This blog is not intended to offer anything extraordinary; instead, consider it an anecdote, a lesson, or simply a proper way of doing things without the need to run a test when in doubt.
That said, I must emphasize that, as always, testing everything before deploying to production is essential.
Let’s dive into the story: while I was working on a specific task, a colleague sent me a message asking the following:
Hey Fernando!
If an xb is encrypted + compressed, what should be done first? Decompress or decrypt?
Remember, I was focused on something else, but in my eagerness to help him reasonably quickly, without testing and trying to use common sense, I responded as follows:
Good question!
Decrypt, then decompress.
That makes sense, right? He first agreed: it made sense. Then, minutes later, everything changed: it seemed that it wasn’t the case. He replied to me:
I checked with another colleague, and the opposite is true: decompress and decrypt.
I said, “OK, sorry for the inaccurate response,” and moved on, worried.
A few days later, I had to execute a change involving rebuilding a replica using a compressed and encrypted backup (how curious, right? I wonder who wrote it, ha).
Anyway, when the moment of truth came, I saw the steps as suggested by that colleague:
- Decompress the backup
- Decrypt the decompressed data
To my surprise, the first operation didn’t do anything at all: it gave only a generic false output like this (ignore the dates and everything else; it’s anecdotal)
1 2 | xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7) 2024-12-14T11:09:22.611811-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK! |
Then I realized that I was the right one, ha! It was the opposite.
- Decrypt the backup
- Decompress the decrypted data
Here’s why it should be done this way: Compress first. Once encrypted, a file becomes a stream of seemingly data that cannot be compressed effectively. Compression relies on identifying patterns within the data, and encryption removes those patterns, rendering compression futile.
The rest of the steps went smoothly (no need to mention them here).
Anyway, just to prove it’s not just words, here’s the proof.
The backup
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | [fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --backup --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --datadir=/home/fernando.mattera/sandboxes/msb_8_0_35/data/ --target-dir=/home/fernando.mattera/XtraBackups --compress --encrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key 2024-12-14T11:02:22.085024-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql --datadir=/home/fernando.mattera/sandboxes/msb_8_0_35/data/ 2024-12-14T11:02:22.085402-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --backup=1 --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --compress --encrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7) 241214 11:02:22 version_check Connecting to MySQL server with DSN 'dbi:mysql:;mysql_read_default_group=xtrabackup;host=127.0.0.1;port=8035;mysql_socket=/tmp/mysql_sandbox8035.sock' as 'root' (using password: YES). 241214 11:02:22 version_check Connected to MySQL server 241214 11:02:22 version_check Executing a version check against the server... 241214 11:02:25 version_check Done. 2024-12-14T11:02:25.218435-00:00 0 [Note] [MY-011825] [Xtrabackup] Connecting to MySQL server host: 127.0.0.1, user: root, password: set, port: 8035, socket: /tmp/mysql_sandbox8035.sock 2024-12-14T11:02:25.276909-00:00 0 [Note] [MY-011825] [Xtrabackup] Using server version 8.0.35-27 2024-12-14T11:02:25.279288-00:00 0 [Note] [MY-011825] [Xtrabackup] Executing LOCK TABLES FOR BACKUP ... 2024-12-14T11:02:25.282586-00:00 0 [Note] [MY-011825] [Xtrabackup] uses posix_fadvise(). 2024-12-14T11:02:27.218834-00:00 0 [Note] [MY-011825] [Xtrabackup] Done: Compressing and encrypting file /home/fernando.mattera/XtraBackups/backup-my.cnf.zst.xbcrypt 2024-12-14T11:02:27.222410-00:00 0 [Note] [MY-011825] [Xtrabackup] Compressing and encrypting /home/fernando.mattera/XtraBackups/xtrabackup_info.zst.xbcrypt ...several lines later... 2024-12-14T11:02:28.229632-00:00 0 [Note] [MY-011825] [Xtrabackup] Transaction log of lsn (28222178) to (28222198) was copied. 2024-12-14T11:02:28.444521-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK! |
