[MDEV-11116] Xtrabackup doesn't work for Data Encryption at Rest in any configuration Created: 2016-10-23  Updated: 2016-10-23  Resolved: 2016-10-23

Status: Closed
Project: MariaDB Server
Component/s: Documentation, Encryption, Scripts & Clients, Storage Engine - InnoDB
Affects Version/s: 10.1
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Valerie Parham-Thompson Assignee: Vladislav Vaintroub
Resolution: Fixed Votes: 0
Labels: None


 Description   

This may be just a documentation bug.

Via https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/: "Percona XtraBackup cannot back up instances that use encrypted InnoDB log files."

In my testing, even when only encrypting the tables (not the log files) Xtrabackup will report that the files are corrupted. Have you been able to show Xtrabackup working with any encrypted (not log) files?

Here are some details:

MariaDB [(none)]> show global variables like '%encr%';
 
+------------------------------------------+---------+
 
| Variable_name                            | Value   |
 
+------------------------------------------+---------+
 
| aria_encrypt_tables                      | OFF     |
 
| encrypt_binlog                           | OFF     |
 
| encrypt_tmp_disk_tables                  | OFF     |
 
| encrypt_tmp_files                        | OFF     |
 
| file_key_management_encryption_algorithm | aes_cbc |
 
| innodb_default_encryption_key_id         | 1       |
 
| innodb_encrypt_log                       | OFF     |
 
| innodb_encrypt_tables                    | ON      |
 
| innodb_encryption_rotate_key_age         | 1       |
 
| innodb_encryption_rotation_iops          | 100     |
 
| innodb_encryption_threads                | 4       |
 
+------------------------------------------+---------+
 
 
 
MariaDB [(none)]> show global variables like 'innodb_file_per_table';
 
+-----------------------+-------+
 
| Variable_name         | Value |
 
+-----------------------+-------+
 
| innodb_file_per_table | ON    |
 
+-----------------------+-------+

And the backup output:

[root@encr_maria_just_tablespace ~]# innobackupex --user=root --password=password --socket=/var/lib/mysql/mysql.sock /backup/
 
161023 10:20:29 innobackupex: Starting the backup operation
 
161023 10:20:29 Connecting to MySQL server host: localhost, user: root, password: set, port: 0, socket: /var/lib/mysql/mysql.sock
 
Using server version 10.1.18-MariaDB
 
innobackupex version 2.4.4 based on MySQL server 5.7.13 Linux (x86_64) (revision id: df58cf2)
 
xtrabackup: uses posix_fadvise().
 
xtrabackup: cd to /var/lib/mysql/
 
xtrabackup: open files limit requested 0, set to 1024
 
xtrabackup: using the following InnoDB configuration:
 
xtrabackup:   innodb_data_home_dir = .
 
xtrabackup:   innodb_data_file_path = ibdata1:12M:autoextend
 
xtrabackup:   innodb_log_group_home_dir = ./
 
xtrabackup:   innodb_log_files_in_group = 2
 
xtrabackup:   innodb_log_file_size = 50331648
 
InnoDB: Number of pools: 1
 
161023 10:20:29 >> log scanned up to (1629949)
 
xtrabackup: Generating a list of tablespaces
 
InnoDB: Allocated tablespace ID 4 for schema/t2, old maximum was 0
 
161023 10:20:29 [01] Copying ./ibdata1 to /backup/2016-10-23_10-20-29/ibdata1
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
161023 10:20:30 >> log scanned up to (1629949)
 
[01] xtrabackup: Database page corruption detected at page 1, retrying...
 
[01] xtrabackup: Error: failed to read page after 10 retries. File ./ibdata1 seems to be corrupted.
 
[01] xtrabackup: Error: xtrabackup_copy_datafile() failed.
 
[01] xtrabackup: Error: failed to copy datafile.

This is a fresh testing instance, xtrabackup works before enabling innodb_encrypt_tables and fails consistently after enabling that and inserting a single row.

Again, I think this is as intended, but wanted to confirm based on wording in documentation.

Thank you in advance for looking.

 Comments   
Comment by Vladislav Vaintroub [ 2016-10-23 ]

Fixed documentation. Percona Xtrabackup does not understand our encryption, this is accurate.

Comment by Valerie Parham-Thompson [ 2016-10-23 ]

Thank you for the confirmation and the edit, Vladislav!

Generated at Thu Feb 08 07:47:26 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.