MySQL Enterprise Backup 8.0 User's Guide  /  ...  /  Options for Working with Encrypted InnoDB Tablespaces and Encrypted Binary/Relay Logs

17.14 Options for Working with Encrypted InnoDB Tablespaces and Encrypted Binary/Relay Logs

MySQL Enterprise Backup supports encrypted InnoDB tablespaces and, for release 8.0.14 and later, encrypted binary/relay logs. For details on how MySQL Server encrypts and decrypts these items, see InnoDB Data-at-Rest Encryption and Encrypting Binary Log Files and Relay Log Files . See Chapter 6, Working with Encrypted InnoDB Tablespaces and Working with Encrypted Binary and Relay Logs on how mysqlbackup commands handle these encrypted items.

The following is the command-line option for working with encrypted InnoDB tables and binary/relay logs:

  • --encrypt-password[=STRING]

    Property Value
    Command-Line Format --encrypt-password=STRING
    Type String

    The user-supplied password by which mysqlbackup encrypts the master encryption key, which is used to encrypt the encryption keys for the InnoDB tablespaces or binary/relay log files.

    The option must be used when backing up a server that has a keyring plugin enabled for InnoDB table or binary/relay log encryption and for restoring a backup containing encrypted InnoDB tables or binary/relay log. If the server is using the keyring_encrypted_file plugin, the password supplied with the option must match the value of the system variable keyring_encrypted_file_password on the server.

    The same password supplied during backup must be supplied again during a copy-back-and-apply-log, apply-log, or an apply-incremental-backup operation for the backup, or mysqlbackup will error out when it encounters encrypted InnoDB tables or binary/relay logs during the operation. If different passwords were used for different backups in a sequence of full and incremental backups, make sure the very password used to create an individual backup is supplied when performing an apply-log, apply-incremental-backup, or copy-back-and-apply-log operation on it.

    Users who do not want to supply the password on the command line or in a default file may use the option without specifying any value; mysqlbackup then asks the user to type in the password before the operation starts.