The backup files
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | [fernando.mattera@ms-highram-test01|dev ~]$ ls -l /home/fernando.mattera/XtraBackups/ total 1428 -rw-r-----. 1 fernando.mattera percona 380 Dec 14 11:02 backup-my.cnf.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 204 Dec 14 11:02 binlog.000005.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 121 Dec 14 11:02 binlog.index.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 793 Dec 14 11:02 ib_buffer_pool.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 4082 Dec 14 11:02 ibdata1.zst.xbcrypt drwxr-x---. 2 fernando.mattera percona 4096 Dec 14 11:02 mysql -rw-r-----. 1 fernando.mattera percona 1383901 Dec 14 11:02 mysql.ibd.zst.xbcrypt drwxr-x---. 2 fernando.mattera percona 8192 Dec 14 11:02 performance_schema drwxr-x---. 2 fernando.mattera percona 40 Dec 14 11:02 sys drwxr-x---. 2 fernando.mattera percona 35 Dec 14 11:02 test -rw-r-----. 1 fernando.mattera percona 5940 Dec 14 11:02 undo_001.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 8808 Dec 14 11:02 undo_002.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 123 Dec 14 11:02 xtrabackup_binlog_info.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 134 Dec 14 11:02 xtrabackup_checkpoints -rw-r-----. 1 fernando.mattera percona 509 Dec 14 11:02 xtrabackup_info.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 330 Dec 14 11:02 xtrabackup_logfile.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 144 Dec 14 11:02 xtrabackup_tablespaces.zst.xbcrypt |
The restore, starting with decompress first (which, obviously, failed)
1 2 3 4 5 | [fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --decompress --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --remove-original 2024-12-14T11:09:22.509686-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql 2024-12-14T11:09:22.509990-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --decompress=1 --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --remove-original=1 xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7) 2024-12-14T11:09:22.611811-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK! |
Why did it fail? Because the files were the same!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | [fernando.mattera@ms-highram-test01|dev ~]$ ls -l /home/fernando.mattera/XtraBackups/ total 1428 -rw-r-----. 1 fernando.mattera percona 380 Dec 14 11:02 backup-my.cnf.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 204 Dec 14 11:02 binlog.000005.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 121 Dec 14 11:02 binlog.index.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 793 Dec 14 11:02 ib_buffer_pool.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 4082 Dec 14 11:02 ibdata1.zst.xbcrypt drwxr-x---. 2 fernando.mattera percona 4096 Dec 14 11:02 mysql -rw-r-----. 1 fernando.mattera percona 1383901 Dec 14 11:02 mysql.ibd.zst.xbcrypt drwxr-x---. 2 fernando.mattera percona 8192 Dec 14 11:02 performance_schema drwxr-x---. 2 fernando.mattera percona 40 Dec 14 11:02 sys drwxr-x---. 2 fernando.mattera percona 35 Dec 14 11:02 test -rw-r-----. 1 fernando.mattera percona 5940 Dec 14 11:02 undo_001.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 8808 Dec 14 11:02 undo_002.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 123 Dec 14 11:02 xtrabackup_binlog_info.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 134 Dec 14 11:02 xtrabackup_checkpoints -rw-r-----. 1 fernando.mattera percona 509 Dec 14 11:02 xtrabackup_info.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 330 Dec 14 11:02 xtrabackup_logfile.zst.xbcrypt -rw-r-----. 1 fernando.mattera percona 144 Dec 14 11:02 xtrabackup_tablespaces.zst.xbcrypt |
