Purpose
Before data backup, if transparent data encryption (TDE) is enabled for the original tenant, use the ALTER SYSTEM BACKUP KEY statement to back up the keys of the source tenant.
Limitations and considerations
After backing up the key, if the source tenant triggers a key rotation before you restore the data, you must back up the key again.
Privilege requirements
The procedure must be executed by the root user of the sys tenant (root@sys) or an administrator of each tenant.
- In MySQL-compatible mode, the default administrator user is root.
- In Oracle-compatible mode, the default administrator user is SYS.
Syntax
ALTER SYSTEM BACKUP KEY [TENANT [=] {tenant_name[, tenant_name]...}] TO 'backup_key_path' [ENCRYPTED BY 'password'];
Parameters
| Parameter | Description |
|---|---|
| tenant_name | The name of the system tenant for which the secret key is to be backed up. You can specify multiple tenant names and separate them with commas (,). If the system tenant is not specified, the secret keys of all user tenants in the backup cluster will be backed up. Notice: Only the system tenant can execute this command with the |
| backup_key_path | The path where the key is to be backed up. This path is user-defined and must not be the same as the path for database backups or log archiving. |
| password | The encryption password for the key backup path. By default, the backup path is not encrypted. |
Examples
In the sys tenant, run the ALTER SYSTEM BACKUP KEY statement for tenant mysql_tenant to back up keys to the file:///data_backup_dest/key directory, and specify an encryption password.

obclient [oceanbase]> ALTER SYSTEM BACKUP KEY TENANT = mysql_tenant TO 'file:///data_backup_dest/key' ENCRYPTED BY '******';

The mysql_tenant tenant backs up the tenant key to the file:///data_backup_dest/key path.

obclient [oceanbase]> ALTER SYSTEM BACKUP KEY TO 'file:///data_backup_dest/key';
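
The following pre-flight helper is an added example, not part of the OceanBase documentation or product. It builds the statement only when the key path is distinct from the data backup and log archive destinations and a password is set. The tenant-name pattern, the rejection of nested paths, and the refusal of an empty password are assumptions stricter than the page requires.

```python
import re
from urllib.parse import urlsplit

_TENANT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumed identifier rule


def _norm(uri):
    """Normalize a destination URI so trivially different spellings compare equal."""
    parts = urlsplit(uri)
    path = re.sub(r"/+", "/", parts.path).rstrip("/")
    return (parts.scheme.lower(), parts.netloc.lower(), path)


def _overlaps(a, b):
    """True if a and b are the same location or one is nested inside the other."""
    (sa, na, pa), (sb, nb, pb) = _norm(a), _norm(b)
    if (sa, na) != (sb, nb):
        return False
    return pa == pb or pa.startswith(pb + "/") or pb.startswith(pa + "/")


def _literal(value, what):
    """Quote a value as a SQL string literal, refusing quote/escape characters."""
    if not value or "'" in value or "\\" in value:
        raise ValueError(f"{what} is empty or contains a quote or backslash")
    return "'" + value + "'"


def build_backup_key_stmt(key_path, password, reserved_paths, tenants=()):
    """Build ALTER SYSTEM BACKUP KEY after checking the constraints above."""
    for name in tenants:
        if not _TENANT_RE.fullmatch(name):
            raise ValueError(f"invalid tenant name: {name!r}")
    for other in reserved_paths:  # data backup and log archive destinations
        if _overlaps(key_path, other):
            raise ValueError(f"key path overlaps backup/archive path {other}")
    if not password:  # the page notes the key backup is unencrypted by default
        raise ValueError("refusing to write an unencrypted key backup")
    stmt = "ALTER SYSTEM BACKUP KEY "
    if tenants:
        stmt += "TENANT = " + ", ".join(tenants) + " "
    return (stmt + "TO " + _literal(key_path, "key path")
            + " ENCRYPTED BY " + _literal(password, "password") + ";")
```

Pass the cluster's actual data backup and log archive destinations as `reserved_paths`. Rerun the generated statement after any key rotation that happens before the restore.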