This is a read-only copy of the MariaDB Knowledgebase generated on 2025-05-02. For the latest, interactive version please visit https://mariadb.com/kb/.

Does MariaDB TDE Automatically Encrypt mariabackup Files?

I have a MariaDB server with TDE (Transparent Data Encryption) configured using:

```ini
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
```

Our goal is to ensure backup files are encrypted without introducing additional keys (e.g., SSL/PGP) due to security team restrictions.

Backups stay on the same VM, with VMware handling secure storage-level backups.

We run:

```sh
mariabackup --backup --target-dir=/mariadb/backup_encrypted
mariabackup --prepare --target-dir=/mariadb/backup_encrypted
```

The backup files (e.g., .ibd, .xbcrypt) appear to inherit TDE encryption, as they’re unreadable without the TDE key.

Questions

1. Is this assumption correct, or does mariabackup create unencrypted copies during backup/prepare?

2. Are there hidden risks (e.g., temporary unencrypted files) we’re overlooking?

3. For compliance, should we still force encryption via --encrypt-backup despite TDE?

Thanks for your insights!
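One way to test the assumption behind question 1 on a finished backup directory, added here as an example and not part of the original post or of MariaDB's tooling: it measures byte entropy per 16 KiB chunk and lists files whose content does not look like ciphertext. The chunk size (InnoDB's default page size), the 7.5 bits/byte threshold, the 5% tolerance and the sample files are assumptions made for this example, and the result is a heuristic, not proof of encryption.

```python
import math
import os
import tempfile
from collections import Counter

CHUNK = 16 * 1024   # assumption: InnoDB default page size (innodb_page_size=16k)
THRESHOLD = 7.5     # assumption: below this many bits/byte a chunk is "not ciphertext"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def low_entropy_ratio(path: str) -> float:
    """Fraction of non-empty chunks in a file that look like plaintext."""
    low = seen = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if not any(chunk):      # all-zero chunk: unused space, skip it
                continue
            seen += 1
            low += entropy(chunk) < THRESHOLD   # short tail chunks also score low
    return low / seen if seen else 0.0

def scan_backup(target_dir: str, max_ratio: float = 0.05) -> dict:
    """Map relative path -> ratio for files with too many low-entropy chunks."""
    suspects = {}
    for root, _dirs, files in os.walk(target_dir):
        for name in files:
            path = os.path.join(root, name)
            if (ratio := low_entropy_ratio(path)) > max_ratio:
                suspects[os.path.relpath(path, target_dir)] = ratio
    return suspects

def build_sample(directory: str) -> None:
    """Constructed stand-ins: random bytes play the role of an encrypted tablespace."""
    files = {
        "encrypted.ibd": os.urandom(4 * CHUNK),
        "plain.ibd": b"1001,alice@example.com,4111-XXXX\n" * 2000,
        "backup-my.cnf": b"[mysqld]\ninnodb_page_size=16384\n",
    }
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)   # replace tmp with the real --target-dir to check a backup
        for rel, ratio in sorted(scan_backup(tmp).items()):
            print(f"{rel}: {ratio:.0%} of chunks look unencrypted")
```

Running it once after `--backup` and again after `--prepare` shows whether either step leaves low-entropy files behind; small encrypted files can be flagged falsely because short chunks cannot reach high entropy.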
