Securing MySQL Backups: A Guide

Lukas Vileikis

If you’ve ever used MySQL, chances are you have taken backups of your database, and if you have, you have probably wondered at least once how to secure them. In this blog post we are going to tell you how to do exactly that.

Why Should You Secure Your MySQL Backups?

Before we tell you how you should secure your MySQL backups, we should probably tell you why you should secure them in the first place. What do we even mean by “securing” your MySQL backups? MySQL backups should be secure by default, right? Unfortunately, not everything is as simple as it seems. To take and maintain secure MySQL backups, you should consider the following things:

  1. Securely take your MySQL backups

  2. Securely store your MySQL backups

  3. Securely transfer your MySQL backups

Now obviously that’s easier said than done, but we will provide some general advice that can guide you in the right direction.

Securing MySQL Backups

  1. To securely take your MySQL backups with, for example, mysqldump, keep the username and password of your MySQL user in an option file rather than on the command line. A .my.cnf file in your home directory is read automatically by the MySQL client programs after the global my.cnf; if you would rather keep the credentials in a file at another path, pass --defaults-extra-file=/path/to/file, which makes the program read that file after the global option file:
     

    [mysqldump]
    user=demo_user
    password=demo_password

    This way you no longer need to provide your MySQL password when running mysqldump, and the password never shows up in the process list (ps) or in your shell history, where a password given on the command line is visible to anyone on the host. The option file itself still needs protecting: make it readable only by its owner (chmod 600), and note that MySQL ignores an option file that is world-writable. On MySQL (MariaDB does not ship it) you can alternatively store the credentials with mysql_config_editor, which keeps them in an obfuscated ~/.mylogin.cnf and selects them with --login-path.

  2. Consider taking a look at mysqldump-secure: it’s a POSIX-compliant wrapper script around mysqldump with encryption capabilities. The tool can back up each database as a separate file, and databases can be blacklisted from being backed up. It can also encrypt the dumps it produces, and it is self-validating, meaning that if anything goes wrong it will tell you what happened and how to fix it. If you’re looking for an alternative to plain mysqldump, definitely consider giving it a try.

  3. Once you’ve taken a backup of your MySQL or MariaDB database instances, consider encrypting it. Chances are data is one of the most precious assets of your organization, and encrypting the backup makes sure a copied or misplaced backup file does not hand that data to whoever finds it. Thankfully, encrypting MySQL backups is not very complex and it can be done in a couple of ways, including encrypting the local file and encrypting the backup on-the-fly. To encrypt a local copy of your backup, take a backup of the data stored in MySQL, then encrypt it with, for example, OpenSSL (replace password with the passphrase you want to use):

    $ openssl enc -aes-256-cbc -salt -pbkdf2 -in backup.tar.gz -out backup.tar.gz.enc -k password

    Your backup can be decrypted by running:

    $ openssl enc -d -aes-256-cbc -pbkdf2 -in backup.tar.gz.enc -out backup.tar.gz -k password

    A few caveats. -pbkdf2 (OpenSSL 1.1.1 and later) makes enc derive the key with PBKDF2; without it, enc falls back to its legacy single-iteration key derivation and prints a deprecation warning, and you must use the same flag when decrypting. -k puts the passphrase on the command line, which is exactly what point 1 avoided for the database password: prefer -pass file:/path/to/passfile (a file readable only by the backup user) or -pass env:VARIABLE. Finally, AES-256-CBC gives confidentiality only, and openssl enc does not offer authenticated modes such as GCM, so a modified or corrupted file is not detected by decryption alone: keep a checksum of the encrypted file somewhere the backup itself cannot be altered, and test-restore your backups regularly.


    You can also encrypt your backups on-the-fly, so that the unencrypted dump never touches disk: generate the backup, compress it and encrypt it in a single pipeline. Here’s how to do that for MySQL using mysqldump (the output name is yours to choose; .sql.gz.enc describes what the file actually contains, a gzipped SQL dump that has been encrypted):

    mysqldump --all-databases --single-transaction --triggers --routines | gzip | openssl enc -aes-256-cbc -salt -pbkdf2 -k password > encrypted_backup.sql.gz.enc

    Two things to keep in mind. --single-transaction gives a consistent snapshot for InnoDB tables only. And the exit status of this pipeline is that of openssl, not of mysqldump, so a dump that fails halfway still leaves a well-formed encrypted file behind; in bash, run it under set -o pipefail (or inspect PIPESTATUS) and delete the output when any stage failed.

    You can also encrypt your backups using ClusterControl: check the boxes “Use Compression” and/or “Enable Encryption” in the last stage of the backup wizard and you’re done. Yes, it’s as easy as that!
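The three points above as one runnable procedure. This is an added example, not code from the original post or from ClusterControl: it writes the credentials file with owner-only permissions, runs the dump through gzip and OpenSSL with the passphrase read from a file instead of -k, fails the backup when the dump command fails, and verifies the result without writing plaintext anywhere. The paths /root/.mysqldump.cnf, /root/.backup.pass and /var/backups/all.sql.gz.enc and the account backup_user are placeholders of my own, and the example assumes OpenSSL 1.1.1 or later for -pbkdf2.

```shell
#!/bin/sh
# Added example, not code from the original post or from ClusterControl.
# Assumed names: /root/.mysqldump.cnf, /root/.backup.pass, backup_user,
# /var/backups/all.sql.gz.enc; adapt them to your host.
set -eu

# 1. Credentials go in an option file only its owner can read, so the
#    password is never on the mysqldump command line (ps, shell history).
write_dump_credentials() {            # $1 = file, $2 = user, $3 = password
    ( umask 077; printf '[mysqldump]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"                    # in case the file already existed
}

file_mode() {                         # permission bits in octal (GNU or BSD stat)
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 2. dump | gzip | openssl in one pipeline, so plaintext never touches disk.
#    The passphrase comes from a file (-pass file:) instead of -k, and the key
#    is derived with PBKDF2 (OpenSSL 1.1.1+) instead of enc's legacy KDF.
#    A pipeline reports only the status of its last command, so a failing
#    dump is recorded separately and the partial output file is deleted.
backup_encrypted() {                  # $1 = passphrase file, $2 = output, $3.. = dump command
    passfile=$1; out=$2; shift 2
    status=$(mktemp)
    { "$@" || echo "$?" > "$status"; } | gzip -c |
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
            -pass "file:$passfile" -out "$out"
    if [ -s "$status" ]; then
        rc=$(cat "$status")
        rm -f "$status" "$out"
        return "$rc"
    fi
    rm -f "$status"
}

# 3. Restore path: decrypt to stdout so the SQL can be piped into mysql.
decrypt_backup() {                    # $1 = passphrase file, $2 = encrypted file
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$1" -in "$2" | gzip -dc
}

# 4. Check a backup without writing plaintext anywhere. AES-CBC does not
#    detect tampering or a wrong passphrase by itself; the gzip CRC inside
#    the stream fails on a corrupted, truncated or mis-decrypted file.
verify_backup() {                     # $1 = passphrase file, $2 = encrypted file
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$1" -in "$2" 2>/dev/null |
        gzip -t 2>/dev/null
}

# Usage with a real server:
#   write_dump_credentials /root/.mysqldump.cnf backup_user 'S3cret!'
#   ( umask 077; printf '%s\n' 'long random passphrase' > /root/.backup.pass )
#   backup_encrypted /root/.backup.pass /var/backups/all.sql.gz.enc \
#       mysqldump --defaults-extra-file=/root/.mysqldump.cnf \
#                 --all-databases --single-transaction --triggers --routines --events
#   verify_backup /root/.backup.pass /var/backups/all.sql.gz.enc && echo "backup verifies"
#   decrypt_backup /root/.backup.pass /var/backups/all.sql.gz.enc | mysql   # restore
```

The verification step relies on the CRC inside the gzip stream, which is a corruption check rather than a cryptographic authenticator, so the advice above about keeping a checksum of the encrypted file elsewhere and test-restoring regularly still applies. The status-file trick in backup_encrypted is the POSIX way to get what bash's set -o pipefail gives you: the exit code of the dump, not of openssl.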
     

You might also want to take a look at a shell script called mysql_secure_installation (or mariadb_secure_installation if you’re using MariaDB). It hardens the server rather than the backup files, but the server is where the backups are taken from, and a dump of an instance with anonymous users or a remotely reachable root account carries those accounts into every restore. The script enables you to:

  • Set a password for MySQL’s root accounts.

  • Remove root accounts that are accessible from outside localhost.

  • Remove anonymous user accounts and the test database, which anonymous users can access.
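Whether the script was run is worth checking rather than assuming. As an added example that is not part of the original post, the function below audits the rows of mysql.user for the two account problems mysql_secure_installation removes; it reads one user and host pair per line, exactly as mysql -N -B prints them, so the same function can be run against the live server or against a saved copy of the query output.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the accounts
# mysql_secure_installation is meant to remove are actually gone.
# Feed it the rows from
#   mysql -N -B -e "SELECT user, host FROM mysql.user" | audit_mysql_accounts
# (one "user<TAB>host" per line). Prints one finding per line and returns 1
# when anything is found, 0 when the account table is clean.
audit_mysql_accounts() {
    awk -F'\t' '
        # empty user name = anonymous account (whatever the host)
        $1 == "" { print "anonymous account @" $2; bad = 1 }
        # root must only be reachable over the local socket / loopback
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "root reachable from " $2; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage against a live server (run as a user that can read mysql.user):
#   mysql -N -B -e "SELECT user, host FROM mysql.user" | audit_mysql_accounts \
#       && echo "no anonymous or remote-root accounts"
```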

If you are deploying MySQL or MariaDB using ClusterControl, something that you can do freely with the Community Edition, the deployment process automatically takes care of these security measures.

Summary

When it comes to securing your MySQL backups, the list of things you can do is pretty long. We hope that this blog post has given you some ideas on how to secure your MySQL or MariaDB backups: in general, keep the password out of the command line when mysqldump is invoked, encrypt the backups, either as local files or on-the-fly, keep the encryption passphrase out of the command line too, and verify that what you stored can actually be restored.
