MySQL Enterprise Backup 8.0.14 and later supportsencrypted binary and relay logs, which are handled in a similar way as the encrypted InnoDB tables are (seeChapter 6,Working with Encrypted InnoDB Tablespaces for details).
When backing up encrypted binary or relay logs, the option--encrypt-password is required for the following purposes:
If the server is using the
keyring_encrypted_fileplugin, the user must use the option--encrypt-passwordto supply tomysqlbackup the keyring file encryption password that has been set on the server with thekeyring_encrypted_file_passwordoption.mysqlbackup then copies from the server the encrypted keyring data file, which contains the replication master key used to encrypt all the passwords for the individual log files, into themetafolder in the backup.If the server uses a keyring plugin other than
keyring_encrypted_file,mysqlbackup accesses the keyring to obtain the replication master key and uses it to decrypt the individual log files' passwords. The replication master key is then put into a keyring data file, which is encrypted with the user password supplied with the option--encrypt-password, and then saved under themetafolder in the backup with the namekeyring_kef.
When restoring encrypted binary or relay logs, the same password used for backing up the database must be supplied with the--encrypt-password option, asmysqlbackup performs the following actions:
For a MySQL Enterprise Server:mysqlbackup restores the encrypted keyring data file to its proper location on the server. The restored server has to be started with
keyring_encrypted_fileplugin and with the optionskeyring_encrypted_file_dataandkeyring_encrypted_file_password(which should supply the server with the same password used with the--encrypt-passwordoption during the restore).For a MySQL Community Server: The
keyring_fileplugin is the only keyring plugin supported by the MySQL Community Server; thereforemysqlbackup uses the password supplied with the--encrypt-passwordoption to decrypt the keyring data file and then restores it to the proper location on the server for thekeyring_fileplugin touse.
For Incremental Backups. For a series of incremental backups, if a keyring plugin other thankeyring_encrypted_file is being used on the server, users can provide a different value for--encrypt-password for any of the full or incremental backup in the backup sequence. However, the password used to make the specific full or incremental backup must be provided to restore that backup. When starting the server after restoring a series of incremental backups, the password used for the restore of the last incremental backup should be supplied to the server (except for a MySQL Community Server, which will start with thekeyring_file plugin and does not require thekeyring_encrypted_file_password option to start).