Purpose
Before backing up data, if the source tenant has transparent encryption enabled, you must use the ALTER SYSTEM BACKUP KEY statement to back up the source tenant's key.
Limitations and considerations
If the source tenant triggers a key rotation after the key is backed up and before the data is restored, the source tenant's key must be backed up again.
Privilege requirements
The statement must be executed by the root user of the sys tenant (root@sys) or by each tenant's administrator user. Specifically:
- The default administrator user in MySQL mode is the root user.
- The default administrator user in Oracle mode is the SYS user.
Syntax
ALTER SYSTEM BACKUP KEY [TENANT [=] {tenant_name[, tenant_name]...}] TO 'backup_key_path' [ENCRYPTED BY 'password'];
Parameters
| Parameter | Description |
|---|---|
| tenant_name | Specifies the tenant for which the key needs to be backed up. You can specify multiple tenants, separated by commas (,). If the system tenant is not specified, it means to back up the keys of all user tenants in the cluster. Notice: Only the system tenant can specify the tenant to be operated on using the |
| backup_key_path | Specifies the path where the key is to be backed up. This path is user-defined and must not be the same as the data backup or log archiving path. |
| password | Specifies the encryption password for the key backup path. If not specified, the default is to not encrypt the backup path. |
Examples
System tenant backs up the key
System tenant backs up the key of the mysql_tenant tenant to the file:///data_backup_dest/key path and sets an encryption password.

obclient [oceanbase]> ALTER SYSTEM BACKUP KEY TENANT = mysql_tenant TO 'file:///data_backup_dest/key' ENCRYPTED BY '******';

The mysql_tenant tenant backs up its own key to the file:///data_backup_dest/key path.

obclient [oceanbase]> ALTER SYSTEM BACKUP KEY TO 'file:///data_backup_dest/key';
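
A pre-flight check for the constraints in the Parameters table, as an added example that is not part of the OceanBase documentation: it refuses a key path that matches the data backup or log archiving path, refuses an unencrypted key backup unless that is explicitly allowed, and only then builds the statement. The function names, the tenant-name allow-list, the default of requiring a password, and the sample destination paths are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import urlsplit

_TENANT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumed conservative allow-list


def _canonical(uri):
    """Scheme, host and normalized path, so a trailing slash or '.' cannot hide a match."""
    parts = urlsplit(uri)
    return (parts.scheme.lower(), parts.netloc.lower(), posixpath.normpath(parts.path))


def _check_literal(label, value):
    # Refuse rather than escape: the value is placed inside a quoted SQL literal.
    if not value or any(ch in value for ch in "'\\\n\r\x00"):
        raise ValueError(f"{label} is empty or contains a quote, backslash or control character")


def build_backup_key_statement(key_path, reserved_paths, tenants=(), password=None,
                               require_encryption=True):
    """Return an ALTER SYSTEM BACKUP KEY statement, or raise ValueError."""
    _check_literal("backup_key_path", key_path)
    for reserved in reserved_paths:  # data backup and log archiving destinations
        if _canonical(reserved) == _canonical(key_path):
            raise ValueError(f"backup_key_path must differ from {reserved}")
    for name in tenants:
        if not _TENANT_RE.match(name):
            raise ValueError(f"unexpected tenant name: {name!r}")
    if password is None and require_encryption:
        # Assumed policy: the statement itself permits omitting ENCRYPTED BY.
        raise ValueError("no password given: the key backup would be stored unencrypted")
    stmt = "ALTER SYSTEM BACKUP KEY"
    if tenants:  # only the system tenant may name tenants
        stmt += " TENANT = " + ", ".join(tenants)
    stmt += f" TO '{key_path}'"
    if password is not None:
        _check_literal("password", password)
        stmt += f" ENCRYPTED BY '{password}'"
    return stmt + ";"


if __name__ == "__main__":
    # Constructed destinations; replace with the cluster's real backup and archive paths.
    reserved = ["file:///data_backup_dest/data", "file:///data_backup_dest/archive"]
    print(build_backup_key_statement("file:///data_backup_dest/key", reserved,
                                     tenants=["mysql_tenant"], password="example-only"))
```

Because key rotation invalidates an earlier key backup, run the same check and statement again whenever the source tenant rotates its key before restoration.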