MySQL Enterprise Backup 4.0 Release Notes
Starting with release 4.0.2, MySQL Enterprise Backup supports encrypted InnoDB tablespaces. For details on how the MySQL server encrypts and decrypts InnoDB tables, see InnoDB Data-at-Rest Encryption. See Chapter 6, Working with Encrypted InnoDB Tables on how mysqlbackup commands handle encrypted InnoDB tables.
When InnoDB tablespace encryption uses Oracle Key Vault (OKV) for encryption key management, the feature is referred to as “MySQL Enterprise Transparent Data Encryption (TDE).”
The following are the command-line options for working with encrypted InnoDB tables:
-
Command-Line Format --keyring=VALUEIntroduced 4.0.2 Type String The kind of keyring plugin used for master encryption key management. Currently, there are two possible values:
keyring_file: Thekeyring_fileplugin is used, which means the master encryption key is stored in a keyring file, the location of which is specified by the--keyring_file_dataoption.keyring_okv: Thekeyring_okvplugin is used, which means the master keys are managed by an Oracle Key Vault (OKV); the location of the key vault's endpoint directory is specified by the--keyring_okv_conf_diroption.
The option must be specified for copy-back-and-apply-log operations, copy-back operations that use the
--generate-new-master-keyoption, and offline backups. For online backups, the keyring plugin setting on the server overrides the value set by this option. -
Command-Line Format --keyring_file_data=PATHIntroduced 4.0.2 Type File name Path to the keyring file. The option is required when the option
--keyringhas the valuekeyring_file. For online backups, the--keyring_file_datasetting on the server overrides the value set by this option. -
Command-Line Format --keyring_okv_conf_dir=PATHIntroduced 4.0.2 Type Directory name Path to the Oracle Key Vault (OKV) endpoint directory. The option is required when the option
--keyringhas the valuekeyring_okv. For online backups, the--keyring_okv_conf_dirsetting on the server overrides the value set by this option. -
Command-Line Format --encrypt-password=STRINGIntroduced 4.0.2 Type String The user-supplied password by which mysqlbackup encrypts the encryption keys for the tablespaces. The same password supplied during backup must be supplied again during a
copy-back-and-apply-logor anapply-logoperation for the backup, or mysqlbackup will error out when it encounters encrypted InnoDB tables during the operation.The option must be used when backing up a server that has a keyring plugin enabled for InnoDB table encryption and for restoring a backup containing encrypted InnoDB tables. However, users who do not want to supply the password on the command line or in a default file may use the option without specifying any value; mysqlbackup then asks the user to type in the password before the operation starts.
-
Command-Line Format --generate-new-master-keyIntroduced 4.0.2 Generate new master key. During a restore, when the option is used, mysqlbackup generates a new master key and uses it to reencrypt all the tablespace keys. To use the
--generate-new-master-keyoption, the--keyringoption, as well as the--keyring_file_dataoption (when--keyring=keyring_file) or--keyring_okv_conf_diroption (when--keyring=keyring_okv) must be specified, so that mysqlbackup can access the keyring.