Purpose
Before a data backup, if transparent encryption is enabled for the source tenant, use the ALTER SYSTEM BACKUP KEY statement to back up the source tenant's encryption key.
Limitations and considerations
After backing up the key, if the source tenant has triggered a key rotation before data recovery, the key must be backed up again.
Privilege requirements
This statement must be executed by the root user of the sys tenant (root@sys) or the administrator user of each tenant. The administrator users for the different modes are as follows:
- For MySQL mode, the default administrator is the root user.
- For Oracle mode, the default administrator is the SYS user.
Syntax
ALTER SYSTEM BACKUP KEY [TENANT [=] {tenant_name[, tenant_name]...}] TO 'backup_key_path' [ENCRYPTED BY 'password'];
Parameters
| Parameter | Description |
|---|---|
| tenant_name | Specifies the name of the tenant whose encryption key is backed up. You can specify multiple tenant names, separated by commas (,). If no tenant is specified, the encryption keys of all user tenants in the cluster are backed up. Notice: Only the system tenant can use the |
| backup_key_path | Specifies the path where the encryption key is backed up. The path must be user-defined and cannot overlap with the data backup or log archiving path. |
| password | Specifies the encryption password for the key backup path. If this parameter is omitted, no encryption is applied to the backup path. |
Examples
- The system tenant backs up the encryption key of the mysql_tenant tenant to the file:///data_backup_dest/key path and sets an encryption password.

```
obclient [oceanbase]> ALTER SYSTEM BACKUP KEY TENANT = mysql_tenant TO 'file:///data_backup_dest/key' ENCRYPTED BY '******';
```

- The mysql_tenant tenant backs up its own encryption key to the file:///data_backup_dest/key path.

```
obclient [oceanbase]> ALTER SYSTEM BACKUP KEY TO 'file:///data_backup_dest/key';
```
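The parameter table says the key backup path cannot overlap with the data backup or log archiving path, and that omitting the password leaves the key backup unencrypted. The following pre-flight check is an added example, not OceanBase code: it rejects an overlapping path and a missing password before producing the statement text. The function names are hypothetical, "overlap" is assumed to mean the same location or one path nested inside the other, and requiring a password is this example's own policy.

```python
import re
from posixpath import normpath
from urllib.parse import urlsplit

# Assumption: tenant names are restricted to plain identifiers here.
TENANT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def split_dest(uri):
    """Return (scheme, host, path segments) for a backup destination URI."""
    u = urlsplit(uri)
    segments = [s for s in normpath(u.path or "/").split("/") if s]
    return u.scheme.lower(), u.netloc.lower(), segments


def paths_overlap(a, b):
    """True if a and b are the same location or one is nested in the other."""
    sa, ha, pa = split_dest(a)
    sb, hb, pb = split_dest(b)
    n = min(len(pa), len(pb))
    return (sa, ha) == (sb, hb) and pa[:n] == pb[:n]


def quote(value):
    """Single-quote a literal; reject characters that would need escaping."""
    if "'" in value or "\\" in value:
        raise ValueError("quote or backslash not allowed in literal")
    return "'" + value + "'"


def build_backup_key_stmt(key_path, reserved_paths, password, tenants=()):
    """Validate the inputs, then return the ALTER SYSTEM BACKUP KEY text."""
    for reserved in reserved_paths:
        if paths_overlap(key_path, reserved):
            raise ValueError(f"key path overlaps {reserved}")
    if not password:
        # Local policy of this example: never write an unencrypted key backup.
        raise ValueError("ENCRYPTED BY password is required")
    for name in tenants:
        if not TENANT_RE.fullmatch(name):
            raise ValueError(f"unexpected tenant name: {name!r}")
    clause = f" TENANT = {', '.join(tenants)}" if tenants else ""
    # The returned text contains the password: keep it out of logs.
    return (f"ALTER SYSTEM BACKUP KEY{clause} TO {quote(key_path)}"
            f" ENCRYPTED BY {quote(password)};")
```

Pass the data backup and log archiving destinations configured for the tenant as `reserved_paths`.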