maria-discuss team mailing list archive
-
maria-discuss team
-
Mailing list archive
-
Message #03612
Re: Backing up tables with data at rest encryption
HI
Sorry should have mentioned that the InnoDB logs are not encrypted
show variables like '%encrypt%';
+------------------------------------------+---------+
| Variable_name | Value |
+------------------------------------------+---------+
| aria_encrypt_tables | OFF |
| encrypt_binlog | OFF |
| encrypt_tmp_disk_tables | OFF |
| encrypt_tmp_files | OFF |
| file_key_management_encryption_algorithm | aes_cbc |
| innodb_default_encryption_key_id | 1 |
| innodb_encrypt_log | OFF |
| innodb_encrypt_tables | ON |
| innodb_encryption_rotate_key_age | 1 |
| innodb_encryption_rotation_iops | 100 |
| innodb_encryption_threads | 0 |
+------------------------------------------+————+
The the table is encrypted:
select *
-> from information_schema.innodb_tablespaces_encryption
-> where encryption_scheme=1
-> ;
+-------+----------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+
| SPACE | NAME | ENCRYPTION_SCHEME | KEYSERVER_REQUESTS | MIN_KEY_VERSION | CURRENT_KEY_VERSION | KEY_ROTATION_PAGE_NUMBER | KEY_ROTATION_MAX_PAGE_NUMBER | CURRENT_KEY_ID |
+-------+----------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+
| 35 | mytest/customers_big | 1 | 1 | 1 | 1 | NULL | NULL | 1 |
+-------+----------------------+-------------------+--------------------+-----------------+---------------------+--------------------------+------------------------------+----------------+
1 row in set (0.00 sec)
Mysqldump works fine to backup data but of course it dumps it into plain text and it’s generally a rubbish backup method.
Kind Regards
Lee
> On 1 Jun 2016, at 16:13, Guillaume Lefranc <guillaume.lefranc@xxxxxxxxxxx> wrote:
>
> Hello,
>
> on the contrary, it is clearly stated:
>
> Percona XtraBackup cannot back up instances that use encrypted InnoDB log files.
>
> So, either don't encrypt the log files (potentially unsafe), or use filesystem backups.
>
> Regards
> GL
>
>
> On Wed, Jun 1, 2016 at 5:02 PM Lee Bennett <lee@xxxxxxxxxxxxxx <mailto:lee@xxxxxxxxxxxxxx>> wrote:
> Hi
>
> We are in the process of setting up data at rest encryption encryption with MariaDB 10.1.13 so we can encrypt specific table. This works without any problem however when I try and backup with Percona Xtrabackup it fails saying table appears to be corrupted:
>
> 60601 14:53:46 [01] ...done
> 160601 14:53:46 [01] Streaming ./mytest/customers_big.ibd
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> 160601 14:53:46 >> log scanned up to (3146117051)
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> [01] xtrabackup: Database page corruption detected at page 1, retrying...
> [01] xtrabackup: Error: failed to read page after 10 retries. File ./mytest/customers_big.ibd seems to be corrupted.
> [01] xtrabackup: Error: xtrabackup_copy_datafile() failed.
> [01] xtrabackup: Error: failed to copy datafile.
>
> This says to me that Xtrabackup isn’t compatible with MariaDB encryption however the documents kind of give the impression it is: https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/ <https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/>
>
> Regards
> Lee
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss <https://launchpad.net/~maria-discuss>
> Post to : maria-discuss@xxxxxxxxxxxxxxxxxxx <mailto:maria-discuss@xxxxxxxxxxxxxxxxxxx>
> Unsubscribe : https://launchpad.net/~maria-discuss <https://launchpad.net/~maria-discuss>
> More help : https://help.launchpad.net/ListHelp <https://help.launchpad.net/ListHelp>
> --
> Guillaume Lefranc
> Remote DBA Services Manager
> MariaDB Corporation
References
