Mariabackup: Remove support for .xbcrypt files

cede2b6f · Marko Mäkelä · 7e22050e · cede2b6f · cede2b6f · 7e22050e
Commit cede2b6f authored May 26, 2017 by Marko Mäkelä
16 changed files
--- a/extra/mariabackup/backup_copy.cc
+++ b/extra/mariabackup/backup_copy.cc
@@ -1774,7 +1774,7 @@ copy_back()
 		const char *ext_list[] = {"backup-my.cnf", "xtrabackup_logfile",
 			"xtrabackup_binary", "xtrabackup_binlog_info",
 			"xtrabackup_checkpoints", ".qp", ".pmap", ".tmp",
-			".xbcrypt", NULL};
+			NULL};
 		const char *filename;
 		char c_tmp;
 		int i_tmp;
@@ -1807,7 +1807,7 @@ copy_back()
 		filename = base_name(node.filepath);
-		/* skip .qp and .xbcrypt files */
+		/* skip .qp files */
 		if (filename_matches(filename, ext_list)) {
 			continue;
 		}
@@ -1899,24 +1899,8 @@ decrypt_decompress_file(const char *filepath, uint thread_n)
 	cmd << IF_WIN("type ","cat ") << filepath;
- 	if (ends_with(filepath, ".xbcrypt") && opt_decrypt) {
- 		cmd << " | xbcrypt --decrypt --encrypt-algo="
- 		    << xtrabackup_encrypt_algo_names[opt_decrypt_algo];
- 		if (xtrabackup_encrypt_key) {
- 			cmd << " --encrypt-key=" << xtrabackup_encrypt_key;
- 		} else {
- 			cmd << " --encrypt-key-file="
- 			    << xtrabackup_encrypt_key_file;
- 		}
- 		dest_filepath[strlen(dest_filepath) - 8] = 0;
- 		message << "decrypting";
- 		needs_action = true;
- 	}
 	if (opt_decompress
- 	    && (ends_with(filepath, ".qp")
+ 	    && ends_with(filepath, ".qp")) {
-		|| (ends_with(filepath, ".qp.xbcrypt")
-		    && opt_decrypt))) {
 		cmd << " | qpress -dio ";
 		dest_filepath[strlen(dest_filepath) - 3] = 0;
 		if (needs_action) {
@@ -1967,8 +1951,7 @@ decrypt_decompress_thread_func(void *arg)
 			continue;
 		}
-		if (!ends_with(node.filepath, ".qp")
+		if (!ends_with(node.filepath, ".qp")) {
-		    && !ends_with(node.filepath, ".xbcrypt")) {
 			continue;
 		}

--- a/extra/mariabackup/backup_mysql.cc
+++ b/extra/mariabackup/backup_mysql.cc
@@ -1435,8 +1435,7 @@ write_xtrabackup_info(MYSQL *connection)
 		"partial = %s\n"
 		"incremental = %s\n"
 		"format = %s\n"
-		"compressed = %s\n"
+		"compressed = %s\n",
-		"encrypted = %s\n",
 		uuid, /* uuid */
 		opt_history ? opt_history : "",  /* name */
 		tool_name,  /* tool_name */
@@ -1454,8 +1453,7 @@ write_xtrabackup_info(MYSQL *connection)
 		is_partial? "Y" : "N",
 		xtrabackup_incremental ? "Y" : "N", /* incremental */
 		xb_stream_name[xtrabackup_stream_fmt], /* format */
-		xtrabackup_compress ? "compressed" : "N", /* compressed */
+		xtrabackup_compress ? "compressed" : "N"); /* compressed */
-		xtrabackup_encrypt ? "Y" : "N"); /* encrypted */
 	if (!opt_history) {
 		goto cleanup;
@@ -1481,8 +1479,7 @@ write_xtrabackup_info(MYSQL *connection)
 		"partial ENUM('Y', 'N') DEFAULT NULL,"
 		"incremental ENUM('Y', 'N') DEFAULT NULL,"
 		"format ENUM('file', 'tar', 'xbstream') DEFAULT NULL,"
-		"compressed ENUM('Y', 'N') DEFAULT NULL,"
+		"compressed ENUM('Y', 'N') DEFAULT NULL"
-		"encrypted ENUM('Y', 'N') DEFAULT NULL"
 		") CHARACTER SET utf8 ENGINE=innodb", false);
@@ -1492,8 +1489,8 @@ write_xtrabackup_info(MYSQL *connection)
 		<< "uuid, name, tool_name, tool_command, tool_version,"
 		<< "ibbackup_version, server_version, start_time, end_time,"
 		<< "lock_time, binlog_pos, innodb_from_lsn, innodb_to_lsn,"
-		<< "partial, incremental, format, compressed, "
+		<< "partial, incremental, format, compressed) "
-		<< "encrypted) values("
+		<< "values("
 		<< escape_and_quote(connection, uuid) << ","
 		<< escape_and_quote(connection, opt_history) << ","
 		<< escape_and_quote(connection, tool_name) << ","
@@ -1510,8 +1507,7 @@ write_xtrabackup_info(MYSQL *connection)
 		<< ESCAPE_BOOL(is_partial) << ","
 		<< ESCAPE_BOOL(xtrabackup_incremental)<< ","
 		<< escape_and_quote(connection,xb_stream_name[xtrabackup_stream_fmt]) <<","
-		<< ESCAPE_BOOL(xtrabackup_compress) << ","
+		<< ESCAPE_BOOL(xtrabackup_compress) << ")";
-		<< ESCAPE_BOOL(xtrabackup_encrypt) <<")";
 	xb_mysql_query(mysql_connection, oss.str().c_str(), false);
@@ -1577,14 +1573,6 @@ char *make_argv(char *buf, size_t len, int argc, char **argv)
 		if (strncmp(*argv, "--password", strlen("--password")) == 0) {
 			arg = "--password=...";
 		}
-		if (strncmp(*argv, "--encrypt-key",
-				strlen("--encrypt-key")) == 0) {
-			arg = "--encrypt-key=...";
-		}
-		if (strncmp(*argv, "--encrypt_key",
-				strlen("--encrypt_key")) == 0) {
-			arg = "--encrypt_key=...";
-		}
 		left-= ut_snprintf(buf + len - left, left,
 			"%s%c", arg, argc > 1 ? ' ' : 0);
 		++argv; --argc;

--- a/extra/mariabackup/ds_decrypt.c
+++ b/extra/mariabackup/ds_decrypt.c
--- a/extra/mariabackup/ds_decrypt.h
+++ b/extra/mariabackup/ds_decrypt.h
-/******************************************************
-Copyright (c) 2017 Percona LLC and/or its affiliates.
-Encryption interface for XtraBackup.
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; version 2 of the License.
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-*******************************************************/
-#ifndef DS_DECRYPT_H
-#define DS_DECRYPT_H
-#include "datasink.h"
-extern datasink_t	datasink_decrypt;
-extern int		ds_decrypt_encrypt_threads;
-#endif
--- a/extra/mariabackup/ds_encrypt.c
+++ b/extra/mariabackup/ds_encrypt.c
--- a/extra/mariabackup/ds_encrypt.h
+++ b/extra/mariabackup/ds_encrypt.h
-/******************************************************
-Copyright (c) 2013 Percona LLC and/or its affiliates.
-Encryption interface for XtraBackup.
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; version 2 of the License.
