br: add doc for log backup encryption #18650
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ti-chi-bot
bot
added
the
first-time-contributor
|
|
ti-chi-bot
bot
added
missing-translation-status
Oreoxmt
added
do-not-merge/hold
ti-chi-bot
bot
removed
the
missing-translation-status
ti-chi-bot
bot
added
size/M
qiancai
added
translation/from-docs
qiancai
reviewed
Sep 24, 2024
br/br-pitr-manual.md
Outdated
| @@ -87,6 +87,64 @@ tiup br log start --task-name=pitr --pd="${PD_IP}:2379" \ | |||
| --storage='s3://backup-101/logbackup?access-key=${access-key}&secret-access-key=${secret-access-key}"' | |||
| ``` | |||
|
|
|||
| ### 日志数据备份加密 | |||
There was a problem hiding this comment.
Suggested change
| ### 日志数据备份加密 | |
| ### 加密日志备份数据 |
BornChanger
approved these changes
Sep 24, 2024
|
@BornChanger: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
qiancai
reviewed
Sep 26, 2024
br/br-pitr-manual.md
Outdated
|
|
||
| > **警告:** | ||
| > | ||
| > 当前该功能为实验特性,不建议在生产环境中使用。 |
There was a problem hiding this comment.
Suggested change
| > 当前该功能为实验特性,不建议在生产环境中使用。 | |
| > 当前该功能为实验特性,不建议在生产环境中使用。该功能可能会在未事先通知的情况下发生变化或删除。如果发现 bug,请在 GitHub 上提 [issue](https://github.com/pingcap/tidb/issues) 反馈。 |
br/br-pitr-manual.md
Outdated
|
|
||
| BR 支持在上传到备份存储之前对日志备份数据进行加密。 | ||
|
|
||
| 自 TiDB v8.4.0 起,你可以通过直接传入数据密钥配置参数来加密日志备份数据,类似于快照备份加密: |
There was a problem hiding this comment.
Suggested change
| 自 TiDB v8.4.0 起,你可以通过直接传入数据密钥配置参数来加密日志备份数据,类似于快照备份加密: | |
| 自 TiDB v8.4.0 起,你可以在日志备份命令中传入以下参数来加密日志备份数据,类似于[快照备份加密](/br/br-snapshot-manual.md#备份数据加密): |
br/br-pitr-manual.md
Outdated
Comment on lines
117
to
118
| --master-key-crypter-method:用于加密日志备份文件的加密算法,可以是 aes128-ctr、aes192-ctr 或 aes256-ctr。默认值为 plaintext。 | ||
| --master-key:主密钥配置。可以是基于本地磁盘的主密钥或基于云 KMS 的主密钥。 |
There was a problem hiding this comment.
Suggested change
| --master-key-crypter-method:用于加密日志备份文件的加密算法,可以是 aes128-ctr、aes192-ctr 或 aes256-ctr。默认值为 plaintext。 | |
| --master-key:主密钥配置。可以是基于本地磁盘的主密钥或基于云 KMS 的主密钥。 | |
| `--master-key-crypter-method`:基于主密钥的加密算法,支持 `aes128-ctr`、`aes192-ctr` 和 `aes256-ctr` 三种算法,缺省值为 `plaintext`,表示不加密 | |
| `--master-key`:主密钥配置,可以是基于本地磁盘的主密钥或基于云 KMS 的主密钥 |
br/br-pitr-manual.md
Outdated
|
|
||
| > **警告:** | ||
| > | ||
| > 当前该功能为实验特性,不建议在生产环境中使用。 |
There was a problem hiding this comment.
Suggested change
| > 当前该功能为实验特性,不建议在生产环境中使用。 | |
| > 当前该功能为实验特性,不建议在生产环境中使用。该功能可能会在未事先通知的情况下发生变化或删除。如果发现 bug,请在 GitHub 上提 [issue](https://github.com/pingcap/tidb/issues) 反馈。 |
br/br-pitr-manual.md
Outdated
| --log.crypter.key 0123456789abcdef0123456789abcdef | ||
| ``` | ||
|
|
||
| 然而,在更严格的加密场景中,你可能不希望在命令行中传入固定的加密密钥。相反,你可以使用基于主密钥的加密系统来管理加密密钥。基于主密钥的加密使用不同的数据密钥来加密不同的日志备份文件,并且支持主密钥轮换。 |
There was a problem hiding this comment.
