ZRM for MySQL encryption

From The Open Source Backup Wiki (Amanda, MySQL Backup, BackupPC)

ZRM for MySQL supports backup data encryption using tools available on the platform, such as GPG (GnuPG). The backup data is encrypted on the machine running ZRM for MySQL. The backup index is not encrypted. If remote MySQL servers are being backed up, only the backup images are encrypted.

  • For logical backups, it is recommended to use SSL for encryption of the data being transferred. Use ssl-* options in backup set parameters in mysql-zrm.conf.
  • For raw backups, it is recommended to use the SSH-based copy plugin.

ZRM for MySQL does not provide key management. The user is expected to create and configure encryption keys as well as passphrases. It is important that the keys are kept securely; otherwise, database backup images cannot be restored.

Backup data encryption is configured by mysql-zrm.conf parameters.

  • encrypt: Enables/Disables data encryption for the backup set. Default is no encryption. Value 1 means backup data will be encrypted. Value 0 means no encryption. If encryption is enabled, the encrypt-plugin must be specified.
  • encrypt-plugin: Full path to the command used for encryption. The plugin should encrypt the data from the standard input and output encrypted data back to the standard output. A sample encrypt plugin is available in /usr/share/mysql-zrm/plugins/encrypt.pl. The template encrypt plugin uses GPG (GNU Privacy Guard). Modify the sample plugin to suit your needs.
  • decrypt-option: The command line option of the encrypt-plugin to decrypt the backup data. This option is used during database recovery.
  • passfile: File containing the passphrase used for encryption. This parameter is read by the sample GPG-based encryption plugin, encrypt.pl.
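
A pre-flight check for these four parameters, as an added example that is not part of ZRM or of the original page: it flags inconsistent settings and pipes test data through the plugin and back using decrypt-option, so a plugin or passphrase that cannot restore is caught before a recovery is needed. The key=value syntax with optional double quotes, the function names, the decrypt-option value and the passfile path in the sample are assumptions.

```python
import os, shlex, stat, subprocess

def parse_conf(text):
    """Parse key=value lines; this syntax for mysql-zrm.conf is an assumption."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def audit_encryption(conf, roundtrip=True):
    """Return findings for one backup set's encryption parameters."""
    if conf.get("encrypt", "0") != "1":  # default is no encryption
        return ["encrypt is not 1: backup images are stored unencrypted"]
    findings = []
    plugin = conf.get("encrypt-plugin") or ""
    if not plugin:
        findings.append("encrypt=1 but encrypt-plugin is not set")
    elif not (os.path.isabs(plugin) and os.access(plugin, os.X_OK)):
        findings.append("encrypt-plugin must be a full path to an executable")
    if not conf.get("decrypt-option"):
        findings.append("decrypt-option is not set: recovery cannot decrypt")
    passfile = conf.get("passfile")
    if passfile:
        try:
            mode = stat.S_IMODE(os.stat(passfile).st_mode)
            if mode & 0o077:
                findings.append("passfile mode %03o is accessible to group/others" % mode)
        except OSError:
            findings.append("passfile does not exist or cannot be accessed")
    if roundtrip and not findings:
        # Pipe constructed data through the plugin and back, as a restore would.
        sample = os.urandom(4096)
        enc = subprocess.run([plugin], input=sample, capture_output=True).stdout
        dec = subprocess.run([plugin] + shlex.split(conf["decrypt-option"]),
                             input=enc, capture_output=True).stdout
        if not enc or enc == sample:
            findings.append("plugin output is empty or identical to its input")
        if dec != sample:
            findings.append("round trip failed: decrypted data differs from input")
    return findings

if __name__ == "__main__":
    # Constructed sample: decrypt-option value and passfile path are placeholders.
    sample_conf = 'encrypt=1\nencrypt-plugin="/usr/share/mysql-zrm/plugins/encrypt.pl"\n' \
                  'decrypt-option="-d"\npassfile="/path/to/passfile"\n'
    for finding in audit_encryption(parse_conf(sample_conf)) or ["no findings"]:
        print(finding)
```

Run it as the same user that runs ZRM for MySQL, so the permission and executability checks reflect what the backup job will see.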