Documentation Home
MySQL Enterprise Backup 8.4 User's Guide
Related Documentation Download this Manual
PDF (US Ltr) - 1.3Mb
PDF (A4) - 1.3Mb


Chapter 10 Encryption for Backups

In order to enhance security for backed up data, MySQL Enterprise Backup provides encryption for single-file backups. The encryption can also be applied when creating a partial, compressed, or incremental single-file backups, and for streaming backup data to another device or server.

The encryption is performed with Advanced Encryption Standard (AES) block cipher in CBC mode, with a key string of 64 hexadecimal digits supplied by the user. Decryption is performed using the same key. The key can be created manually just by putting together 64 random hexadecimal bytes, or it can be generated by shasum (or similar programs for hash calculations that work on your platform) by supplying it with a keyphrase:

$ echo -n "my secret passphrase" | shasum -a 256
a7e845b0854294da9aa743b807cb67b19647c1195ea8120369f3d12c70468f29  -

Note that the - at the end is not part of the key and should be ignored. Supply the key to mysqlbackup with the --key option, or paste the key into a key file and supply the file's pathname to mysqlbackup with the --key-file option.

To generate a key randomly, you can use tools like OpenSSL:

$ openssl rand -hex 32
8f3ca9b850ec6366f4a54feba99f2dc42fa79577158911fe8cd641ffff1e63d6

To put an OpenSSL-generated key into a key file, you can do the following:

$ openssl rand  -hex 32 >keyfile
$ cat keyfile
6a1d325e6ef0577f3400b7cd624ae574f5186d0da2eeb946895de418297ed75b

The encryption function uses MySQL Enterprise Backup's own encryption format, which means decryption is possible only by using MySQL Enterprise Backup. For Unix-like operating systems, different magic numbers are used to identify encrypted and unencrypted backup files. For example, you can add these lines to the /etc/magic file of your operating system:

0   string  MBackuP\n   MySQL Enterprise Backup backup image
0   string  MebEncR\n   MySQL Enterprise Backup encrypted backup

The file command can then be used to identify the file types:

  $ file /backups/image1 /backups/image2
  /backups/image1: MySQL Enterprise Backup backup image
  /backups/image2: MySQL Enterprise Backup encrypted backup

The command options used for encryption and decryption are --encrypt, --decrypt, --key, and --key-file. These options can be used with various operations on backup images. See Section 20.13, “Encryption Options” for details.

The following is a sample command for creating an encrypted backup:

mysqlbackup --defaults-file=/home/dbadmin/backup.cnf --backup-image=/backups/image.enc --encrypt \
   --key=23D987F3A047B475C900127148F9E0394857983645192874A2B3049570C12A34 \
   --backup-dir=/var/tmp/backup  backup-to-image

To use a key file for the same task:

mysqlbackup --defaults-file=/home/dbadmin/backup.cnf --backup-image=/backups/image.enc --encrypt
   --key-file=/meb/key  --backup-dir=/var/tmp/backup  backup-to-image

To decrypt a backup when extracting it:

mysqlbackup --backup-image=/backups/image.enc --decrypt
   --key-file=/meb/key --backup-dir=/backups/extract-dir  extract

To validate an encrypted backup image:

mysqlbackup --backup-image=/logs/encimage.bi --decrypt --key-file=/meb/enckey validate