Suggested change
| 然而,在更严格的加密场景中,你可能不希望在命令行中传入固定的加密密钥。相反,你可以使用基于主密钥的加密系统来管理加密密钥。基于主密钥的加密使用不同的数据密钥来加密不同的日志备份文件,并且支持主密钥轮换。 | |
| 然而,在一些对安全性要求更高的场景中,你可能不希望在命令行中直接传入固定的加密密钥。为了进一步提高安全性,你可以使用基于主密钥的加密系统来管理加密密钥。该系统会使用不同的数据密钥来加密不同的日志备份文件,并且支持主密钥轮换。 |
br/br-pitr-manual.md
Outdated
| --log.crypter.key 0123456789abcdef0123456789abcdef | ||
| ``` | ||
|
|
||
| 如果你使用主密钥加密进行日志备份,则可以使用以下命令: |
There was a problem hiding this comment.
Suggested change
| 如果你使用主密钥加密进行日志备份,则可以使用以下命令: | |
| 如果日志备份是通过主密钥加密的,则可以使用以下命令进行解密恢复: |
qiancai
reviewed
Sep 26, 2024
br/br-pitr-manual.md
Outdated
| > | ||
| > 当前该功能为实验特性,不建议在生产环境中使用。 | ||
|
|
||
| 在对数据进行加密备份后,恢复操作需要传入相应的解密参数。如果解密算法或密钥不正确,则无法恢复数据。解密参数需要与加密时使用的参数一致。解密恢复的示例如下: |
There was a problem hiding this comment.
Suggested change
| 在对数据进行加密备份后,恢复操作需要传入相应的解密参数。如果解密算法或密钥不正确,则无法恢复数据。解密参数需要与加密时使用的参数一致。解密恢复的示例如下: | |
| 要恢复加密的日志备份数据,你需要在恢复命令中传入相应的解密参数。解密参数需要与加密时使用的参数一致。如果解密算法或密钥不正确,则无法恢复数据。 | |
| 示例如下: |
qiancai
reviewed
Sep 26, 2024
br/br-pitr-manual.md
Outdated
| - `--log.crypter.key`:加密密钥,十六进制字符串格式,`aes128-ctr` 对应 128 位(16 字节)密钥长度,`aes192-ctr` 为 24 字节,`aes256-ctr` 为 32 字节 | ||
| - `--log.crypter.key-file`:密钥文件,可直接将存放密钥的文件路径作为参数传入,此时 `log.crypter.key` 不需要配置 | ||
|
|
||
| 备份加密的示例如下: |
There was a problem hiding this comment.
Suggested change
| 备份加密的示例如下: | |
| 示例如下: |
ti-chi-bot
bot
added
size/L
|
@qiancai thanks for the suggestions! I have applied them locally and pushed. It's weird when I click the commit suggestion button on the GitHub UI it will fail with email not correct error... |
|
/retest |
qiancai
reviewed
Sep 27, 2024
Tristan1900
force-pushed
the
add-local-encryption-doc
branch
from
7cde23f
to
9cc6f49
Compare
qiancai
reviewed
Sep 27, 2024
qiancai
reviewed
Sep 27, 2024
qiancai
approved these changes
Sep 27, 2024
ti-chi-bot
bot
added
lgtm
and removed
needs-1-more-lgtm
Co-authored-by: Aolin <[email protected]>
Co-authored-by: Aolin <[email protected]>
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: qiancai The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
qiancai
removed
the
do-not-merge/hold
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
First-time contributors' checklist
What is changed, added or deleted? (Required)
Which TiDB version(s) do your changes apply to? (Required)
Tips for choosing the affected version(s):
By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.
For details, see tips for choosing the affected versions (in Chinese).
What is the related PR or file link(s)?
Do your changes match any of the following descriptions?