-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
br: add doc for log backup encryption #18650
br: add doc for log backup encryption #18650
Conversation
br/br-pitr-manual.md
Outdated
@@ -87,6 +87,64 @@ tiup br log start --task-name=pitr --pd="${PD_IP}:2379" \ | |||
--storage='s3://backup-101/logbackup?access-key=${access-key}&secret-access-key=${secret-access-key}"' | |||
``` | |||
|
|||
### 日志数据备份加密 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
### 日志数据备份加密 | |
### 加密日志备份数据 |
@BornChanger: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
br/br-pitr-manual.md
Outdated
|
||
> **警告:** | ||
> | ||
> 当前该功能为实验特性,不建议在生产环境中使用。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
> 当前该功能为实验特性,不建议在生产环境中使用。 | |
> 当前该功能为实验特性,不建议在生产环境中使用。该功能可能会在未事先通知的情况下发生变化或删除。如果发现 bug,请在 GitHub 上提 [issue](https://github.com/pingcap/tidb/issues) 反馈。 |
br/br-pitr-manual.md
Outdated
|
||
BR 支持在上传到备份存储之前对日志备份数据进行加密。 | ||
|
||
自 TiDB v8.4.0 起,你可以通过直接传入数据密钥配置参数来加密日志备份数据,类似于快照备份加密: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
自 TiDB v8.4.0 起,你可以通过直接传入数据密钥配置参数来加密日志备份数据,类似于快照备份加密: | |
自 TiDB v8.4.0 起,你可以在日志备份命令中传入以下参数来加密日志备份数据,类似于[快照备份加密](/br/br-snapshot-manual.md#备份数据加密): |
br/br-pitr-manual.md
Outdated
--master-key-crypter-method:用于加密日志备份文件的加密算法,可以是 aes128-ctr、aes192-ctr 或 aes256-ctr。默认值为 plaintext。 | ||
--master-key:主密钥配置。可以是基于本地磁盘的主密钥或基于云 KMS 的主密钥。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--master-key-crypter-method:用于加密日志备份文件的加密算法,可以是 aes128-ctr、aes192-ctr 或 aes256-ctr。默认值为 plaintext。 | |
--master-key:主密钥配置。可以是基于本地磁盘的主密钥或基于云 KMS 的主密钥。 | |
`--master-key-crypter-method`:基于主密钥的加密算法,支持 `aes128-ctr`、`aes192-ctr` 和 `aes256-ctr` 三种算法,缺省值为 `plaintext`,表示不加密 | |
`--master-key`:主密钥配置,可以是基于本地磁盘的主密钥或基于云 KMS 的主密钥 |
br/br-pitr-manual.md
Outdated
|
||
> **警告:** | ||
> | ||
> 当前该功能为实验特性,不建议在生产环境中使用。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
> 当前该功能为实验特性,不建议在生产环境中使用。 | |
> 当前该功能为实验特性,不建议在生产环境中使用。该功能可能会在未事先通知的情况下发生变化或删除。如果发现 bug,请在 GitHub 上提 [issue](https://github.com/pingcap/tidb/issues) 反馈。 |
br/br-pitr-manual.md
Outdated
--log.crypter.key 0123456789abcdef0123456789abcdef | ||
``` | ||
|
||
然而,在更严格的加密场景中,你可能不希望在命令行中传入固定的加密密钥。相反,你可以使用基于主密钥的加密系统来管理加密密钥。基于主密钥的加密使用不同的数据密钥来加密不同的日志备份文件,并且支持主密钥轮换。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
然而,在更严格的加密场景中,你可能不希望在命令行中传入固定的加密密钥。相反,你可以使用基于主密钥的加密系统来管理加密密钥。基于主密钥的加密使用不同的数据密钥来加密不同的日志备份文件,并且支持主密钥轮换。 | |
然而,在一些对安全性要求更高的场景中,你可能不希望在命令行中直接传入固定的加密密钥。为了进一步提高安全性,你可以使用基于主密钥的加密系统来管理加密密钥。该系统会使用不同的数据密钥来加密不同的日志备份文件,并且支持主密钥轮换。 |
br/br-pitr-manual.md
Outdated
--log.crypter.key 0123456789abcdef0123456789abcdef | ||
``` | ||
|
||
如果你使用主密钥加密进行日志备份,则可以使用以下命令: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
如果你使用主密钥加密进行日志备份,则可以使用以下命令: | |
如果日志备份是通过主密钥加密的,则可以使用以下命令进行解密恢复: |
br/br-pitr-manual.md
Outdated
> | ||
> 当前该功能为实验特性,不建议在生产环境中使用。 | ||
|
||
在对数据进行加密备份后,恢复操作需要传入相应的解密参数。如果解密算法或密钥不正确,则无法恢复数据。解密参数需要与加密时使用的参数一致。解密恢复的示例如下: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
在对数据进行加密备份后,恢复操作需要传入相应的解密参数。如果解密算法或密钥不正确,则无法恢复数据。解密参数需要与加密时使用的参数一致。解密恢复的示例如下: | |
要恢复加密的日志备份数据,你需要在恢复命令中传入相应的解密参数。解密参数需要与加密时使用的参数一致。如果解密算法或密钥不正确,则无法恢复数据。 | |
示例如下: |
br/br-pitr-manual.md
Outdated
- `--log.crypter.key`:加密密钥,十六进制字符串格式,`aes128-ctr` 对应 128 位(16 字节)密钥长度,`aes192-ctr` 为 24 字节,`aes256-ctr` 为 32 字节 | ||
- `--log.crypter.key-file`:密钥文件,可直接将存放密钥的文件路径作为参数传入,此时 `log.crypter.key` 不需要配置 | ||
|
||
备份加密的示例如下: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
备份加密的示例如下: | |
示例如下: |
@qiancai thanks for the suggestions! I have applied them locally and pushed. It's weird when I click the commit suggestion button on the GitHub UI it will fail with email not correct error... |
/retest |
7cde23f
to
9cc6f49
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rest LGTM
Co-authored-by: Aolin <[email protected]>
Co-authored-by: Aolin <[email protected]>
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: qiancai The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
First-time contributors' checklist
What is changed, added or deleted? (Required)
Which TiDB version(s) do your changes apply to? (Required)
Tips for choosing the affected version(s):
By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.
For details, see tips for choosing the affected versions (in Chinese).
What is the related PR or file link(s)?
Do your changes match any of the following descriptions?