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-*******************************************************/
-#ifndef DS_ENCRYPT_H
-#define DS_ENCRYPT_H
-#include "datasink.h"
-#ifdef HAVE_GCRYPT
-extern datasink_t datasink_encrypt;
-#endif
-/* Encryption options */
-extern uint		ds_encrypt_encrypt_threads;
-extern ulonglong	ds_encrypt_encrypt_chunk_size;
-#endif
--- a/extra/mariabackup/innobackupex.cc
+++ b/extra/mariabackup/innobackupex.cc
@@ -101,8 +101,6 @@ char *opt_ibx_login_path = NULL;
 ulong opt_ibx_lock_wait_query_type;
 ulong opt_ibx_kill_long_query_type;
-ulong opt_ibx_decrypt_algo = 0;
 uint opt_ibx_kill_long_queries_timeout = 0;
 uint opt_ibx_lock_wait_timeout = 0;
 uint opt_ibx_lock_wait_threshold = 0;
@@ -110,7 +108,6 @@ uint opt_ibx_debug_sleep_before_unlock = 0;
 uint opt_ibx_safe_slave_backup_timeout = 0;
 const char *opt_ibx_history = NULL;
-bool opt_ibx_decrypt = false;
 char *opt_ibx_include = NULL;
 char *opt_ibx_databases = NULL;
@@ -124,11 +121,6 @@ my_bool ibx_xb_close_files;
 const char *ibx_xtrabackup_compress_alg;
 uint ibx_xtrabackup_compress_threads;
 ulonglong ibx_xtrabackup_compress_chunk_size;
-ulong ibx_xtrabackup_encrypt_algo;
-char *ibx_xtrabackup_encrypt_key;
-char *ibx_xtrabackup_encrypt_key_file;
-uint ibx_xtrabackup_encrypt_threads;
-ulonglong ibx_xtrabackup_encrypt_chunk_size;
 my_bool ibx_xtrabackup_export;
 char *ibx_xtrabackup_extra_lsndir;
 char *ibx_xtrabackup_incremental_basedir;
@@ -198,7 +190,6 @@ enum innobackupex_options
 	OPT_NO_VERSION_CHECK,
 	OPT_NO_BACKUP_LOCKS,
 	OPT_DATABASES,
-	OPT_DECRYPT,
 	OPT_DECOMPRESS,
 	/* options wich are passed directly to xtrabackup */
@@ -207,11 +198,6 @@ enum innobackupex_options
 	OPT_COMPRESS,
 	OPT_COMPRESS_THREADS,
 	OPT_COMPRESS_CHUNK_SIZE,
-	OPT_ENCRYPT,
-	OPT_ENCRYPT_KEY,
-	OPT_ENCRYPT_KEY_FILE,
-	OPT_ENCRYPT_THREADS,
-	OPT_ENCRYPT_CHUNK_SIZE,
 	OPT_EXPORT,
 	OPT_EXTRA_LSNDIR,
 	OPT_INCREMENTAL_BASEDIR,
@@ -427,12 +413,6 @@ static struct my_option ibx_long_options[] =
 	 (uchar*) &opt_ibx_incremental_history_uuid, 0, GET_STR,
 	 REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-	{"decrypt", OPT_DECRYPT, "Decrypts all files with the .xbcrypt "
-	 "extension in a backup previously made with --encrypt option.",
-	 &opt_ibx_decrypt_algo, &opt_ibx_decrypt_algo,
-	 &xtrabackup_encrypt_algo_typelib, GET_ENUM, REQUIRED_ARG,
-	 0, 0, 0, 0, 0, 0},
 	{"ftwrl-wait-query-type", OPT_LOCK_WAIT_QUERY_TYPE,
 	 "This option specifies which types of queries are allowed to complete "
 	 "before innobackupex will issue the global lock. Default is all.",
@@ -551,46 +531,6 @@ static struct my_option ibx_long_options[] =
 	 (uchar*) &ibx_xtrabackup_compress_chunk_size,
 	 0, GET_ULL, REQUIRED_ARG, (1 << 16), 1024, ULONGLONG_MAX, 0, 0, 0},
-	{"encrypt", OPT_ENCRYPT, "This option instructs xtrabackup to encrypt "
-	 "backup copies of InnoDB data files using the algorithm specified in "
-	 "the ENCRYPTION-ALGORITHM. It is passed directly to the xtrabackup "
-	 "child process. Try 'xtrabackup --help' for more details.",
-	 &ibx_xtrabackup_encrypt_algo, &ibx_xtrabackup_encrypt_algo,
-	 &xtrabackup_encrypt_algo_typelib, GET_ENUM, REQUIRED_ARG,
-	 0, 0, 0, 0, 0, 0},
-	{"encrypt-key", OPT_ENCRYPT_KEY, "This option instructs xtrabackup to "
-	 "use the given ENCRYPTION-KEY when using the --encrypt or --decrypt "
-	 "options. During backup it is passed directly to the xtrabackup child "
-	 "process. Try 'xtrabackup --help' for more details.",
-	 (uchar*) &ibx_xtrabackup_encrypt_key,
-	 (uchar*) &ibx_xtrabackup_encrypt_key, 0,
-	 GET_STR_ALLOC, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-	{"encrypt-key-file", OPT_ENCRYPT_KEY_FILE, "This option instructs "
-	 "xtrabackup to use the encryption key stored in the given "
-	 "ENCRYPTION-KEY-FILE when using the --encrypt or --decrypt options.",
-	 (uchar*) &ibx_xtrabackup_encrypt_key_file,
-	 (uchar*) &ibx_xtrabackup_encrypt_key_file, 0,
-	 GET_STR_ALLOC, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-	{"encrypt-threads", OPT_ENCRYPT_THREADS,
-	 "This option specifies the number of worker threads that will be used "
-	 "for parallel encryption. It is passed directly to the xtrabackup "
-	 "child process. Try 'xtrabackup --help' for more details.",
-	 (uchar*) &ibx_xtrabackup_encrypt_threads,
-	 (uchar*) &ibx_xtrabackup_encrypt_threads,
-	 0, GET_UINT, REQUIRED_ARG, 1, 1, UINT_MAX, 0, 0, 0},
-	{"encrypt-chunk-size", OPT_ENCRYPT_CHUNK_SIZE,
-	 "This option specifies the size of the internal working buffer for "
-	 "each encryption thread, measured in bytes. It is passed directly to "
-	 "the xtrabackup child process. Try 'xtrabackup --help' for more "
-	 "details.",
-	 (uchar*) &ibx_xtrabackup_encrypt_chunk_size,
-	 (uchar*) &ibx_xtrabackup_encrypt_chunk_size,
-	 0, GET_ULL, REQUIRED_ARG, (1 << 16), 1024, ULONGLONG_MAX, 0, 0, 0},
 	{"export", OPT_EXPORT, "This option is passed directly to xtrabackup's "
 	 "--export option. It enables exporting individual tables for import "
 	 "into another server. See the xtrabackup documentation for details.",
@@ -726,8 +666,6 @@ You can download full text of the license on http://www.gnu.org/licenses/gpl-2.0
 SYNOPOSIS\n\
 \n\
 innobackupex [--compress] [--compress-threads=NUMBER-OF-THREADS] [--compress-chunk-size=CHUNK-SIZE]\n\
-             [--encrypt=ENCRYPTION-ALGORITHM] [--encrypt-threads=NUMBER-OF-THREADS] [--encrypt-chunk-size=CHUNK-SIZE]\n\
-             [--encrypt-key=LITERAL-ENCRYPTION-KEY] | [--encryption-key-file=MY.KEY]\n\
             [--include=REGEXP] [--user=NAME]\n\
             [--password=WORD] [--port=PORT] [--socket=SOCKET]\n\
             [--no-timestamp] [--ibbackup=IBBACKUP-BINARY]\n\
@@ -751,8 +689,7 @@ innobackupex --copy-back [--defaults-file=MY.CNF] [--defaults-group=GROUP-NAME]
 \n\
 innobackupex --move-back [--defaults-file=MY.CNF] [--defaults-group=GROUP-NAME] BACKUP-DIR\n\
 \n\
-innobackupex [--decompress] [--decrypt=ENCRYPTION-ALGORITHM]\n\
+innobackupex [--decompress]\n\
-             [--encrypt-key=LITERAL-ENCRYPTION-KEY] | [--encryption-key-file=MY.KEY]\n\
             [--parallel=NUMBER-OF-FORKS] BACKUP-DIR\n\
 \n\
 DESCRIPTION\n\
@@ -789,15 +726,12 @@ it moves files to their original locations rather than copies them. As this\n\
 option removes backup files, it must be used with caution. It may be useful in\n\
 cases when there is not enough free disk space to copy files.\n\
 \n\
