Merge lp://staging/~gl-az/percona-xtrabackup/BT-23557-2.1-encrypted_stream into lp://staging/percona-xtrabackup/2.1
Status: | Merged |
---|---|
Approved by: | Alexey Kopytov |
Approved revision: | no longer in the source branch. |
Merged at revision: | 520 |
Proposed branch: | lp://staging/~gl-az/percona-xtrabackup/BT-23557-2.1-encrypted_stream |
Merge into: | lp://staging/percona-xtrabackup/2.1 |
Diff against target: |
3979 lines (+2797/-329) 42 files modified
innobackupex (+116/-23) src/Makefile (+22/-9) src/datasink.c (+15/-3) src/datasink.h (+4/-1) src/ds_archive.c (+268/-0) src/ds_archive.h (+28/-0) src/ds_compress.c (+7/-6) src/ds_encrypt.c (+583/-0) src/ds_encrypt.h (+28/-0) src/ds_stdout.c (+121/-0) src/ds_stdout.h (+28/-0) src/ds_xbstream.c (+88/-144) src/ds_xbstream.h (+3/-3) src/xbcrypt.c (+659/-0) src/xbcrypt.h (+77/-0) src/xbcrypt_common.c (+46/-0) src/xbcrypt_read.c (+180/-0) src/xbcrypt_write.c (+94/-0) src/xbstream.c (+5/-2) src/xbstream.h (+6/-1) src/xbstream_read.c (+2/-2) src/xbstream_write.c (+35/-19) src/xtrabackup.cc (+159/-79) test/inc/xb_local.sh (+50/-0) test/t/bug972169.sh (+1/-1) test/t/ib_stream_compress.sh (+1/-1) test/t/ib_stream_compress_encrypt.sh (+18/-0) test/t/ib_stream_encrypt.sh (+11/-0) test/t/ib_stream_parallel_encrypt.sh (+12/-0) test/t/xb_basic.sh (+5/-32) test/t/xb_compress.sh (+14/-0) test/t/xb_compress_encrypt.sh (+26/-0) test/t/xb_encrypt.sh (+18/-0) test/t/xb_parallel_compress.sh (+14/-0) test/t/xb_parallel_compress_encrypt.sh (+25/-0) test/t/xb_parallel_encrypt.sh (+17/-0) utils/build-binary.sh (+3/-1) utils/build.sh (+2/-0) utils/debian-dummy-rules.patch (+1/-0) utils/debian/percona-xtrabackup.install (+1/-0) utils/debian/rules (+1/-1) utils/xtrabackup.spec (+3/-1) |
To merge this branch: | bzr merge lp://staging/~gl-az/percona-xtrabackup/BT-23557-2.1-encrypted_stream |
Related bugs: | |
Related blueprints: |
Add ability to encrypt backup stream
(Essential)
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Alexey Kopytov (community) | Approve | ||
Sergei Glushchenko | g2 | Pending | |
This proposal supersedes a proposal from 2013-02-27.
Description of the change
Introducing xtrabackup with encryption.
Encryption will be done through the libgcrypt library which can be found documented here: http://
Addition of libgcrypt requires now that libgcrypt and libgpgerror packages be installed.
Many package repositories still contain older versions of libgcrypt. The current stable version of 1.5.0 is recommended and will take advantage of the AES-NI instruction set if available.
Similar to compression, encryption is not supported on streamed tar backups.
New options:
--encrypt=
--encrypt_
--encrypt_
--encrypt_
--encrypt_
--compress_
encrypt_key and encrypt_key_file are mutually exclusive. If --encrypt is specified, one of these MUST be specified else an error will occur.
Encryption key lengths must be precise:
AES128=128 bits or 16 bytes
AES192=192 bits or 24 bytes
AES256=256 bits or 32 bytes
When using the encrypt_key_file option, the file specified may have binary or textual content but must be _exactly_ the correct size for the algorithm being used. If using text, caution must be taken so that there are no extra spaces, tabs, carriage returns or line feeds within the file. These will cause the key to be read as an incorrect size and an error will be generated.
The coding task was fairly straightforward with some restructure/
- Update/set copyright notice in new and touched files to Copyright (c) 2009-2013 Percona Ireland Ltd.
- Implemented new ds_stdout data sink.
- Split the ds_stream data sink into two new, more specific data sinks, ds_archive and ds_xbstream.
- Implement write callback model for ds_xbstream similar to libarchive.
- Change ds_archive and ds_xbstream over to using callback write models.
- Add new option to compression --compress_
- Implement xbcrypt format reader/writer. Format encapsulated as follows:
  - 8 bytes - magic string "XBCRYP01"
  - 8 bytes - reserved
  - 8 bytes - original size
  - 8 bytes - encrypted size
  - 4 bytes - checksum
  - 'encrypted size' bytes - encrypted data
- Implement a new ds_encrypt data sink modeled after the existing compression data sink which will use libgcrypt for actual encryption task and write callbacks.
- Add new options, options validations and pass through innobackupex.
- Implement new utility xbcrypt modeled after xbstream to perform encryption outside of xtrabackup for metadata and to offer a means of decrypting an encrypted backup.
- Implement new tests and refactor test script structure a little to make adding new, similar test cases a little easier.
http://jenkins.percona.com/view/XtraBackup/job/percona-xtrabackup-2.1-param/122/
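The xbcrypt chunk header listed in the description, parsed defensively. This is an added example, not part of the merge proposal or Percona's code. The field order and sizes come from the description; little-endian byte order, the function names and the sample values are assumptions, and the checksum is carried as an opaque value because the page does not name its algorithm.

```c
/* Added example, not Percona's code. Header layout is from the description
 * above; little-endian byte order is an ASSUMPTION (the page does not state it). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XB_HDR_LEN 36u /* 8 magic + 8 reserved + 8 orig + 8 enc + 4 checksum */
enum { XB_OK = 0, XB_TRUNCATED = 1, XB_BAD_MAGIC = 2 };

typedef struct {
    uint64_t orig_size, enc_size;
    uint32_t checksum;            /* algorithm not given on the page: kept opaque */
    const unsigned char *payload; /* points into the caller's buffer */
} xb_chunk;

static uint64_t rd_le(const unsigned char *p, int n) {
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Parse one chunk from buf[0..len). Never reads past len. */
int xb_parse_chunk(const unsigned char *buf, size_t len, xb_chunk *out) {
    if (len < XB_HDR_LEN) return XB_TRUNCATED;
    if (memcmp(buf, "XBCRYP01", 8) != 0) return XB_BAD_MAGIC;
    out->orig_size = rd_le(buf + 16, 8);
    out->enc_size  = rd_le(buf + 24, 8);
    out->checksum  = (uint32_t)rd_le(buf + 32, 4);
    /* Compare against the bytes left; header + enc_size could wrap around. */
    if (out->enc_size > len - XB_HDR_LEN) return XB_TRUNCATED;
    out->payload = buf + XB_HDR_LEN;
    return XB_OK;
}

/* Constructed sample: 5 payload bytes, orig size 5, checksum 0x11223344. */
size_t xb_sample(unsigned char *dst) {
    static const unsigned char payload[5] = {0xde, 0xad, 0xbe, 0xef, 0x01};
    memset(dst, 0, XB_HDR_LEN);
    memcpy(dst, "XBCRYP01", 8);
    dst[16] = 5; dst[24] = 5;
    dst[32] = 0x44; dst[33] = 0x33; dst[34] = 0x22; dst[35] = 0x11;
    memcpy(dst + XB_HDR_LEN, payload, sizeof payload);
    return XB_HDR_LEN + sizeof payload;
}

int main(void) {
    unsigned char buf[64]; xb_chunk c;
    size_t n = xb_sample(buf);
    printf("full=%d short=%d\n", xb_parse_chunk(buf, n, &c), xb_parse_chunk(buf, n - 1, &c));
    return 0;
}
```

A reader built on this should also cap `enc_size` before allocating a decryption buffer, since the length field comes from the file being read.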