MySQL Enterprise Backup supports encrypted binary and relay logs, which are handled in a similar way as the encrypted InnoDB tables are (see Chapter 6, Working with Encrypted InnoDB Tablespaces for details).
When backing up encrypted binary or relay logs, the option
--encrypt-password is required for the
If the server is using the
keyring_encrypted_fileplugin, the user must use the option
--encrypt-passwordto supply to mysqlbackup the keyring file encryption password that has been set on the server with the
keyring_encrypted_file_passwordoption. mysqlbackup then copies from the server the encrypted keyring data file, which contains the replication master key used to encrypt all the passwords for the individual log files, into the
metafolder in the backup.
If the server uses a keyring plugin other than
keyring_encrypted_file, mysqlbackup accesses the keyring to obtain the replication master key and uses it to decrypt the individual log files' passwords. The replication master key is then put into a keyring data file, which is encrypted with the user password supplied with the option
--encrypt-password, and then saved under the
metafolder in the backup with the name
When restoring encrypted binary or relay logs, the same password
used for backing up the database must be supplied with the
--encrypt-password option, as
mysqlbackup performs the following actions:
For a MySQL Enterprise Server: mysqlbackup restores the encrypted keyring data file to its proper location on the server. The restored server has to be started with
keyring_encrypted_fileplugin and with the options
keyring_encrypted_file_password(which should supply the server with the same password used with the
--encrypt-passwordoption during the restore).
For a MySQL Community Server: The
keyring_fileplugin is the only keyring plugin supported by the MySQL Community Server; therefore mysqlbackup uses the password supplied with the
--encrypt-passwordoption to decrypt the keyring data file and then restores it to the proper location on the server for the
keyring_fileplugin to use.
For Incremental Backups.
For a series of incremental backups, if a keyring plugin other
keyring_encrypted_file is being used on
the server, users can provide a different value for
--encrypt-password for any of the
full or incremental backup in the backup sequence. However, the
password used to make the specific full or incremental backup
must be provided to restore that backup. When starting the
server after restoring a series of incremental backups, the
password used for the restore of the last incremental backup
should be supplied to the server (except for a MySQL Community
Server, which will start with the
keyring_file plugin and does not require the
option to start).