How did it work? Decrypting and then decompressing.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 | [fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --decrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --remove-original 2024-12-14T11:11:27.686020-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql 2024-12-14T11:11:27.686396-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --decrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups --remove-original=1 xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7) 2024-12-14T11:11:27.687193-00:00 0 [Note] [MY-011825] [Xtrabackup] decrypting ./xtrabackup_logfile.zst.xbcrypt 2024-12-14T11:11:27.704967-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_logfile.zst.xbcrypt ...several lines later... 2024-12-14T11:11:29.658611-00:00 0 [Note] [MY-011825] [Xtrabackup] decrypting ./xtrabackup_tablespaces.zst.xbcrypt 2024-12-14T11:11:29.675230-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_tablespaces.zst.xbcrypt 2024-12-14T11:11:29.690206-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK! [fernando.mattera@ms-highram-test01|dev ~]$ ls -l /home/fernando.mattera/XtraBackups/ total 73144 -rw-r--r--. 1 fernando.mattera percona 447 Dec 14 11:13 backup-my.cnf -rw-r--r--. 1 fernando.mattera percona 288 Dec 14 11:11 backup-my.cnf.zst -rw-r--r--. 1 fernando.mattera percona 157 Dec 14 11:13 binlog.000005 -rw-r--r--. 1 fernando.mattera percona 112 Dec 14 11:11 binlog.000005.zst -rw-r--r--. 1 fernando.mattera percona 16 Dec 14 11:13 binlog.index -rw-r--r--. 1 fernando.mattera percona 29 Dec 14 11:11 binlog.index.zst -rw-r--r--. 1 fernando.mattera percona 3009 Dec 14 11:13 ib_buffer_pool -rw-r--r--. 1 fernando.mattera percona 701 Dec 14 11:11 ib_buffer_pool.zst -rw-r--r--. 1 fernando.mattera percona 12582912 Dec 14 11:13 ibdata1 -rw-r--r--. 1 fernando.mattera percona 3990 Dec 14 11:11 ibdata1.zst drwxr-x---. 2 fernando.mattera percona 4096 Dec 14 11:13 mysql -rw-r--r--. 1 fernando.mattera percona 27262976 Dec 14 11:13 mysql.ibd -rw-r--r--. 1 fernando.mattera percona 1381877 Dec 14 11:11 mysql.ibd.zst drwxr-x---. 2 fernando.mattera percona 12288 Dec 14 11:13 performance_schema drwxr-x---. 2 fernando.mattera percona 54 Dec 14 11:13 sys drwxr-x---. 2 fernando.mattera percona 44 Dec 14 11:13 test -rw-r--r--. 1 fernando.mattera percona 16777216 Dec 14 11:13 undo_001 -rw-r--r--. 1 fernando.mattera percona 5848 Dec 14 11:11 undo_001.zst -rw-r--r--. 1 fernando.mattera percona 16777216 Dec 14 11:13 undo_002 -rw-r--r--. 1 fernando.mattera percona 8716 Dec 14 11:11 undo_002.zst -rw-r--r--. 1 fernando.mattera percona 18 Dec 14 11:13 xtrabackup_binlog_info -rw-r--r--. 1 fernando.mattera percona 31 Dec 14 11:11 xtrabackup_binlog_info.zst -rw-r-----. 1 fernando.mattera percona 134 Dec 14 11:02 xtrabackup_checkpoints -rw-r--r--. 1 fernando.mattera percona 684 Dec 14 11:13 xtrabackup_info -rw-r--r--. 1 fernando.mattera percona 417 Dec 14 11:11 xtrabackup_info.zst -rw-r--r--. 1 fernando.mattera percona 2560 Dec 14 11:13 xtrabackup_logfile -rw-r--r--. 1 fernando.mattera percona 238 Dec 14 11:11 xtrabackup_logfile.zst -rw-r--r--. 1 fernando.mattera percona 39 Dec 14 11:13 xtrabackup_tablespaces -rw-r--r--. 1 fernando.mattera percona 52 Dec 14 11:11 xtrabackup_tablespaces.zst [fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --decompress --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups/ --remove-original 2024-12-14T11:13:41.759924-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql 2024-12-14T11:13:41.760136-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --decompress=1 --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups/ --remove-original=1 xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7) 2024-12-14T11:13:41.761020-00:00 0 [Note] [MY-011825] [Xtrabackup] decompressing ./sys/sys_config.ibd.zst 2024-12-14T11:13:41.774379-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./sys/sys_config.ibd.zst ...several lines later... 2024-12-14T11:13:43.409183-00:00 0 [Note] [MY-011825] [Xtrabackup] decompressing ./xtrabackup_tablespaces.zst 2024-12-14T11:13:43.415723-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_tablespaces.zst 2024-12-14T11:13:43.464392-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK! |
