Purpose
If transparent encryption is configured for the source tenant before data backup, you must use the ALTER SYSTEM BACKUP KEY statement to back up the key for the source tenant.
Limitations and considerations
If key rotation is triggered for the source tenant after you back up the key, you must back up the key of the source tenant again before you restore the data.
Required privileges
You must execute this statement as the root user of the sys tenant (namely root@sys) or as the administrator of a user tenant.
- The default administrator is the
rootuser in MySQL mode. - The default administrator is the
SYSuser in Oracle mode.
Syntax
ALTER SYSTEM BACKUP KEY [TENANT [=] {tenant_name[, tenant_name]...}] TO 'backup_key_path' [ENCRYPTED BY 'password'];
Parameters
| Parameter | Description |
|---|---|
| tenant_name | The name of the tenant for which the key is to be backed up from the sys tenant. You can specify multiple tenant names separated with commas (,). If you do not specify this parameter, keys of all user tenants in the current cluster are backed up.
NoticeYou must use the |
| backup_key_path | The path where the key is to be backed up. This path is user-defined and cannot be the same as the data backup path or log archive path. |
| password | The encryption password for the key backup path. By default, if you do not specify this parameter, the key backup path will not be encrypted. |
Examples
Execute the following statement in the sys tenant to back up the key of the
mysql_tenanttenant to thefile:///data_backup_dest/keypath, and set an encryption password for the key backup path.obclient [oceanbase]> ALTER SYSTEM BACKUP KEY TENANT = mysql_tenant TO 'file:///data_backup_dest/key' ENCRYPTED BY '******';Execute the following statement in the
mysql_tenanttenant to back up the key of the current tenant to thefile:///data_backup_dest/keypath.obclient [oceanbase]> ALTER SYSTEM BACKUP KEY TO 'file:///data_backup_dest/key';