-The --decompress --decrypt command will decrypt and/or decompress a backup made\n\
+The --decompress command will decompress a backup made\n\
-with the --compress and/or --encrypt options. When decrypting, the encryption\n\
+with the --compress option. The\n\
-algorithm and key used when the backup was taken MUST be provided via the\n\
+--parallel option will allow multiple files to be decompressed\n\
-specified options. --decrypt and --decompress may be used together at the same\n\
-time to completely normalize a previously compressed and encrypted backup. The\n\
--parallel option will allow multiple files to be decrypted and/or decompressed\n\
 simultaneously. In order to decompress, the qpress utility MUST be installed\n\
 and accessable within the path. This process will remove the original\n\
-compressed/encrypted files and leave the results in the same location.\n\
+compressed files and leave the results in the same location.\n\
 \n\
 On success the exit code innobackupex is 0. A non-zero exit code \n\
 indicates an error.\n");
@@ -830,14 +764,6 @@ ibx_get_one_option(int optid,
 			opt_ibx_history = "";
 		}
 		break;
-	case OPT_DECRYPT:
-		if (argument == NULL) {
-			ibx_msg("Missing --decrypt argument, must specify a "
-				"valid encryption  algorithm.\n");
-			return(1);
-		}
-		opt_ibx_decrypt = true;
-		break;
 	case OPT_STREAM:
    if (!strcasecmp(argument, "xbstream"))
 			xtrabackup_stream_fmt = XB_STREAM_FMT_XBSTREAM;
@@ -857,15 +783,6 @@ ibx_get_one_option(int optid,
 		}
 		xtrabackup_compress = TRUE;
 		break;
-	case OPT_ENCRYPT:
-		if (argument == NULL)
-		{
-			msg("Missing --encrypt argument, must specify a "
-				"valid encryption algorithm.\n");
-			return 1;
-		}
-		xtrabackup_encrypt = TRUE;
-		break;
 	case 'p':
 		if (argument)
 		{
@@ -919,7 +836,7 @@ ibx_handle_options(int *argc, char ***argv)
 		ibx_mode = IBX_MODE_COPY_BACK;
 	} else if (opt_ibx_move_back) {
 		ibx_mode = IBX_MODE_MOVE_BACK;
-	} else if (opt_ibx_decrypt || opt_ibx_decompress) {
+	} else if (opt_ibx_decompress) {
 		ibx_mode = IBX_MODE_DECRYPT_DECOMPRESS;
 	} else {
 		ibx_mode = IBX_MODE_BACKUP;
@@ -997,8 +914,6 @@ ibx_init()
 	opt_lock_wait_query_type = opt_ibx_lock_wait_query_type;
 	opt_kill_long_query_type = opt_ibx_kill_long_query_type;
-	opt_decrypt_algo = opt_ibx_decrypt_algo;
 	opt_kill_long_queries_timeout = opt_ibx_kill_long_queries_timeout;
 	opt_lock_wait_timeout = opt_ibx_lock_wait_timeout;
 	opt_lock_wait_threshold = opt_ibx_lock_wait_threshold;
@@ -1006,18 +921,12 @@ ibx_init()
 	opt_safe_slave_backup_timeout = opt_ibx_safe_slave_backup_timeout;
 	opt_history = opt_ibx_history;
-	opt_decrypt = opt_ibx_decrypt;
 	/* setup xtrabackup options */
 	xb_close_files = ibx_xb_close_files;
 	xtrabackup_compress_alg = ibx_xtrabackup_compress_alg;
 	xtrabackup_compress_threads = ibx_xtrabackup_compress_threads;
 	xtrabackup_compress_chunk_size = ibx_xtrabackup_compress_chunk_size;
-	xtrabackup_encrypt_algo = ibx_xtrabackup_encrypt_algo;
-	xtrabackup_encrypt_key = ibx_xtrabackup_encrypt_key;
-	xtrabackup_encrypt_key_file = ibx_xtrabackup_encrypt_key_file;
-	xtrabackup_encrypt_threads = ibx_xtrabackup_encrypt_threads;
-	xtrabackup_encrypt_chunk_size = ibx_xtrabackup_encrypt_chunk_size;
 	xtrabackup_export = ibx_xtrabackup_export;
 	xtrabackup_extra_lsndir = ibx_xtrabackup_extra_lsndir;
 	xtrabackup_incremental_basedir = ibx_xtrabackup_incremental_basedir;
@@ -1098,7 +1007,7 @@ ibx_init()
 	case IBX_MODE_DECRYPT_DECOMPRESS:
 		xtrabackup_decrypt_decompress = TRUE;
 		xtrabackup_target_dir = ibx_position_arg;
-		run = "decrypt and decompress";
+		run = "decompress";
 		break;
 	default:
 		ut_error;

--- a/extra/mariabackup/xbcrypt.c
+++ b/extra/mariabackup/xbcrypt.c
--- a/extra/mariabackup/xbcrypt.h
+++ b/extra/mariabackup/xbcrypt.h
-/******************************************************
-Copyright (c) 2011 Percona LLC and/or its affiliates.
-Encryption interface for XtraBackup.
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; version 2 of the License.
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-*******************************************************/
-#ifndef XBCRYPT_H
-#define XBCRYPT_H
-#include <my_base.h>
-#include "common.h"
-#define XB_CRYPT_CHUNK_MAGIC1 "XBCRYP01"
-#define XB_CRYPT_CHUNK_MAGIC2 "XBCRYP02"
-#define XB_CRYPT_CHUNK_MAGIC3 "XBCRYP03" /* must be same size as ^^ */
-#define XB_CRYPT_CHUNK_MAGIC_CURRENT XB_CRYPT_CHUNK_MAGIC3
-#define XB_CRYPT_CHUNK_MAGIC_SIZE (sizeof(XB_CRYPT_CHUNK_MAGIC1)-1)
-#define XB_CRYPT_HASH GCRY_MD_SHA256
-#define XB_CRYPT_HASH_LEN 32
-/******************************************************************************
-Write interface */
-typedef struct xb_wcrypt_struct xb_wcrypt_t;
-/* Callback on write for i/o, must return # of bytes written or -1 on error */
-typedef ssize_t xb_crypt_write_callback(void *userdata,
-					const void *buf, size_t len);
-xb_wcrypt_t *xb_crypt_write_open(void *userdata,
-				 xb_crypt_write_callback *onwrite);
-/* Takes buffer, original length, encrypted length iv and iv length, formats
-   output buffer and calls write callback.
-   Returns 0 on success, 1 on error */
-int xb_crypt_write_chunk(xb_wcrypt_t *crypt, const void *buf, size_t olen,
-			 size_t elen, const void *iv, size_t ivlen);
-/* Returns 0 on success, 1 on error */
-int xb_crypt_write_close(xb_wcrypt_t *crypt);
-/******************************************************************************
-Read interface */
-typedef struct xb_rcrypt_struct xb_rcrypt_t;
-/* Callback on read for i/o, must return # of bytes read or -1 on error */
-typedef size_t xb_crypt_read_callback(void *userdata, void *buf, size_t len);
-xb_rcrypt_t *xb_crypt_read_open(void *userdata,
-				  xb_crypt_read_callback *onread);
-typedef enum {
-	XB_CRYPT_READ_CHUNK,
-	XB_CRYPT_READ_INCOMPLETE,
-	XB_CRYPT_READ_EOF,
-	XB_CRYPT_READ_ERROR
-} xb_rcrypt_result_t;
-xb_rcrypt_result_t xb_crypt_read_chunk(xb_rcrypt_t *crypt, void **buf,
-				       size_t *olen, size_t *elen, void **iv,
-				       size_t *ivlen, my_bool *hash_appended);
-int xb_crypt_read_close(xb_rcrypt_t *crypt);
-#endif
--- a/extra/mariabackup/xbcrypt_common.c
+++ b/extra/mariabackup/xbcrypt_common.c
-/******************************************************
-Copyright (c) 2013, 2017 Percona LLC and/or its affiliates.
-Encryption configuration file interface for XtraBackup.
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; version 2 of the License.
