Generate the encryption key
openssl rand -base64 32 > /data/backups/keyfile
Backup
Create a database user with the minimum required privileges
CREATE USER 'bkpuser'@'localhost' IDENTIFIED BY 's3cr%T';
GRANT BACKUP_ADMIN, PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'bkpuser'@'localhost';
GRANT SELECT ON performance_schema.log_status TO 'bkpuser'@'localhost';
GRANT SELECT ON performance_schema.keyring_component_status TO bkpuser@'localhost';
GRANT SELECT ON performance_schema.replication_group_members TO bkpuser@'localhost';
FLUSH PRIVILEGES;
Take an encrypted backup
xtrabackup --backup --encrypt=AES256 --encrypt-key-file=/data/backups/keyfile --target-dir=/data/backups --user=bkpuser --password=s3cr%T
Or pass the key directly on the command line (密钥 in the commands stands for the key string)
xtrabackup --backup --encrypt=AES256 --encrypt-key="密钥" --target-dir=/data/backups
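Use --encrypt-threads (enables multi-threaded parallel encryption) and --encrypt-chunk-size (sets the size, in bytes, of each encryption thread's working buffer; the default is 64K) to speed up encryption.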
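An added example, not part of the original page or of xtrabackup: the commands above keep the key file in /data/backups, the same directory the backups are written to, so a copy of that directory carries both the ciphertext and its key. The hypothetical helper check_keyfile below rejects a key file that is missing, empty, readable by group or other, or stored inside the backup directory.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the file given to --encrypt-key-file.
# check_keyfile and abs_dir are hypothetical helpers, not xtrabackup commands.

# Print the physical absolute path of a directory (fails if it does not exist).
abs_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# check_keyfile KEYFILE TARGET_DIR
# Returns 0 when the key file passes all checks, 1 otherwise (reason on stderr).
check_keyfile() {
    local key="$1" target="$2" key_dir target_dir perms
    if [ ! -f "$key" ] || [ ! -s "$key" ]; then
        echo "key file missing or empty: $key" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key file accessible by group/other; run: chmod 600 $key" >&2
        return 1
    fi
    key_dir=$(abs_dir "$(dirname "$key")") || return 1
    target_dir=$(abs_dir "$target") || { echo "no such directory: $target" >&2; return 1; }
    # Reject a key that lives in the backup directory or any subdirectory of it.
    case "$key_dir/" in
        "$target_dir"/*)
            echo "key file is stored inside the backup directory $target_dir" >&2
            return 1 ;;
    esac
    return 0
}

# Typical use before a backup (paths are examples):
#   check_keyfile /path/to/keyfile /data/backups && xtrabackup --backup ...
```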
Restore
Decrypt the encrypted backup
xtrabackup --target-dir=/data/backups/ --decrypt=AES256 --encrypt-key="密钥"
Or
xtrabackup --target-dir=/data/backups/ --decrypt=AES256 --encrypt-key-file=/data/backups/keyfile
Prepare the backup for restore
xtrabackup --prepare --target-dir=/data/backups/
Stop the service and move the original data directory aside
systemctl stop mysql
mkdir /tmp/mysqlbak
mv /var/lib/mysql/* /tmp/mysqlbak/
Restore the backup
xtrabackup --copy-back --target-dir=/data/backups/ --datadir=/var/lib/mysql
Restore file ownership
chown -R mysql:mysql /var/lib/mysql
Start the service
systemctl start mysql