Backup encryption uses Percona XtraBackup to encrypt backups of an RDS for MySQL instance. No application changes are required. To use an encrypted backup, you must download it, and then decompress and decrypt it.
Prerequisites
Your RDS for MySQL instance must meet the following requirements:
- Major version: 8.0, 5.7, or 5.6
- Edition: High-availability Edition
- Storage type: Premium Local SSDs
Background
Key Management Service (KMS) generates and manages the encryption keys. RDS does not provide the keys or certificates required for encryption. You can use keys automatically generated by Alibaba Cloud or your own custom keys.
To use a custom key for backup encryption, you must first create a service-linked role. RDS uses this role to retrieve the list of KMS keys, their properties, and their aliases. This allows the console to display the list of available encryption keys and the related encryption information after backup encryption is enabled.
When you enable backup encryption, RDS tags the key that you select. The backup system then uses the service-linked role and the key to encrypt backups.
Considerations
- After backup encryption is enabled, it cannot be disabled.
- You cannot change the key after backup encryption is enabled.
- Backup encryption applies only to new backups created after you enable the feature.
- To restore an encrypted backup to a local environment, you must download and then decrypt the data.
  Note: If you use a backup to restore data on the console, you do not need to manually decrypt it. The backend automatically decrypts the data and then restores it.
- If you use an existing custom key:
  - If you disable a key, schedule it for deletion, or delete its key material, the key becomes unavailable. Consequently, O&M operations and restores that rely on these backups will fail, potentially affecting instance availability.
  - You must use an Alibaba Cloud account or a RAM user with the following permissions:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["ram:CreateServiceLinkedRole"],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "backupencryption.rds.aliyuncs.com"
            }
          }
        },
        {
          "Action": ["kms:ListResourceTags", "kms:TagResource"],
          "Effect": "Allow",
          "Resource": ["acs:kms:*:*:*"]
        }
      ]
    }
    Note: You can configure permissions and authorize the account on the Resource Access Management (RAM) console. For more information, see Authorize a RAM user to access an RDS instance.
Enable backup encryption
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Backup Recovery.
- On the Backup Recovery page, click the Backup Policy tab.
- In the Backup encryption Settings section, click Edit and turn on Backup Encryption Status.
- In the Backup encryption Settings dialog box, select a Backup Master Key and click OK.
  - Use Automatically Generated Key: Alibaba Cloud automatically generates a key.
  - Use an Existing Custom Key: Select an existing key from Key Management Service (KMS). If you have not created one, see Create a key.
    Note: The first time you use a custom key, authorization is required. You can follow the on-screen instructions.
You do not need to manually decrypt backups when using them within Alibaba Cloud. The system automatically decrypts the data for related operations, such as data restoration. However, if you download an encrypted backup to a local environment, you must manually decrypt the backup before you can use it. To decrypt data, see Decrypt data.
Decrypt data
This section demonstrates the decryption process using an Ubuntu 16.04 system as an example.
Prerequisites
- Percona XtraBackup is installed. If not, see Percona XtraBackup 2.4 (for MySQL 5.7, 5.6, or 5.5 instances) or Percona XtraBackup 8.0 (for MySQL 8.0 instances).
- The qpress decompression tool is installed. If not, run the following commands to install it.
  wget "http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/183466/cn_zh/1608011575185/qpress-11-linux-x64.tar"
  tar xvf qpress-11-linux-x64.tar
  chmod 775 qpress
  cp qpress /usr/bin
- Python 3 is installed.
Procedure
- Obtain the ciphertext and encryption algorithm of the backup set.
  - Go to the RDS Instances page, select a region in the top navigation bar, and then click the ID of the target instance.
  - In the left-side navigation pane, click Backup Recovery.
  - On the Backup Recovery page, go to the tab.
  - In the Action column of the target backup set, click to obtain the Ciphertext and Encryption Algorithm.
- Call the Decrypt API operation. In the CiphertextBlob parameter, pass the Ciphertext that you obtained in Step 1. The response contains the Base64-encoded binary string Plaintext.
  {
    "KeyId": "xxx",
    "KeyVersionId": "xxx",
    "Plaintext": "S14dTbl6i4Qo",
    "RequestId": "7474865d-f1fc-49c8-bf4d-7323de86ce59"
  }
- Base64-decode the Plaintext string and convert the resulting bytes to hexadecimal to obtain the decryption key. This example uses a Python 3 script to do this.
  - Run vi decrypt.py in the command-line interface to open the vi editor.
  - Press i to enter insert mode. Enter the following content, press ESC, and then enter :wq to save the file and exit.
    import base64
    import binascii

    # Enter the Plaintext that you obtained in the preceding step between the single quotation marks ('').
    plaintext = 'S14dTbl6i4Qo**********'
    # Base64-decode the Plaintext and hex-encode the resulting bytes to obtain the decryption key.
    password = binascii.b2a_hex(base64.b64decode(plaintext))
    # Print the key as a string.
    print(str(password, 'utf-8'))
  - Run the python decrypt.py command. The command prints the decryption key. The following is a sample key:
    4b5e1d4db97a********************
- Download the encrypted backup data and then decrypt the data.
  - Run the following command to create a directory, for example, /home/mysql/data, to store the backup data.
    mkdir /home/mysql/data
  - Decompress the package. Choose a decompression command based on the file suffix.

    File type: tar package (.tar.gz)
    Decompression command:
      tar -izxvf test1.tar.gz -C /home/mysql/data

    File type: xbstream package (.xb.gz)
    Decompression command:
      gzip -d -c test1.xb.gz | xbstream -x -v -C /home/mysql/data

    File type: xbstream file package (_qp.xb)
    Decompression command:
      ## Unpack the file first.
      cat test1_qp.xb | xbstream -x -v -C /home/mysql/data
      ## Then, decompress the file.
      ### For MySQL 5.6/5.7
      innobackupex --decompress --remove-original /home/mysql/data
      ### For MySQL 8.0
      xtrabackup --decompress --remove-original --target-dir=/home/mysql/data

    File type: xbstream qpress package (_xb.qp)
    Decompression command:
      qpress -do test1_xb.qp | xbstream -x -v -C /home/mysql/data

    After decompression, most data files have the .xbcrypt suffix, indicating they are encrypted.
      backup-my.cnf.xbcrypt
      testdb
      dbfortest
      xtrabackup_binlog_info.xbcrypt
      ibdata1.xbcrypt
      xtrabackup_checkpoints
      mysql
      xtrabackup_info.xbcrypt
      performance_schema
      xtrabackup_logfile.xbcrypt
      rds_table_info_json_105244.log
      xtrabackup_slave_filename_info.xbcrypt
      _recycle_bin_
      xtrabackup_slave_info.xbcrypt
  - Run the following command to decrypt the data.
      xtrabackup --decompress --remove-original --decrypt=AES256 --encrypt-key=4b5e1d4db97a******************** --target-dir=/home/mysql/data
    After the command runs, the .xbcrypt suffix disappears from the filenames, confirming the data is decrypted.
      backup-my.cnf
      testdb
      dbfortest
      xtrabackup_binlog_info
      ibdata1
      xtrabackup_checkpoints
      mysql
      xtrabackup_info
      performance_schema
      xtrabackup_logfile
      rds_table_info_json_105244.log
      xtrabackup_slave_filename_info
      recycle_bin
      xtrabackup_slave_info
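As an added example (not code from the original page or from Alibaba Cloud), the following Python 3 script carries the key-derivation step above through to the decrypt command with checks the page does not show: it parses the Decrypt response, verifies that the derived key has the length xtrabackup expects for the chosen algorithm, and stages the key in a 0600 file so it can be passed with xtrabackup's --encrypt-key-file option instead of appearing in the command line and shell history. The Plaintext in the sample response is constructed for this illustration; the other field values are placeholders.

```python
import base64
import binascii
import json
import os
import tempfile

# Constructed sample of a Decrypt API response: the Plaintext is 16 example bytes
# chosen for this illustration, and the other fields are placeholders.
SAMPLE_DECRYPT_RESPONSE = json.dumps({
    "KeyId": "<key-id>",
    "KeyVersionId": "<key-version-id>",
    "Plaintext": "S14dTbl6i4QoABEiM0RVZg==",
    "RequestId": "<request-id>",
})
# Key length, in characters, that xtrabackup's --decrypt expects for each algorithm.
KEY_LENGTHS = {"AES128": 16, "AES192": 24, "AES256": 32}


def key_from_decrypt_response(response_json: str) -> str:
    """Base64-decode the Plaintext field and return it as a lowercase hex string."""
    plaintext = json.loads(response_json)["Plaintext"]
    raw = base64.b64decode(plaintext, validate=True)
    return binascii.b2a_hex(raw).decode("ascii")


def check_key(key: str, algorithm: str) -> None:
    """Fail before xtrabackup runs if the key does not fit the stated algorithm."""
    expected = KEY_LENGTHS[algorithm]
    if len(key) != expected:
        raise ValueError(f"{algorithm} needs a {expected}-character key, got {len(key)}")
    int(key, 16)  # raises ValueError if the string is not hexadecimal


def stage_key(response_json: str, algorithm: str = "AES256") -> tuple:
    """Derive the key and write it, with no trailing newline, to a new 0600 file.
    Returns (key, path, mode); a key file keeps the secret out of argv and history."""
    key = key_from_decrypt_response(response_json)
    check_key(key, algorithm)
    path = os.path.join(tempfile.mkdtemp(prefix="rds-backup-"), "xtrabackup.key")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    return key, path, os.stat(path).st_mode & 0o777


def decrypt_command(key_file: str, target_dir: str, algorithm: str = "AES256") -> list:
    """argv for the page's decrypt step, with --encrypt-key-file in place of --encrypt-key."""
    return ["xtrabackup", "--decompress", "--remove-original", f"--decrypt={algorithm}",
            f"--encrypt-key-file={key_file}", f"--target-dir={target_dir}"]
```

Pass the returned list to subprocess.run without a shell, and delete the key file once the backup is decrypted.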