Easter egg: you can do both things at the same time!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | [fernando.mattera@ms-highram-test01|dev ~]$ xtrabackup --user=root --password=root --decompress --decrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups/ --remove-original 2024-12-14T11:53:58.354060-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized server arguments: --datadir=/var/lib/mysql 2024-12-14T11:53:58.354306-00:00 0 [Note] [MY-011825] [Xtrabackup] recognized client arguments: --user=msandbox --password=* --user=root --password=* --decompress=1 --decrypt=AES256 --encrypt-key-file=/home/fernando.mattera/mysql_backup_key --host=127.0.0.1 --port=8035 --socket=/tmp/mysql_sandbox8035.sock --target-dir=/home/fernando.mattera/XtraBackups/ --remove-original=1 xtrabackup version 8.0.35-31 based on MySQL server 8.0.35 Linux (x86_64) (revision id: 55ec21d7) 2024-12-14T11:53:58.355213-00:00 0 [Note] [MY-011825] [Xtrabackup] decrypting and decompressing ./xtrabackup_logfile.zst.xbcrypt 2024-12-14T11:53:58.373986-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_logfile.zst.xbcrypt 2024-12-14T11:53:58.374142-00:00 0 [Note] [MY-011825] [Xtrabackup] decrypting and decompressing ./ibdata1.zst.xbcrypt ...several lines later... 2024-12-14T11:54:00.785939-00:00 0 [Note] [MY-011825] [Xtrabackup] removing ./xtrabackup_tablespaces.zst.xbcrypt 2024-12-14T11:54:00.859598-00:00 0 [Note] [MY-011825] [Xtrabackup] completed OK! [fernando.mattera@ms-highram-test01|dev ~]$ ls -l /home/fernando.mattera/XtraBackups/ total 71732 -rw-r--r--. 1 fernando.mattera percona 447 Dec 14 11:54 backup-my.cnf -rw-r--r--. 1 fernando.mattera percona 157 Dec 14 11:54 binlog.000007 -rw-r--r--. 1 fernando.mattera percona 16 Dec 14 11:54 binlog.index -rw-r--r--. 1 fernando.mattera percona 3009 Dec 14 11:54 ib_buffer_pool -rw-r--r--. 1 fernando.mattera percona 12582912 Dec 14 11:53 ibdata1 drwxr-x---. 2 fernando.mattera percona 143 Dec 14 11:53 mysql -rw-r--r--. 1 fernando.mattera percona 27262976 Dec 14 11:53 mysql.ibd drwxr-x---. 2 fernando.mattera percona 12288 Dec 14 11:54 performance_schema drwxr-x---. 2 fernando.mattera percona 28 Dec 14 11:53 sys drwxr-x---. 2 fernando.mattera percona 23 Dec 14 11:53 test -rw-r--r--. 1 fernando.mattera percona 16777216 Dec 14 11:53 undo_001 -rw-r--r--. 1 fernando.mattera percona 16777216 Dec 14 11:53 undo_002 -rw-r--r--. 1 fernando.mattera percona 18 Dec 14 11:54 xtrabackup_binlog_info -rw-r-----. 1 fernando.mattera percona 134 Dec 14 11:44 xtrabackup_checkpoints -rw-r--r--. 1 fernando.mattera percona 684 Dec 14 11:54 xtrabackup_info -rw-r--r--. 1 fernando.mattera percona 2560 Dec 14 11:53 xtrabackup_logfile -rw-r--r--. 1 fernando.mattera percona 39 Dec 14 11:54 xtrabackup_tablespaces |
Conclusion
Compression is based on recognizing data patterns within files. When you encrypt, you remove those patterns, which makes compressing after encryption practically pointless. Compress first, then encrypt.
Test everything as much as possible. If time constraints prevent this, rely on common sense; above all, testing provides the foundation for everything to proceed smoothly.
With Percona XtraBackup, you can ensure your applications remain fully available and guarantee the consistency and safety of your data files.
Thanks for the information, Fernando.
My pleasure, Doug.