Not the answer you need?
Register and ask your own question!

Encrypted and incremental backups.

jbljbl EntrantInactive User Role Beginner

I'm currently writing backups and restorations scripts, on the basis of innobackupex. I need the backups to be encrypted and incremental.

Therefore, In order to enable incremental backups on the basis of an encrypted basedir, I'm using the '--extra-lsndir' option to save an alternative cleartext 'xtrabackup_checkpoints' file. I think it is a good solution (this solution comes from this blog post).

My question is :
Can I safely set the '--extra-lsndir' value to the same value as the backupDir, and then delete <backupDir>/xtrabackup_checkpoints.xbcrypt ?


  • Nickolay IhalainenNickolay Ihalainen Entrant Legacy User Role Beginner

    For incremental backups you need only a single file xtrabackup_checkpoints or
    if you are using exra-lsndir option or even a single number with --incremental-lsn option.

    You can get LSN for incremental from innobackupex script output or from xtrabackup_info: innodb_to_lsn.

    There is a full instruction for backup and restore for xtrabackup 2.2.10:

    openssl enc -aes-256-cbc -pass pass:Password -P -md sha1
    get the key from iv, e.g.:
    iv =4D27E0ED263A8F2BAF337DED0A5FFFBE

    You will have a different one because the salt is changed every time you are running openssl tool.

    innobackupex --encrypt=AES256 --encrypt-key="4D27E0ED263A8F2BAF337DED0A5FFFBE" .

    For incremental backups you should get a correct LSN from previous backup output or from xtrabackup_info (innodb_to_lsn parameter). Well from documentation you can get LSN from xtrabackup_checkpoints but this file is encrypted, see .

    innobackupex --encrypt=AES256 --encrypt-key="4D27E0ED263A8F2BAF337DED0A5FFFBE" --incremental --incremental-lsn=<lsn found> .

    For restore:
    # change directory to base backup:
    innobackupex --decrypt=AES256 --encrypt-key=4D27E0ED263A8F2BAF337DED0A5FFFBE .
    # check if files decrypted correctly or make a backup copy before restore
    # e.g. xtrabackup_checkpoints should contain a valid text and data
    # remove xbcrypt files
    find . -name '*.xbcrypt' -exec rm {} +

    Repeat this procedure with every backup directory you need. If you are using compression you can specify decompress in the same command line to save a time.

    # from full backup directory
    innobackupex --apply-log --redo-only .
    # from full backup directory (not incremental)
    # use absolute path to incremental directory
    innobackupex --apply-log . --redo-only --incremental-dir=<path to incremental> # run this if it's not a last in incrementals chain
    # ...
    innobackupex --apply-log . --incremental-dir=<path to incremental> # for the last incremental backup
Sign In or Register to comment.

MySQL, InnoDB, MariaDB and MongoDB are trademarks of their respective owners.
Copyright ©2005 - 2020 Percona LLC. All rights reserved.