MySQL Enterprise Backup 4.1 User's Guide

16.14 Options for Working with Encrypted InnoDB Tablespaces

Starting with release 4.0.2, MySQL Enterprise Backup supports encrypted InnoDB tablespaces. For details on how the MySQL server encrypts and decrypts InnoDB tables, see InnoDB Data-at-Rest Encryption. See Chapter 6, Working with Encrypted InnoDB Tables on how mysqlbackup commands handle encrypted InnoDB tables.

When InnoDB tablespace encryption uses Oracle Key Vault (OKV) for encryption key management, the feature is referred to as MySQL Enterprise Transparent Data Encryption (TDE).

The following are the command-line options for working with encrypted InnoDB tables:

  • --keyring=VALUE

    Command-Line Format: --keyring=VALUE
    Type: String

    (Only for MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier) The kind of keyring plugin used for master encryption key management. Currently, there are two possible values:

    • keyring_file: The keyring_file plugin is used, which means the master encryption key is stored in a keyring file, the location of which is specified by the --keyring_file_data option.

    • keyring_okv: The keyring_okv plugin is used, which means the master keys are managed by an Oracle Key Vault (OKV); the location of the key vault's endpoint directory is specified by the --keyring_okv_conf_dir option.

    The option must be specified for copy-back-and-apply-log operations, copy-back operations that use the --generate-new-master-key option, and offline backups. For online backups, the keyring plugin setting on the server overrides the value set by this option.

  • --keyring_file_data=PATH

    Command-Line Format: --keyring_file_data=PATH
    Type: File name

    (Only for MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier) Path to the keyring file. The option is required when the option --keyring has the value keyring_file. For online backups, the --keyring_file_data setting on the server overrides the value set by this option.

  • --keyring_okv_conf_dir=PATH

    Command-Line Format: --keyring_okv_conf_dir=PATH
    Type: Directory name

    (Only for MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier) Path to the Oracle Key Vault (OKV) endpoint directory. The option is required when the option --keyring has the value keyring_okv. For online backups, the --keyring_okv_conf_dir setting on the server overrides the value set by this option.

  • --encrypt-password[=STRING]

    Command-Line Format: --encrypt-password=STRING
    Type: String

    For MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier: The user-supplied password by which mysqlbackup encrypts the encryption keys for the tablespaces.

    For MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.21 and later: The user-supplied password by which mysqlbackup encrypts the master encryption key, which is used to encrypt the encryption keys for the InnoDB tablespaces. If the server is using the keyring_encrypted_file plugin, the password supplied with the option must match the value of the system variable keyring_encrypted_file_password on the server. If different passwords were used for different backups in a sequence of full and incremental backups, make sure the very password used to create an individual backup is supplied when performing an apply-log, apply-incremental-backup, or copy-back-and-apply-log operation with it.

    The option must be used when backing up a server that has a keyring plugin enabled for InnoDB table encryption and for restoring a backup containing encrypted InnoDB tables. The same password supplied during backup must be supplied again during a copy-back-and-apply-log, apply-log, or an apply-incremental-backup operation for the backup, or mysqlbackup will error out when it encounters encrypted InnoDB tables during the operation.

    Users who do not want to supply the password on the command line or in a defaults file may use the option without specifying any value; mysqlbackup then asks the user to type in the password before the operation starts.

  • --generate-new-master-key

    Command-Line Format: --generate-new-master-key

    (Only for MySQL Enterprise Backup 4.1.0, or MySQL Enterprise Backup 4.1.1 working with MySQL 5.7.20 and earlier) Generate a new master key. During a restore, when the option is used, mysqlbackup generates a new master key and uses it to reencrypt all the tablespace keys. To use the --generate-new-master-key option, the --keyring option, as well as the --keyring_file_data option (when --keyring=keyring_file) or --keyring_okv_conf_dir option (when --keyring=keyring_okv) must be specified, so that mysqlbackup can access the keyring.
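
The option dependencies described above can be checked before mysqlbackup is invoked. The following pre-flight check is an added example, not part of the manual or of MySQL Enterprise Backup. It assumes MySQL Enterprise Backup 4.1.0, or 4.1.1 working with MySQL 5.7.20 and earlier, and a backup that contains encrypted InnoDB tables; lint_meb_args is a hypothetical helper name and the argument list at the end is constructed.

```sh
#!/bin/sh
# Added example (not from the manual): lint a mysqlbackup argument list against
# the option rules in this section. Applies to MEB 4.1.0, or 4.1.1 with MySQL
# 5.7.20 and earlier, and assumes the backup contains encrypted InnoDB tables.
# lint_meb_args is a hypothetical helper name. Prints one finding per line;
# returns 0 when there are none, 1 otherwise.
lint_meb_args() {
    keyring="" file_data=0 okv_dir=0 new_key=0 pw=none op="" n=0
    for arg in "$@"; do
        case "$arg" in
            --keyring=*)               keyring=${arg#--keyring=} ;;
            --keyring_file_data=*)     file_data=1 ;;
            --keyring_okv_conf_dir=*)  okv_dir=1 ;;
            --generate-new-master-key) new_key=1 ;;
            --encrypt-password)        pw=prompt ;;
            --encrypt-password=*)      pw=inline ;;
            copy-back-and-apply-log|copy-back|apply-log|apply-incremental-backup)
                                       op=$arg ;;
        esac
    done
    finding() { echo "$1"; n=$((n + 1)); }
    case "$keyring" in
        keyring_file) [ "$file_data" -eq 1 ] ||
                          finding "--keyring=keyring_file requires --keyring_file_data" ;;
        keyring_okv)  [ "$okv_dir" -eq 1 ] ||
                          finding "--keyring=keyring_okv requires --keyring_okv_conf_dir" ;;
        "")  # required for copy-back-and-apply-log and for --generate-new-master-key
             if [ "$op" = copy-back-and-apply-log ] || [ "$new_key" -eq 1 ]; then
                 finding "--keyring is required for this operation"
             fi ;;
        *)   finding "unknown --keyring value: $keyring" ;;
    esac
    case "$op" in
        copy-back-and-apply-log|apply-log|apply-incremental-backup)
            [ "$pw" != none ] || finding "--encrypt-password is required for $op" ;;
    esac
    # A value after '=' puts the password on the command line; the bare option prompts.
    [ "$pw" != inline ] ||
        finding "password given inline; use bare --encrypt-password to be prompted"
    [ "$n" -eq 0 ]
}

# Constructed argument list: missing --keyring_file_data, inline password.
lint_meb_args --keyring=keyring_file --generate-new-master-key \
    --encrypt-password=constructed-pw copy-back-and-apply-log ||
    echo "fix the findings above before running mysqlbackup"
```

The check covers only what can be read from the argument list; offline backups, which also require --keyring, are not detected.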