Encrypted and incremental backups.


I’m currently writing backup and restoration scripts on the basis of innobackupex. I need the backups to be encrypted and incremental.

Therefore, in order to enable incremental backups on the basis of an encrypted basedir, I’m using the ‘--extra-lsndir’ option to save an alternative cleartext ‘xtrabackup_checkpoints’ file. I think it is a good solution (this solution comes from this blog post).

My question is:
Can I safely set the ‘--extra-lsndir’ value to the same value as the backupDir, and then delete /xtrabackup_checkpoints.xbcrypt?


For incremental backups you need only a single file, xtrabackup_checkpoints, if you are using the extra-lsndir option, or even a single number with the --incremental-lsn option.

You can get LSN for incremental from innobackupex script output or from xtrabackup_info: innodb_to_lsn.

There is a full instruction for backup and restore for xtrabackup 2.2.10:

openssl enc -aes-256-cbc -pass pass:Password -P -md sha1
get the key from iv, e.g.:
iv =4D27E0ED263A8F2BAF337DED0A5FFFBE

You will have a different one because the salt changes every time you run the openssl tool.

innobackupex --encrypt=AES256 --encrypt-key="4D27E0ED263A8F2BAF337DED0A5FFFBE" .

For incremental backups you should get a correct LSN from the previous backup output or from xtrabackup_info (innodb_to_lsn parameter). Well, according to the documentation you can get the LSN from xtrabackup_checkpoints, but this file is encrypted, see https://bugs.launchpad.net/percona-xtrabackup/+bug/1444255 .

innobackupex --encrypt=AES256 --encrypt-key="4D27E0ED263A8F2BAF337DED0A5FFFBE" --incremental --incremental-lsn= .

For restore:

change directory to base backup:

innobackupex --decrypt=AES256 --encrypt-key=4D27E0ED263A8F2BAF337DED0A5FFFBE .

check if files decrypted correctly or make a backup copy before restore

e.g. xtrabackup_checkpoints should contain a valid text and data

remove xbcrypt files

find . -name '*.xbcrypt' -exec rm {} +

Repeat this procedure with every backup directory you need. If you are using compression you can specify decompress in the same command line to save time.

from full backup directory

innobackupex --apply-log --redo-only .

from full backup directory (not incremental)

use absolute path to incremental directory

innobackupex --apply-log . --redo-only --incremental-dir= # run this if it’s not the last in the incrementals chain

innobackupex --apply-log . --incremental-dir= # for the last incremental backup
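
One way to script the LSN lookup described in the answer above, as an added example that is not part of the original thread: it reads `to_lsn` from the cleartext `xtrabackup_checkpoints` saved by `--extra-lsndir` (or `innodb_to_lsn` from `xtrabackup_info`) and passes it to `--incremental-lsn`. The directory paths and the key file are hypothetical, and `--encrypt-key-file` is used here in place of `--encrypt-key` so the key does not appear in the process list.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and the key file are hypothetical.

# Print the LSN stored in a cleartext xtrabackup_checkpoints ("to_lsn = N")
# or xtrabackup_info ("innodb_to_lsn = N"). An encrypted (.xbcrypt), empty
# or truncated file has no such line and is rejected.
read_to_lsn() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    lsn=$(sed -n 's/^\(innodb_\)\{0,1\}to_lsn[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\2/p' "$1" | head -n 1)
    [ -n "$lsn" ] || { echo "no valid to_lsn in $1" >&2; return 1; }
    printf '%s\n' "$lsn"
}

# incremental_backup PREV_LSNDIR NEW_LSNDIR KEY_FILE TARGET_DIR
# Takes an encrypted incremental starting at the previous backup's LSN and
# saves a cleartext checkpoints copy in NEW_LSNDIR for the next run.
# With DRY_RUN set, the command is printed instead of executed.
incremental_backup() {
    lsn=$(read_to_lsn "$1/xtrabackup_checkpoints") || return 1
    ${DRY_RUN:+echo} innobackupex --encrypt=AES256 \
        --encrypt-key-file="$3" \
        --incremental --incremental-lsn="$lsn" \
        --extra-lsndir="$2" "$4"
}

# Demo on a constructed checkpoints file (sample values, not real output).
demo() {
    d=$(mktemp -d) || return 1
    printf 'backup_type = full-backuped\nfrom_lsn = 0\nto_lsn = 1626007\nlast_lsn = 1626007\n' \
        > "$d/xtrabackup_checkpoints"
    ( DRY_RUN=1; incremental_backup "$d" /backup/lsn/inc1 /etc/backup.key /backup/inc )
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```
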