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-*******************************************************/
-#include <my_base.h>
-#include "common.h"
-#include "xbcrypt.h"
-#include "xbcrypt_common.h"
-/* Encryption options */
-char		*ds_encrypt_key = NULL;
-char		*ds_encrypt_key_file = NULL;
-ulong		ds_encrypt_algo;
-static uint	encrypt_key_len;
-static uint	encrypt_iv_len;
-static const uint encrypt_mode = GCRY_CIPHER_MODE_CTR;
-static uint encrypt_algos[] = { GCRY_CIPHER_NONE, GCRY_CIPHER_AES128,
-				GCRY_CIPHER_AES192, GCRY_CIPHER_AES256 };
-static uint encrypt_algo;
-#if !defined(GCRYPT_VERSION_NUMBER) || (GCRYPT_VERSION_NUMBER < 0x010600)
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-#endif
-my_bool
-xb_crypt_read_key_file(const char *filename, void** key, uint *keylength)
-{
-	FILE *fp;
-	if (!(fp = my_fopen(filename, O_RDONLY, MYF(0)))) {
-		msg("%s:%s: unable to open config file \"%s\", errno(%d)\n",
-			my_progname, __FUNCTION__, filename, my_errno);
-		return FALSE;
-	}
-	fseek(fp, 0 , SEEK_END);
-	*keylength = ftell(fp);
-	rewind(fp);
-	*key = my_malloc(*keylength, MYF(MY_FAE));
-	*keylength = fread(*key, 1, *keylength, fp);
-	my_fclose(fp, MYF(0));
-	return TRUE;
-}
-void
-xb_crypt_create_iv(void* ivbuf, size_t ivlen)
-{
-	gcry_create_nonce(ivbuf, ivlen);
-}
-gcry_error_t
-xb_crypt_init(uint *iv_len)
-{
-	gcry_error_t 		gcry_error;
-	/* Acording to gcrypt docs (and my testing), setting up the threading
-	   callbacks must be done first, so, lets give it a shot */
-#if !defined(GCRYPT_VERSION_NUMBER) || (GCRYPT_VERSION_NUMBER < 0x010600)
-	gcry_error = gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
-	if (gcry_error) {
-		msg("encryption: unable to set libgcrypt thread cbs - "
-		    "%s : %s\n",
-		    gcry_strsource(gcry_error),
-		    gcry_strerror(gcry_error));
-		return gcry_error;
-	}
-#endif
-	/* Version check should be the very next call because it
-	makes sure that important subsystems are intialized. */
-	if (!gcry_control(GCRYCTL_ANY_INITIALIZATION_P)) {
-		const char	*gcrypt_version;
-		gcrypt_version = gcry_check_version(NULL);
-		/* No other library has already initialized libgcrypt. */
-		if (!gcrypt_version) {
-			msg("encryption: failed to initialize libgcrypt\n");
-			return 1;
-		} else {
-			msg("encryption: using gcrypt %s\n", gcrypt_version);
-		}
-	}
-	/* Disable the gcry secure memory, not dealing with this for now */
-	gcry_error = gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
-	if (gcry_error) {
-		msg("encryption: unable to disable libgcrypt secmem - "
-		    "%s : %s\n",
-		    gcry_strsource(gcry_error),
-		    gcry_strerror(gcry_error));
-		return gcry_error;
-	}
-	/* Finalize gcry initialization. */
-	gcry_error = gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
-	if (gcry_error) {
-		msg("encryption: unable to finish libgcrypt initialization - "
-		    "%s : %s\n",
-		    gcry_strsource(gcry_error),
-		    gcry_strerror(gcry_error));
-		return gcry_error;
-	}
-	/* Determine the algorithm */
-	encrypt_algo = encrypt_algos[ds_encrypt_algo];
-	/* Set up the iv length */
-	encrypt_iv_len = gcry_cipher_get_algo_blklen(encrypt_algo);
-	xb_a(encrypt_iv_len > 0);
-	if (iv_len != NULL) {
-		*iv_len = encrypt_iv_len;
-	}
-	/* Now set up the key */
-	if (ds_encrypt_key == NULL &&
-	    ds_encrypt_key_file == NULL) {
-		msg("encryption: no encryption key or key file specified.\n");
-		return gcry_error;
-	} else if (ds_encrypt_key && ds_encrypt_key_file) {
-		msg("encryption: both encryption key and key file specified.\n");
-		return gcry_error;
-	} else if (ds_encrypt_key_file) {
-		if (!xb_crypt_read_key_file(ds_encrypt_key_file,
-					    (void**)&ds_encrypt_key,
-					    &encrypt_key_len)) {
-			msg("encryption: unable to read encryption key file"
-			    " \"%s\".\n", ds_encrypt_key_file);
-			return gcry_error;
-		}
-	} else if (ds_encrypt_key) {
-		encrypt_key_len = strlen(ds_encrypt_key);
-	} else {
-		msg("encryption: no encryption key or key file specified.\n");
-		return gcry_error;
-	}
-	return 0;
-}
-gcry_error_t
-xb_crypt_cipher_open(gcry_cipher_hd_t *cipher_handle)
-{
-	if (encrypt_algo != GCRY_CIPHER_NONE) {
-		gcry_error_t 		gcry_error;
-		gcry_error = gcry_cipher_open(cipher_handle,
-					      encrypt_algo,
-					      encrypt_mode, 0);
-		if (gcry_error) {
-			msg("encryption: unable to open libgcrypt"
-			    " cipher - %s : %s\n",
-			    gcry_strsource(gcry_error),
-			    gcry_strerror(gcry_error));
-			gcry_cipher_close(*cipher_handle);
-			return gcry_error;
-		}
-		gcry_error = gcry_cipher_setkey(*cipher_handle,
-						ds_encrypt_key,
-						encrypt_key_len);
-		if (gcry_error) {
-			msg("encryption: unable to set libgcrypt"
-			    " cipher key - %s : %s\n",
-			    gcry_strsource(gcry_error),
-			    gcry_strerror(gcry_error));
-			gcry_cipher_close(*cipher_handle);
-			return gcry_error;
-		}
-		return gcry_error;
-	}
-	return 0;
-}
-void
-xb_crypt_cipher_close(gcry_cipher_hd_t cipher_handle)
-{
-	if (encrypt_algo != GCRY_CIPHER_NONE)
-		gcry_cipher_close(cipher_handle);
-}
-gcry_error_t
-xb_crypt_decrypt(gcry_cipher_hd_t cipher_handle, const uchar *from,
-		 size_t from_len, uchar *to, size_t *to_len,
-		 const uchar *iv, size_t iv_len, my_bool hash_appended)
-{
-	*to_len = from_len;
-	if (encrypt_algo != GCRY_CIPHER_NONE) {
-		gcry_error_t	gcry_error;
-		gcry_error = gcry_cipher_reset(cipher_handle);
-		if (gcry_error) {
-			msg("%s:encryption: unable to reset libgcrypt"
-			    " cipher - %s : %s\n", my_progname,
-			    gcry_strsource(gcry_error),
-			    gcry_strerror(gcry_error));
-			return gcry_error;
-		}
-		if (iv_len > 0) {
-			gcry_error = gcry_cipher_setctr(cipher_handle,
-							iv, iv_len);
-		}
-		if (gcry_error) {
-			msg("%s:encryption: unable to set cipher iv - "
-			    "%s : %s\n", my_progname,
-			    gcry_strsource(gcry_error),
-			    gcry_strerror(gcry_error));
-			return gcry_error;
-		}
-		/* Try to decrypt it */
-		gcry_error = gcry_cipher_decrypt(cipher_handle, to, *to_len,
-						 from, from_len);
-		if (gcry_error) {
-			msg("%s:encryption: unable to decrypt chunk - "
-			    "%s : %s\n", my_progname,
-			    gcry_strsource(gcry_error),
-			    gcry_strerror(gcry_error));
-			gcry_cipher_close(cipher_handle);
-			return gcry_error;
-		}
-		if (hash_appended) {
-			uchar hash[XB_CRYPT_HASH_LEN];
-			*to_len -= XB_CRYPT_HASH_LEN;
-			/* ensure that XB_CRYPT_HASH_LEN is the correct length
-			of XB_CRYPT_HASH hashing algorithm output */
-			xb_ad(gcry_md_get_algo_dlen(XB_CRYPT_HASH) ==
-			      XB_CRYPT_HASH_LEN);
-			gcry_md_hash_buffer(XB_CRYPT_HASH, hash, to,
-					    *to_len);
-			if (memcmp(hash, (char *) to + *to_len,
-				   XB_CRYPT_HASH_LEN) != 0) {
-				msg("%s:%s invalid plaintext hash. "
-				    "Wrong encrytion key specified?\n",
-				    my_progname, __FUNCTION__);
-				return 1;
-			}
-		}
-	} else {
-		memcpy(to, from, *to_len);
-	}
-	return 0;
-}
-gcry_error_t
-xb_crypt_encrypt(gcry_cipher_hd_t cipher_handle, const uchar *from,
-		 size_t from_len, uchar *to, size_t *to_len, uchar *iv)
-{
-	gcry_error_t 		gcry_error;
-	/* ensure that XB_CRYPT_HASH_LEN is the correct length
-	of XB_CRYPT_HASH hashing algorithm output */
-	xb_ad(gcry_md_get_algo_dlen(XB_CRYPT_HASH) ==
-	      XB_CRYPT_HASH_LEN);
-	memcpy(to, from, from_len);
-	gcry_md_hash_buffer(XB_CRYPT_HASH, to + from_len,
-			    from, from_len);
-	*to_len = from_len;
-	if (encrypt_algo != GCRY_CIPHER_NONE) {
-		gcry_error = gcry_cipher_reset(cipher_handle);
-		if (gcry_error) {
-			msg("encrypt: unable to reset cipher - "
-			    "%s : %s\n",
-			    gcry_strsource(gcry_error),
-			    gcry_strerror(gcry_error));
-			return gcry_error;
-		}
-		xb_crypt_create_iv(iv, encrypt_iv_len);
-		gcry_error = gcry_cipher_setctr(cipher_handle, iv,
-						encrypt_iv_len);
-		if (gcry_error) {
-			msg("encrypt: unable to set cipher ctr - "
-			    "%s : %s\n",
-			    gcry_strsource(gcry_error),
-			    gcry_strerror(gcry_error));
-			return gcry_error;
-		}
-		gcry_error = gcry_cipher_encrypt(cipher_handle, to,
-						 *to_len + XB_CRYPT_HASH_LEN,
-						 to,
-						 from_len + XB_CRYPT_HASH_LEN);
-		if (gcry_error) {
-			msg("encrypt: unable to encrypt buffer - "
-			    "%s : %s\n", gcry_strsource(gcry_error),
-			    gcry_strerror(gcry_error));
-			return gcry_error;
-		}
-	} else {
-		memcpy(to, from, from_len + XB_CRYPT_HASH_LEN);
-	}
-	*to_len += XB_CRYPT_HASH_LEN;
-	return 0;
-}
-#endif
\ No newline at end of file
--- a/extra/mariabackup/xbcrypt_common.h
+++ b/extra/mariabackup/xbcrypt_common.h
-/******************************************************
-Copyright (c) 2017 Percona LLC and/or its affiliates.
