To enhance the security of backed-up data, MySQL Enterprise Backup provides encryption for single-file backups as of version 3.10. The encryption can also be applied when creating a partial, compressed, or incremental single-file backup, and when streaming backup data to another device or server.
The encryption is performed with the Advanced Encryption Standard (AES) block cipher in CBC mode, with a key string of 64 hexadecimal digits supplied by the user. Decryption is performed using the same key. The key can be created manually by putting together 64 random hexadecimal digits, or it can be generated by shasum (or a similar hash calculation program that works on your platform) by supplying it with a keyphrase:
$ echo -n "my secret passphrase" | shasum -a 256
a7e845b0854294da9aa743b807cb67b19647c1195ea8120369f3d12c70468f29 -
Note that the “-” at the end is not part of the key and should be ignored. Supply the key to mysqlbackup with the --key option, or paste the key into a key file and supply the file's pathname to mysqlbackup with the --key-file option.
To generate a key randomly, you can use tools like OpenSSL:
$ openssl rand -hex 32
8f3ca9b850ec6366f4a54feba99f2dc42fa79577158911fe8cd641ffff1e63d6
To put an OpenSSL-generated key into a key file, you can do the following:
$ openssl rand -hex 32 > keyfile
$ cat keyfile
6a1d325e6ef0577f3400b7cd624ae574f5186d0da2eeb946895de418297ed75b
The encryption function uses MySQL Enterprise Backup's own encryption format; decryption is possible only by using MySQL Enterprise Backup. For Unix-like operating systems, different magic numbers are used to identify encrypted and unencrypted backup files. For example, you can add these lines to the /etc/magic file of your operating system:
0 string MBackuP\n MySQL Enterprise Backup backup image
0 string MebEncR\n MySQL Enterprise Backup encrypted backup
The file command can then be used to identify the file types:
$ file /backups/image1 /backups/image2
/backups/image1: MySQL Enterprise Backup backup image
/backups/image2: MySQL Enterprise Backup encrypted backup
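The key format and the magic headers above are easy to check before a backup or restore job is started. The following shell helpers are an added example, not code from the MySQL Enterprise Backup manual: they validate that a key (from the command line or a key file) is exactly 64 hexadecimal digits, create a key file that only its owner can read, and classify a file as a plain or encrypted backup image by its first eight bytes without editing /etc/magic. The function names and the sample files written by demo are this example's own constructed values.

```shell
#!/bin/sh
# Added example, not code from the MySQL Enterprise Backup manual: shell helpers
# for checking a mysqlbackup key before it is used and for identifying a backup
# image by the magic header described above, without editing /etc/magic.
# Function names and the sample files are this example's own.
set -eu

# Succeed only if $1 is a well-formed key: exactly 64 hexadecimal digits
# (32 bytes), upper- or lowercase.
is_valid_meb_key() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{64}$'
}

# Print the key stored in key file $1 with any trailing newline removed
# (shasum and openssl both end their output with one); fail on a malformed key.
read_meb_key_file() {
    key=$(tr -d '\r\n' < "$1")
    if ! is_valid_meb_key "$key"; then
        echo "$1 does not contain a 64-hex-digit key" >&2
        return 1
    fi
    printf '%s' "$key"
}

# Create key file $1 from 32 random bytes, readable by the owner only.
# Assumes the openssl command line tool is installed.
new_meb_key_file() {
    ( umask 077 && openssl rand -hex 32 > "$1" )
    read_meb_key_file "$1" > /dev/null
}

# Classify file $1 by its first eight bytes, compared as hex so that the
# newline in the magic string is checked too:
#   "MBackuP\n" = 4d4261636b75500a  -> plain (unencrypted image)
#   "MebEncR\n" = 4d6562456e63520a  -> encrypted
meb_image_type() {
    magic=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$magic" in
        4d4261636b75500a) echo plain ;;
        4d6562456e63520a) echo encrypted ;;
        *) echo unknown ;;
    esac
}

# Demonstration on constructed files (not real backup images).
demo() {
    dir=$(mktemp -d)
    printf 'MBackuP\nconstructed-plain-image' > "$dir/image1"
    printf 'MebEncR\nconstructed-encrypted-image' > "$dir/image2"
    printf 'not a backup' > "$dir/notes.txt"
    for f in image1 image2 notes.txt; do
        echo "$f: $(meb_image_type "$dir/$f")"
    done
    # A passphrase-derived key as produced by the shasum pipeline above:
    printf '%s\n' a7e845b0854294da9aa743b807cb67b19647c1195ea8120369f3d12c70468f29 > "$dir/key"
    echo "key file ok: $(read_meb_key_file "$dir/key")"
    rm -rf "$dir"
}

demo
```

read_meb_key_file strips the newline because a key file produced with shell redirection ends with one, and a key that fails validation is reported before mysqlbackup is ever invoked. A key derived from a passphrase with shasum is only as strong as that passphrase, so for a key that is stored in a file anyway, the random key from new_meb_key_file is the better choice; the file is created with mode 0600 so that the backup key is not readable by other local users.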
The command options used for encryption and decryption are --encrypt, --decrypt, --key, and --key-file. These options can be used with various operations on backup images. See Section 5.1.14, “Encryption Options” for details.
The following is a sample command for creating an encrypted backup:
mysqlbackup --backup-image=/backups/image.enc --encrypt --key=23D987F3A047B475C900127148F9E0394857983645192874A2B3049570C12A34 --backup-dir=/var/tmp/backup backup-to-image
To use a key file for the same task:
mysqlbackup --backup-image=/backups/image.enc --encrypt --key-file=/meb/key --backup-dir=/var/tmp/backup backup-to-image
To decrypt a backup when extracting it:
mysqlbackup --backup-image=/backups/image.enc --decrypt --key-file=/meb/key --backup-dir=/backups/extract-dir extract
To validate an encrypted backup image:
mysqlbackup --backup-image=/logs/encimage.bi --decrypt --key-file=/meb/enckey validate
This section describes how you can use MySQL Enterprise Backup in combination with media management software (MMS) products. Such products are typically used for managing large volumes of backup data, often with high-capacity backup devices such as tape drives.
Tape drives are affordable, high-capacity storage devices for backup data. The MySQL Enterprise Backup product can interface with media management software (MMS) such as Oracle Secure Backup (OSB) to drive MySQL backup and restore jobs. The media management software must support Version 2 or higher of the System Backup to Tape (SBT) interface.
On the MySQL Enterprise Backup side, you run the backup job as a single-file backup using the --backup-image parameter, with the prefix sbt: in front of the filename, and optionally pass other --sbt-* parameters to the mysqlbackup command to control various aspects of the SBT processing. The --sbt-* options are listed in Section 5.1.10, “Single-File Backup Options”.
On the OSB side, you can schedule MySQL Enterprise Backup jobs by specifying a configurable command that calls mysqlbackup. You control OSB features such as encryption by defining a “storage selector” that applies those features to a particular backup, and passing the name of the storage selector to OSB using the MySQL Enterprise Backup parameter --sbt-database-name=storage_selector.
To back up MySQL data to tape:
1. Specify the --backup-image=sbt:name parameter of the mysqlbackup command to uniquely identify the backup data. The sbt: prefix sends the backup data to the MMS rather than a local file, and the remainder of the argument value is used as the unique backup name within the MMS.
2. Specify the --sbt-database-name parameter of the mysqlbackup command to enable the OSB operator to configure a storage selector for backups from this MySQL source. (This parameter refers to a “storage selector” defined by the OSB operator, not to any MySQL database name.) By default, mysqlbackup supplies a value of MySQL for this MMS parameter. The argument to this option is limited to 8 bytes.
3. If you have multiple media management programs installed, to select the specific SBT library to use, specify the --sbt-lib-path parameter of the mysqlbackup command. If you do not specify the --sbt-lib-path parameter, mysqlbackup uses the normal operating system paths and environment variables to locate the SBT library, which is named libobk.so on Linux and Unix systems and ORASBT.DLL on Windows systems. When you specify --sbt-lib-path, you can use a different filename for the library in addition to specifying the path.
4. Specify any other product-specific settings that are normally controlled by environment variables using the --sbt-environment option.
To restore MySQL data from tape:
1. Specify the --backup-image=sbt:name parameter of the mysqlbackup command as part of the restore operation. Use the same name value as during the original backup. This single parameter retrieves the appropriate data from the appropriate tape device.
2. Optionally use the --sbt-lib-path option, using the same values as for the backup operation.
3. Specify any other product-specific settings that are normally controlled by environment variables using the --sbt-environment option.
For product-specific information about Oracle Secure Backup, see the Oracle Secure Backup documentation.
Example 9.1 Sample mysqlbackup Commands Using MySQL Enterprise Backup with Oracle Secure Backup
# Uses libobk.so or ORASBT.DLL in standard places:
mysqlbackup --port=3306 --protocol=tcp --user=root --password \
  --backup-image=sbt:backup-shoeprod-2011-05-30 \
  --backup-dir=/backup backup-to-image

# Associates this backup with storage selector 'shoeprod':
mysqlbackup --port=3306 --protocol=tcp --user=root --password \
  --backup-image=sbt:backup-shoeprod-2011-05-30 \
  --sbt-database-name=shoeprod \
  --backup-dir=/backup backup-to-image

# Uses an alternative SBT library, /opt/Other-MMS.so:
mysqlbackup --port=3306 --protocol=tcp --user=root --password \
  --backup-image=sbt:backup-shoeprod-2011-05-30 \
  --sbt-lib-path=/opt/Other-MMS.so \
  --backup-dir=/backup backup-to-image
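The backup and restore procedures above share three values that must agree: the sbt:name backup name, the optional SBT library path, and a storage selector that may not exceed 8 bytes. The following shell script is an added example, not code from the MySQL Enterprise Backup manual or from Oracle Secure Backup: it assembles the argument lists for a backup-to-image job and for the matching extract of the same image, enforcing the 8-byte limit on --sbt-database-name (counted in bytes, not characters) before anything is run. The function names, the sample backup name and selector, and the /restore directory are this example's own constructed values; the port, user and library path match the manual's sample commands.

```shell
#!/bin/sh
# Added example, not code from the MySQL Enterprise Backup manual: assemble the
# mysqlbackup argument lists for an SBT backup and the matching restore,
# checking the 8-byte limit on --sbt-database-name first. Function names and
# the sample backup name / selector are this example's own constructed values.
set -eu

# Length of $1 in bytes. The limit is in bytes, not characters, so a selector
# containing multi-byte UTF-8 characters reaches it sooner than it looks.
byte_len() {
    printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' '
}

# Succeed only if $1 can be passed as --sbt-database-name (1 to 8 bytes).
is_valid_sbt_selector() {
    [ -n "$1" ] && [ "$(byte_len "$1")" -le 8 ]
}

# Print, one per line, the arguments for a backup-to-image job sent to the MMS.
#   $1 backup name (becomes sbt:<name>, the unique name within the MMS)
#   $2 storage selector defined by the OSB operator
#   $3 optional SBT library path; empty means libobk.so / ORASBT.DLL is
#      located through the normal system paths
sbt_backup_args() {
    name=$1; selector=$2; libpath=${3:-}
    if ! is_valid_sbt_selector "$selector"; then
        echo "storage selector '$selector' is empty or longer than 8 bytes" >&2
        return 1
    fi
    set -- --port=3306 --protocol=tcp --user=root --password \
        "--backup-image=sbt:$name" "--sbt-database-name=$selector"
    if [ -n "$libpath" ]; then
        set -- "$@" "--sbt-lib-path=$libpath"
    fi
    printf '%s\n' "$@" --backup-dir=/backup backup-to-image
}

# Print the arguments for extracting the same image from the MMS: the
# sbt:<name> value and the library path must match the ones used for the
# backup. /restore is a constructed target directory.
sbt_restore_args() {
    name=$1; libpath=${2:-}
    set -- --port=3306 --protocol=tcp --user=root --password \
        "--backup-image=sbt:$name" --backup-dir=/restore
    if [ -n "$libpath" ]; then
        set -- "$@" "--sbt-lib-path=$libpath"
    fi
    printf '%s\n' "$@" extract
}

# Demonstration with constructed values (the manual's sample job above):
echo "mysqlbackup backup job:"
sbt_backup_args backup-shoeprod-2011-05-30 shoeprod /opt/Other-MMS.so | sed 's/^/    /'
echo "matching restore:"
sbt_restore_args backup-shoeprod-2011-05-30 /opt/Other-MMS.so | sed 's/^/    /'
```

The functions only print the argument lists, so the script can be reviewed on a host without mysqlbackup installed; to run a job, pass the printed arguments to mysqlbackup. Keeping the backup name in one variable that both functions consume is what guarantees the restore refers to the same tape image as the backup, which the manual requires.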