Xtrabackup, keyring_vault, decrypt and xbstream

hey all,
I have a database that is encrypted and the key stored in keyring_vault … I want to use xtrabackup to back it up using xbstream, move the files to S3 and restore to AWS Aurora … I assume that before creating the backup I need to decrypt the encrypted data, as in Aurora the keyring will not be available … can I do this in general and if yes how?

I tried

xtrabackup --backup --user=root --password=$PWD --keyring-vault-config=/home/mysql/keyring_vault_sand.conf --decrypt --stream=xbstream

but I get an error
xtrabackup: [ERROR] xtrabackup: Error while setting value '--stream=xbstream' to 'decrypt'.

I guess it was a longshot … but still

btw for the sake of tests I removed --decrypt and I got this error

2024-10-22T00:54:24.582866-06:00 0 [ERROR] [MY-012657] [InnoDB] Encryption can't find master key, please check the keyring is loaded.
2024-10-22T00:54:24.582878-06:00 0 [Note] [MY-011825] [InnoDB] Encryption information in datafile: ./leodb/table1.ibd can't be decrypted, please confirm that keyring is loaded.
2024-10-22T00:54:24.582889-06:00 0 [Note] [MY-011825] [Xtrabackup] Failed to decrypt table ./leodb/table1.ibd with space id 11512. Will check if encrytion key has been parsed at the end of backup.

Why can xtrabackup not acquire the keyring? … note that /home/mysql/keyring_vault_sand.conf holds the correct information and the path is correct

Thanks in advance

Hey @Lazar_Tomovski,

According to AWS docs:

You can’t restore from an encrypted source database, but you can restore to an encrypted Amazon RDS DB instance.

Looks like you will have to decrypt all tables before importing them into RDS.

I do want to question you here. In the past 4 months, I’ve performed 3 migrations AWAY from Aurora because my customers got sucked into the AWS marketing around Aurora. None of them needed Aurora; they needed simple RDS MySQL. I was able to save them thousands of $$ per month by showing them (with evidence/metrics) that they were underutilizing Aurora and paying for something they did not need.

Please don’t get sucked into the marketing. Unless you are pushing 10K-20K queries per second, I would strongly reconsider Aurora and stick with RDS MySQL. It might be best to first migrate into RDS MySQL, test it out, and from there you can simply migrate to Aurora if you still think it is needed.

hey @matthewb,
Thanks for the quick and prompt response … so according to you, the only option is to decrypt the tables in place and then use xtrabackup to create the backup and move it to AWS?

as for the MySQL tip … thanks a lot … I appreciate the tips you are providing but the customer is looking to adopt serverless … so this is the only option currently.

Best Regards

No, not according to me; according to AWS documentation that I linked and quoted above. :slight_smile:

But yes, you would need to ALTER TABLE ... ENCRYPTION='N' on all tables first (requires full rebuild) and then you can export them with xtrabackup into S3 and restore to RDS. Once in RDS, you can redo the encryption (or just check the box that says encrypted EBS when making the RDS).

Again, I would question this. Serverless is a dangerous trap (one designed by AWS). Don’t let fancy marketing, and promises of the next-best-thing lead you to the wrong decision. Used incorrectly, Serverless can cost 5x-10x more than normal RDS. If your customer has a consistent workload, RDS MySQL will be less expensive.

Yeah @matthewb … I understand that the limitation is coming from AWS. Apologies if I didn’t explain myself clearly earlier.

Thank you for your help and support.