-Encryption datasink implementation for XtraBackup.
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; version 2 of the License.
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-*******************************************************/
-#include <my_base.h>
-#if HAVE_GCRYPT
-#if GCC_VERSION >= 4002
-/* Workaround to avoid "gcry_ac_* is deprecated" warnings in gcrypt.h */
-#  pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-#endif
-#include <gcrypt.h>
-extern char		*ds_encrypt_key;
-extern char		*ds_encrypt_key_file;
-extern int		ds_encrypt_threads;
-extern ulong		ds_encrypt_algo;
-/******************************************************************************
-Utility interface */
-my_bool xb_crypt_read_key_file(const char *filename,
-			       void** key, uint *keylength);
-void xb_crypt_create_iv(void* ivbuf, size_t ivlen);
-/* Initialize gcrypt and setup encryption key and IV lengths */
-gcry_error_t
-xb_crypt_init(uint *iv_len);
-/* Setup gcrypt cipher */
-gcry_error_t
-xb_crypt_cipher_open(gcry_cipher_hd_t *cipher_handle);
-/* Close gcrypt cipher */
-void
-xb_crypt_cipher_close(gcry_cipher_hd_t cipher_handle);
-/* Decrypt buffer */
-gcry_error_t
-xb_crypt_decrypt(gcry_cipher_hd_t cipher_handle, const uchar *from,
-		 size_t from_len, uchar *to, size_t *to_len, const uchar *iv,
-		 size_t iv_len, my_bool hash_appended);
-/* Encrypt buffer */
-gcry_error_t
-xb_crypt_encrypt(gcry_cipher_hd_t cipher_handle, const uchar *from,
-  size_t from_len, uchar *to, size_t *to_len, uchar *iv);
-#endif
--- a/extra/mariabackup/xbcrypt_read.c
+++ b/extra/mariabackup/xbcrypt_read.c
-/******************************************************
-Copyright (c) 2013 Percona LLC and/or its affiliates.
-The xbcrypt format reader implementation.
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; version 2 of the License.
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-*******************************************************/
-#include "xbcrypt.h"
-#include "crc_glue.h"
-struct xb_rcrypt_struct {
-	void				*userdata;
-	xb_crypt_read_callback		*read;
-	void				*buffer;
-	size_t				bufsize;
-	void				*ivbuffer;
-	size_t				ivbufsize;
-	ulonglong			offset;
-};
-xb_rcrypt_t *
-xb_crypt_read_open(void *userdata, xb_crypt_read_callback *onread)
-{
-	xb_rcrypt_t	*crypt;
-	xb_ad(onread);
-	crypt = (xb_rcrypt_t *) my_malloc(sizeof(xb_rcrypt_t), MYF(MY_FAE));
-	crypt->userdata = userdata;
-	crypt->read = onread;
-	crypt->buffer = NULL;
-	crypt->bufsize = 0;
-	crypt->offset = 0;
-	crypt->ivbuffer = NULL;
-	crypt->ivbufsize = 0;
-	return crypt;
-}
-xb_rcrypt_result_t
-xb_crypt_read_chunk(xb_rcrypt_t *crypt, void **buf, size_t *olen, size_t *elen,
-		    void **iv, size_t *ivlen, my_bool *hash_appended)
-{
-	uchar		tmpbuf[XB_CRYPT_CHUNK_MAGIC_SIZE + 8 + 8 + 8 + 4];
-	uchar		*ptr;
-	ulonglong	tmp;
-	ulong		checksum, checksum_exp, version;
-	size_t		bytesread;
-	xb_rcrypt_result_t result = XB_CRYPT_READ_CHUNK;
-	if ((bytesread = crypt->read(crypt->userdata, tmpbuf, sizeof(tmpbuf)))
-	    != sizeof(tmpbuf)) {
-		if (bytesread == 0) {
-			result = XB_CRYPT_READ_EOF;
-			goto err;
-		} else {
-			msg("%s:%s: unable to read chunk header data at "
-			    "offset 0x%llx.\n",
-			    my_progname, __FUNCTION__, crypt->offset);
-			result =  XB_CRYPT_READ_ERROR;
-			goto err;
-		}
-	}
-	ptr = tmpbuf;
-	if (memcmp(ptr, XB_CRYPT_CHUNK_MAGIC3,
-		   XB_CRYPT_CHUNK_MAGIC_SIZE) == 0) {
-		version = 3;
-	} else if (memcmp(ptr, XB_CRYPT_CHUNK_MAGIC2,
-			  XB_CRYPT_CHUNK_MAGIC_SIZE) == 0) {
-		version = 2;
-	} else if (memcmp(ptr, XB_CRYPT_CHUNK_MAGIC1,
-			  XB_CRYPT_CHUNK_MAGIC_SIZE) == 0) {
-		version = 1;
-	} else {
-		msg("%s:%s: wrong chunk magic at offset 0x%llx.\n",
-		    my_progname, __FUNCTION__, crypt->offset);
-		result = XB_CRYPT_READ_ERROR;
-		goto err;
-	}
-	ptr += XB_CRYPT_CHUNK_MAGIC_SIZE;
-	crypt->offset += XB_CRYPT_CHUNK_MAGIC_SIZE;
-	tmp = uint8korr(ptr);	/* reserved */
-	ptr += 8;
-	crypt->offset += 8;
-	tmp = uint8korr(ptr);	/* original size */
-	ptr += 8;
-	if (tmp > INT_MAX) {
-		msg("%s:%s: invalid original size at offset 0x%llx.\n",
-		    my_progname, __FUNCTION__, crypt->offset);
-		result = XB_CRYPT_READ_ERROR;
-		goto err;
-	}
-	crypt->offset += 8;
-	*olen = (size_t)tmp;
-	tmp = uint8korr(ptr);	/* encrypted size */
-	ptr += 8;
-	if (tmp > INT_MAX) {
-		msg("%s:%s: invalid encrypted size at offset 0x%llx.\n",
-		    my_progname, __FUNCTION__, crypt->offset);
-		result = XB_CRYPT_READ_ERROR;
-		goto err;
-	}
-	crypt->offset += 8;
-	*elen = (size_t)tmp;
-	checksum_exp = uint4korr(ptr);	/* checksum */
-	ptr += 4;
-	crypt->offset += 4;
-	/* iv size */
-	if (version == 1) {
-		*ivlen = 0;
-		*iv = 0;
-	} else {
-		if ((bytesread = crypt->read(crypt->userdata, tmpbuf, 8))
-		    != 8) {
-			if (bytesread == 0) {
-				result = XB_CRYPT_READ_EOF;
-				goto err;
-			} else {
-				msg("%s:%s: unable to read chunk iv size at "
-				    "offset 0x%llx.\n",
-				    my_progname, __FUNCTION__, crypt->offset);
-				result =  XB_CRYPT_READ_ERROR;
-				goto err;
-			}
-		}
-		tmp = uint8korr(tmpbuf);
-		if (tmp > INT_MAX) {
-			msg("%s:%s: invalid iv size at offset 0x%llx.\n",
-			    my_progname, __FUNCTION__, crypt->offset);
-			result = XB_CRYPT_READ_ERROR;
-			goto err;
-		}
-		crypt->offset += 8;
-		*ivlen = (size_t)tmp;
-	}
-	if (*ivlen > crypt->ivbufsize) {
-		crypt->ivbuffer = my_realloc(crypt->ivbuffer, *ivlen,
-					     MYF(MY_WME | MY_ALLOW_ZERO_PTR));
-		if (crypt->ivbuffer == NULL) {
-			msg("%s:%s: failed to increase iv buffer to "
-			    "%llu bytes.\n", my_progname, __FUNCTION__,
-			    (ulonglong)*ivlen);
-			result = XB_CRYPT_READ_ERROR;
-			goto err;
-		}
-		crypt->ivbufsize = *ivlen;
-	}
-	if (*ivlen > 0) {
-		if (crypt->read(crypt->userdata, crypt->ivbuffer, *ivlen)
-		    != *ivlen) {
-			msg("%s:%s: failed to read %lld bytes for chunk iv "
-			    "at offset 0x%llx.\n", my_progname, __FUNCTION__,
-			    (ulonglong)*ivlen, crypt->offset);
-			result = XB_CRYPT_READ_ERROR;
-			goto err;
-		}
-		*iv = crypt->ivbuffer;
-	}
-	/* for version euqals 2 we need to read in the iv data but do not init
-	CTR with it */
-	if (version == 2) {
-		*ivlen = 0;
-		*iv = 0;
-	}
-	if (*olen > crypt->bufsize) {
-		crypt->buffer = my_realloc(crypt->buffer, *olen,
-					   MYF(MY_WME | MY_ALLOW_ZERO_PTR));
-		if (crypt->buffer == NULL) {
-			msg("%s:%s: failed to increase buffer to "
-			    "%llu bytes.\n", my_progname, __FUNCTION__,
-			    (ulonglong)*olen);
-			result = XB_CRYPT_READ_ERROR;
-			goto err;
-		}
-		crypt->bufsize = *olen;
-	}
-	if (*elen > 0) {
-		if (crypt->read(crypt->userdata, crypt->buffer, *elen)
-		    != *elen) {
-			msg("%s:%s: failed to read %lld bytes for chunk payload "
-			    "at offset 0x%llx.\n", my_progname, __FUNCTION__,
-			    (ulonglong)*elen, crypt->offset);
-			result = XB_CRYPT_READ_ERROR;
-			goto err;
-		}
-	}
-	checksum = crc32_iso3309(0, crypt->buffer, *elen);
-	if (checksum != checksum_exp) {
-		msg("%s:%s invalid checksum at offset 0x%llx, "
-		    "expected 0x%lx, actual 0x%lx.\n", my_progname, __FUNCTION__,
-		    crypt->offset, checksum_exp, checksum);
-		result = XB_CRYPT_READ_ERROR;
-		goto err;
-	}
-	crypt->offset += *elen;
-	*buf = crypt->buffer;
-	*hash_appended = version > 2;
-	goto exit;
-err:
-	*buf = NULL;
-	*olen = 0;
-	*elen = 0;
-	*ivlen = 0;
-	*iv = 0;
-exit:
-	return result;
-}
-int xb_crypt_read_close(xb_rcrypt_t *crypt)
-{
-	if (crypt->buffer)
-		my_free(crypt->buffer);
-	if (crypt->ivbuffer)
-		my_free(crypt->ivbuffer);
-	my_free(crypt);
-	return 0;
-}
--- a/extra/mariabackup/xbcrypt_write.c
+++ b/extra/mariabackup/xbcrypt_write.c
-/******************************************************
-Copyright (c) 2013 Percona LLC and/or its affiliates.
-The xbcrypt format writer implementation.
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; version 2 of the License.
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
-*******************************************************/
-#include "xbcrypt.h"
-#include "crc_glue.h"
-struct xb_wcrypt_struct {
-	void				*userdata;
-	xb_crypt_write_callback		*write;
-};
-xb_wcrypt_t *
-xb_crypt_write_open(void *userdata, xb_crypt_write_callback *onwrite)
-{
-	xb_wcrypt_t	*crypt;
-	xb_ad(onwrite);
-	crypt = (xb_wcrypt_t *) my_malloc(sizeof(xb_wcrypt_t), MYF(MY_FAE));
-	crypt->userdata = userdata;
-	crypt->write = onwrite;
-	return crypt;
-}
-int xb_crypt_write_chunk(xb_wcrypt_t *crypt, const void *buf, size_t olen,
-			 size_t elen, const void *iv, size_t ivlen)
-{
-	uchar		tmpbuf[XB_CRYPT_CHUNK_MAGIC_SIZE + 8 + 8 + 8 + 4 + 8];
-	uchar		*ptr;
-	ulong		checksum;
-	xb_ad(olen <= INT_MAX);
-	if (olen > INT_MAX)
-		return 0;
-	xb_ad(elen <= INT_MAX);
-	if (elen > INT_MAX)
-		return 0;
-	xb_ad(ivlen <= INT_MAX);
-	if (ivlen > INT_MAX)
-		return 0;
-	ptr = tmpbuf;
-	memcpy(ptr, XB_CRYPT_CHUNK_MAGIC_CURRENT, XB_CRYPT_CHUNK_MAGIC_SIZE);
-	ptr += XB_CRYPT_CHUNK_MAGIC_SIZE;
-	int8store(ptr, (ulonglong)0);	/* reserved */
-	ptr += 8;
-	int8store(ptr, (ulonglong)olen); /* original size */
-	ptr += 8;
-	int8store(ptr, (ulonglong)elen); /* encrypted (actual) size */
-	ptr += 8;
-	checksum = crc32_iso3309(0, buf, elen);
-	int4store(ptr, checksum);	/* checksum */
-	ptr += 4;
-	int8store(ptr, (ulonglong)ivlen); /* iv size */
-	ptr += 8;
-	xb_ad(ptr <= tmpbuf + sizeof(tmpbuf));
-	if (crypt->write(crypt->userdata, tmpbuf, ptr-tmpbuf) == -1)
-		return 1;
-	if (crypt->write(crypt->userdata, iv, ivlen) == -1)
-		return 1;
-	if (crypt->write(crypt->userdata, buf, elen) == -1)
-		return 1;
-	return 0;
-}
-int xb_crypt_write_close(xb_wcrypt_t *crypt)
-{
-	my_free(crypt);
-	return 0;
-}
--- a/extra/mariabackup/xbstream.c
+++ b/extra/mariabackup/xbstream.c
@@ -25,9 +25,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
 #include <my_pthread.h>
 #include "common.h"
 #include "xbstream.h"
-#include "xbcrypt_common.h"
 #include "datasink.h"
-#include "ds_decrypt.h"
 #include "crc_glue.h"
 #define XBSTREAM_VERSION "1.0"
@@ -41,33 +39,18 @@ typedef enum {
 	RUN_MODE_EXTRACT
 } run_mode_t;
-const char *xbstream_encrypt_algo_names[] =
-{ "NONE", "AES128", "AES192", "AES256", NullS};
-TYPELIB xbstream_encrypt_algo_typelib=
-{array_elements(xbstream_encrypt_algo_names)-1,"",
-	xbstream_encrypt_algo_names, NULL};
 /* Need the following definitions to avoid linking with ds_*.o and their link
 dependencies */
 datasink_t datasink_archive;
 datasink_t datasink_xbstream;
 datasink_t datasink_compress;
 datasink_t datasink_tmpfile;
-datasink_t datasink_encrypt;
 datasink_t datasink_buffer;
 static run_mode_t	opt_mode;
 static char *		opt_directory = NULL;
 static my_bool		opt_verbose = 0;
 static int		opt_parallel = 1;
-static ulong 		opt_encrypt_algo;
-static char 		*opt_encrypt_key_file = NULL;
-static void 		*opt_encrypt_key = NULL;
-static int		opt_encrypt_threads = 1;
-enum {
-	OPT_ENCRYPT_THREADS = 256
-};
 static struct my_option my_long_options[] =
 {
@@ -86,20 +69,6 @@ static struct my_option my_long_options[] =
 	{"parallel", 'p', "Number of worker threads for reading / writing.",
 	 &opt_parallel, &opt_parallel, 0, GET_INT, REQUIRED_ARG,
 	 1, 1, INT_MAX, 0, 0, 0},
-	{"decrypt", 'd', "Decrypt files ending with .xbcrypt.",
-	 &opt_encrypt_algo, &opt_encrypt_algo, &xbstream_encrypt_algo_typelib,
-	 GET_ENUM, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-	{"encrypt-key", 'k', "Encryption key.",
-	 &opt_encrypt_key, &opt_encrypt_key, 0,
-	 GET_STR_ALLOC, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-	{"encrypt-key-file", 'f', "File which contains encryption key.",
-	 &opt_encrypt_key_file, &opt_encrypt_key_file, 0,
-	 GET_STR_ALLOC, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-	{"encrypt-threads", OPT_ENCRYPT_THREADS,
-	 "Number of threads for parallel data encryption. "
-	 "The default value is 1.",
-	 &opt_encrypt_threads, &opt_encrypt_threads,
-	 0, GET_INT, REQUIRED_ARG, 1, 1, INT_MAX, 0, 0, 0},
 	{0, 0, 0, 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0}
 };
@@ -108,7 +77,6 @@ typedef struct {
 	HASH			*filehash;
 	xb_rstream_t		*stream;
 	ds_ctxt_t		*ds_ctxt;
-	ds_ctxt_t		*ds_decrypt_ctxt;
 	pthread_mutex_t		*mutex;
 } extract_ctxt_t;
@@ -348,19 +316,6 @@ mode_create(int argc, char **argv)
 	return 1;
 }
-/************************************************************************
-Check if string ends with given suffix.
-@return true if string ends with given suffix. */
-static
-my_bool
-ends_with(const char *str, const char *suffix)
-{
-	size_t suffix_len = strlen(suffix);
-	size_t str_len = strlen(str);
-	return(str_len >= suffix_len
-	       && strcmp(str + str_len - suffix_len, suffix) == 0);
-}
 static
 file_entry_t *
 file_entry_new(extract_ctxt_t *ctxt, const char *path, uint pathlen)
@@ -380,11 +335,8 @@ file_entry_new(extract_ctxt_t *ctxt, const char *path, uint pathlen)
 	}
 	entry->pathlen = pathlen;
-	if (ctxt->ds_decrypt_ctxt && ends_with(path, ".xbcrypt")) {
+	file = ds_open(ctxt->ds_ctxt, path, NULL);
-		file = ds_open(ctxt->ds_decrypt_ctxt, path, NULL);
-	} else {
-		file = ds_open(ctxt->ds_ctxt, path, NULL);
-	}
 	if (file == NULL) {
 		msg("%s: failed to create file.\n", my_progname);
 		goto err;
@@ -534,7 +486,6 @@ mode_extract(int n_threads, int argc __attribute__((unused)),
 	xb_rstream_t		*stream = NULL;
 	HASH			filehash;
 	ds_ctxt_t		*ds_ctxt = NULL;
-	ds_ctxt_t		*ds_decrypt_ctxt = NULL;
 	extract_ctxt_t		ctxt;
 	int			i;
 	pthread_t		*tids = NULL;
@@ -574,7 +525,6 @@ mode_extract(int n_threads, int argc __attribute__((unused)),
 	ctxt.stream = stream;
 	ctxt.filehash = &filehash;
 	ctxt.ds_ctxt = ds_ctxt;
-	ctxt.ds_decrypt_ctxt = ds_decrypt_ctxt;
 	ctxt.mutex = &mutex;
 	tids = malloc(sizeof(pthread_t) * n_threads);
@@ -604,9 +554,6 @@ mode_extract(int n_threads, int argc __attribute__((unused)),
 	if (ds_ctxt != NULL) {
 		ds_destroy(ds_ctxt);
 	}
- 	if (ds_decrypt_ctxt) {
- 		ds_destroy(ds_decrypt_ctxt);
- 	}
 	xb_stream_read_done(stream);
 	return ret;

--- a/extra/mariabackup/xtrabackup.cc
+++ b/extra/mariabackup/xtrabackup.cc
@@ -195,19 +195,6 @@ ibool xtrabackup_compress = FALSE;
 uint xtrabackup_compress_threads;
 ulonglong xtrabackup_compress_chunk_size = 0;
-const char *xtrabackup_encrypt_algo_names[] =
-{ "NONE", "AES128", "AES192", "AES256", NullS};
-TYPELIB xtrabackup_encrypt_algo_typelib=
-{array_elements(xtrabackup_encrypt_algo_names)-1,"",
-	xtrabackup_encrypt_algo_names, NULL};
-ibool xtrabackup_encrypt = FALSE;
-ulong xtrabackup_encrypt_algo;
-char *xtrabackup_encrypt_key = NULL;
-char *xtrabackup_encrypt_key_file = NULL;
-uint xtrabackup_encrypt_threads;
-ulonglong xtrabackup_encrypt_chunk_size = 0;
 /* sleep interval beetween log copy iterations in log copying thread
 in milliseconds (default is 1 second) */
 ulint xtrabackup_log_copy_interval = 1000;
@@ -366,8 +353,6 @@ TYPELIB query_type_typelib= {array_elements(query_type_names) - 1, "",
 ulong opt_lock_wait_query_type;
 ulong opt_kill_long_query_type;
-ulong opt_decrypt_algo = 0;
 uint opt_kill_long_queries_timeout = 0;
 uint opt_lock_wait_timeout = 0;
 uint opt_lock_wait_threshold = 0;
@@ -375,7 +360,6 @@ uint opt_debug_sleep_before_unlock = 0;
 uint opt_safe_slave_backup_timeout = 0;
 const char *opt_history = NULL;
-my_bool opt_decrypt = FALSE;
 #if defined(HAVE_OPENSSL)
 my_bool opt_ssl_verify_server_cert = FALSE;
@@ -501,11 +485,6 @@ enum options_xtrabackup
  OPT_XTRA_COMPRESS,
  OPT_XTRA_COMPRESS_THREADS,
  OPT_XTRA_COMPRESS_CHUNK_SIZE,
-  OPT_XTRA_ENCRYPT,
-  OPT_XTRA_ENCRYPT_KEY,
-  OPT_XTRA_ENCRYPT_KEY_FILE,
-  OPT_XTRA_ENCRYPT_THREADS,
-  OPT_XTRA_ENCRYPT_CHUNK_SIZE,
  OPT_LOG,
  OPT_INNODB,
  OPT_INNODB_CHECKSUMS,
@@ -576,7 +555,6 @@ enum options_xtrabackup
  OPT_DECOMPRESS,
  OPT_INCREMENTAL_HISTORY_NAME,
  OPT_INCREMENTAL_HISTORY_UUID,
-  OPT_DECRYPT,
  OPT_REMOVE_ORIGINAL,
  OPT_LOCK_WAIT_QUERY_TYPE,
  OPT_KILL_LONG_QUERY_TYPE,
@@ -699,29 +677,6 @@ struct my_option xb_client_options[] =
   (G_PTR*) &xtrabackup_compress_chunk_size, (G_PTR*) &xtrabackup_compress_chunk_size,
   0, GET_ULL, REQUIRED_ARG, (1 << 16), 1024, ULONGLONG_MAX, 0, 0, 0},
-  {"encrypt", OPT_XTRA_ENCRYPT, "Encrypt individual backup files using the "
-   "specified encryption algorithm.",
-   &xtrabackup_encrypt_algo, &xtrabackup_encrypt_algo,
-   &xtrabackup_encrypt_algo_typelib, GET_ENUM, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-  {"encrypt-key", OPT_XTRA_ENCRYPT_KEY, "Encryption key to use.",
-   (G_PTR*) &xtrabackup_encrypt_key, (G_PTR*) &xtrabackup_encrypt_key, 0,
-   GET_STR_ALLOC, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-  {"encrypt-key-file", OPT_XTRA_ENCRYPT_KEY_FILE, "File which contains encryption key to use.",
-   (G_PTR*) &xtrabackup_encrypt_key_file, (G_PTR*) &xtrabackup_encrypt_key_file, 0,
-   GET_STR_ALLOC, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-  {"encrypt-threads", OPT_XTRA_ENCRYPT_THREADS,
-   "Number of threads for parallel data encryption. The default value is 1.",
-   (G_PTR*) &xtrabackup_encrypt_threads, (G_PTR*) &xtrabackup_encrypt_threads,
-   0, GET_UINT, REQUIRED_ARG, 1, 1, UINT_MAX, 0, 0, 0},
-  {"encrypt-chunk-size", OPT_XTRA_ENCRYPT_CHUNK_SIZE,
-   "Size of working buffer(S) for encryption threads in bytes. The default value is 64K.",
-   (G_PTR*) &xtrabackup_encrypt_chunk_size, (G_PTR*) &xtrabackup_encrypt_chunk_size,
-   0, GET_ULL, REQUIRED_ARG, (1 << 16), 1024, ULONGLONG_MAX, 0, 0, 0},
  {"incremental-force-scan", OPT_XTRA_INCREMENTAL_FORCE_SCAN,
   "Perform a full-scan incremental backup even in the presence of changed "
   "page bitmap data",
@@ -892,18 +847,6 @@ struct my_option xb_client_options[] =
   (uchar*) &opt_incremental_history_uuid, 0, GET_STR,
   REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
-  {"decrypt", OPT_DECRYPT, "Decrypts all files with the .xbcrypt "
-   "extension in a backup previously made with --encrypt option.",
-   &opt_decrypt_algo, &opt_decrypt_algo,
-   &xtrabackup_encrypt_algo_typelib, GET_ENUM, REQUIRED_ARG,
-   0, 0, 0, 0, 0, 0},
-  {"remove-original", OPT_REMOVE_ORIGINAL, "Remove .qp and .xbcrypt files "
-   "after decryption and decompression.",
-   (uchar *) &opt_remove_original,
-   (uchar *) &opt_remove_original,
-   0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
  {"ftwrl-wait-query-type", OPT_LOCK_WAIT_QUERY_TYPE,
   "This option specifies which types of queries are allowed to complete "
   "before innobackupex will issue the global lock. Default is all.",
@@ -1421,24 +1364,6 @@ xb_get_one_option(int optid,
    }
    xtrabackup_compress = TRUE;
    break;
-  case OPT_XTRA_ENCRYPT:
-    if (argument == NULL)
-    {
-      msg("Missing --encrypt argument, must specify a valid encryption "
-          " algorithm.\n");
-      return 1;
-    }
-    xtrabackup_encrypt = TRUE;
-    break;
-  case OPT_DECRYPT:
-    if (argument == NULL) {
-      msg("Missing --decrypt argument, must specify a "
-          "valid encryption  algorithm.\n");
-      return(1);
-    }
-    opt_decrypt = TRUE;
-    xtrabackup_decrypt_decompress = true;
-    break;
  case OPT_DECOMPRESS:
    opt_decompress = TRUE;
    xtrabackup_decrypt_decompress = true;
@@ -2377,25 +2302,13 @@ xb_get_copy_action(const char *dflt)
 	if (xtrabackup_stream) {
 		if (xtrabackup_compress) {
-			if (xtrabackup_encrypt) {
+			action = "Compressing and streaming";
-				action = "Compressing, encrypting and streaming";
-			} else {
-				action = "Compressing and streaming";
-			}
-		} else if (xtrabackup_encrypt) {
-			action = "Encrypting and streaming";
 		} else {
 			action = "Streaming";
 		}
 	} else {
 		if (xtrabackup_compress) {
-			if (xtrabackup_encrypt) {
+			action = "Compressing";
-				action = "Compressing and encrypting";
-			} else {
-				action = "Compressing";
-			}
-		} else if (xtrabackup_encrypt) {
-			action = "Encrypting";
 		} else {
 			action = dflt;
 		}
@@ -3069,28 +2982,6 @@ xtrabackup_init_datasinks(void)
 		ds_redo = ds_meta = ds_data;
 	}
-	/* Encryption */
-	if (xtrabackup_encrypt) {
-		ds_ctxt_t	*ds;
-		ds = ds_create(xtrabackup_target_dir, DS_TYPE_ENCRYPT);
-		xtrabackup_add_datasink(ds);
-		ds_set_pipe(ds, ds_data);
-		if (ds_data != ds_meta) {
-			ds_data = ds;
-			ds = ds_create(xtrabackup_target_dir, DS_TYPE_ENCRYPT);
-			xtrabackup_add_datasink(ds);
-			ds_set_pipe(ds, ds_meta);
-			ds_redo = ds_meta = ds;
-		} else {
-			ds_redo = ds_data = ds_meta = ds;
-		}
-	}
 	/* Compression for ds_data and ds_redo */
 	if (xtrabackup_compress) {
 		ds_ctxt_t	*ds;
@@ -6726,8 +6617,6 @@ xb_init()
 	if (opt_decompress) {
 		mixed_options[n_mixed_options++] = "--decompress";
-	} else if (opt_decrypt) {
-		mixed_options[n_mixed_options++] = "--decrypt";
 	}
 	if (xtrabackup_copy_back) {

--- a/extra/mariabackup/xtrabackup.h
+++ b/extra/mariabackup/xtrabackup.h
@@ -81,7 +81,6 @@ extern char		*xtrabackup_tables_exclude;
 extern char		*xtrabackup_databases_exclude;
 extern ibool		xtrabackup_compress;
-extern ibool		xtrabackup_encrypt;
 extern my_bool		xtrabackup_backup;
 extern my_bool		xtrabackup_prepare;
@@ -92,15 +91,10 @@ extern my_bool		xtrabackup_decrypt_decompress;
 extern char		*innobase_data_file_path;
 extern char		*innobase_doublewrite_file;
-extern char		*xtrabackup_encrypt_key;
-extern char		*xtrabackup_encrypt_key_file;
 extern longlong		innobase_log_file_size;
 extern long		innobase_log_files_in_group;
 extern longlong		innobase_page_size;
-extern const char	*xtrabackup_encrypt_algo_names[];
-extern TYPELIB		xtrabackup_encrypt_algo_typelib;
 extern int		xtrabackup_parallel;
 extern my_bool		xb_close_files;
@@ -113,9 +107,6 @@ extern "C"{
 #ifdef __cplusplus
 }
 #endif
-extern ulong		xtrabackup_encrypt_algo;
-extern uint		xtrabackup_encrypt_threads;
-extern ulonglong	xtrabackup_encrypt_chunk_size;
 extern my_bool		xtrabackup_export;
 extern char		*xtrabackup_incremental_basedir;
 extern char		*xtrabackup_extra_lsndir;
@@ -158,8 +149,6 @@ extern TYPELIB		query_type_typelib;
 extern ulong		opt_lock_wait_query_type;
 extern ulong		opt_kill_long_query_type;
-extern ulong		opt_decrypt_algo;
 extern uint		opt_kill_long_queries_timeout;
 extern uint		opt_lock_wait_timeout;
 extern uint		opt_lock_wait_threshold;
@@ -167,7 +156,6 @@ extern uint		opt_debug_sleep_before_unlock;
 extern uint		opt_safe_slave_backup_timeout;
 extern const char	*opt_history;
-extern my_bool		opt_decrypt;
 enum binlog_info_enum { BINLOG_INFO_OFF, BINLOG_INFO_LOCKLESS, BINLOG_INFO_ON,
 			BINLOG_INFO_AUTO};