We hacked SSL encryption into wsrep_sst_xtrabackup due to its lack of encryption natively. After upgrading today, we’ve noticed support for xbstream. However, our cluster (after upgrading) doesn’t use xbstream automatically, hence we’re back where we started: unencrypted IST/SST traffic. On a WAN cluster that’s not a good thing. Can anybody point me in the right direction on how to force Percona to use xbstream (more importantly, encryption) instead of tar?
Encryption can be enabled in SST by adding PXB encryption options to my.cnf under [xtrabackup]. There is currently a bug with PXB encryption - https://bugs.launchpad.net/percona-x…p/+bug/1190610 - after that is fixed, you can use it with PXC unchanged. In the development version of wsrep_sst_xtrabackup I have added OpenSSL-based encryption (which is independent of PXB). Take a look at https://bazaar.launchpad.net/~percon…_xtrabackup.sh for details.
Edit: The linked script is incorrect. Here is the right one: https://bazaar.launchpad.net/~raghavendra-prabhu/percona-xtradb-cluster/pxc-1193215/view/head:/Percona-Server/scripts/wsrep_sst_xtrabackup.sh