$ mysqlbackup  --backup-dir=/home/admin/backup --incremental-backup-dir=/home/admin/backup-in \
    --encrypt-password="password" apply-incremental-backup

If you used different values for --encrypt-password for the full or incremental backups in the backup sequence, make sure you supply the very password you used to create an individual backup when you perform an apply-log or apply-incremental-backup operation with it.

Next, a copy-back command restores the prepared backup onto the server:

$ mysqlbackup  --defaults-file=/usr/local/mysql/my.cnf  --backup-dir=/home/admin/backup copy-back

Notice that the --encrypt-password option is not required for this step.

You can combine the two steps of apply-log and copy-back into one by running the copy-back-and-apply-log command, for which the --encrypt-password option is required:

$ mysqlbackup  --defaults-file=/usr/local/mysql/my.cnf  --backup-dir=/home/admin/backup \ 
  --encrypt-password="password" copy-back-and-apply-log

Limitations.  Certain limitations apply when MySQL Enterprise Backup works with encrypted InnoDB tablespaces: