If the server is using the keyring_encrypted_file plugin, the user must use the option --encrypt-password to supply to mysqlbackup the keyring file encryption password that has been set on the server with the keyring_encrypted_file_password option. mysqlbackup then copies from the server the encrypted keyring data file, which contains the replication master key used to encrypt all the passwords for the individual log files, into the meta folder in the backup.

If the server uses a keyring plugin other than keyring_encrypted_file, mysqlbackup accesses the keyring to obtain the replication master key and uses it to decrypt the individual log files' passwords. The replication master key is then put into a keyring data file, which is encrypted with the user password supplied with the option --encrypt-password, and then saved under the meta folder in the backup with the name keyring_kef.

For a MySQL Enterprise Server: mysqlbackup restores the encrypted keyring data file to its proper location on the server. The restored server has to be started with keyring_encrypted_file plugin and with the options keyring_encrypted_file_data and keyring_encrypted_file_password (which should supply the server with the same password used with the --encrypt-password option during the restore).

For a MySQL Community Server: The keyring_file plugin is the only keyring plugin supported by the MySQL Community Server; therefore mysqlbackup uses the password supplied with the --encrypt-password option to decrypt the keyring data file and then restores it to the proper location on the server for the keyring_file plugin to use.