Encryption RMAN Backup
There are 2 configurable items related with RMAN encryption backup :
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
And there’s a snippet in Oracle Document:
- To create encrypted backups on disk, the database must use the Advanced Security Option.
- To create encrypted backups directly on tape, RMAN must use the Oracle Secure Backup SBT interface, but does not require the Advanced Security Option.
Here’s a test scenario of encryption RMAN backup sets on disk:
1) use Oracle Wallet Manager to store the encryption key
Add the following to sqlnet.ora on the host that you are backing up:
ENCRYPTION_WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)
)
)
2) create a wallet used by transparent data encryption
If no wallet exists in the default or specified locations, transparent data encryption creates a wallet when setting the master key for the first time. A wallet is not be created if the WALLET_LOCATION parameter in the sqlnet.ora file does not specify a valid path.
The password specified in the SQL command for setting the master key becomes the password to open the wallet.
SQL> alter system set encryption key identified by "SuperSecret"; System altered. [oracle@ottawa3 admin]$ ls -ltr /u01/app/oracle/admin/ORCL/wallet total 8 -rw-r--r-- 1 oracle oinstall 1573 Jan 11 14:51 ewallet.p12 set linesize 120 col wrl_parameter format a45 select * from v$encryption_wallet; WRL_TYPE WRL_PARAMETER STATUS -------------------- --------------------------------------------- ------------------ file /u01/app/oracle/admin/ORCL/wallet OPEN
In case of a DB bounce, wallet needs to be re-opened :
alter system set encryption wallet open identified by "SuperSecret";
3) configure RMAN to use encryption
CONFIGURE ENCRYPTION FOR DATABASE ON; CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # this is the default encryption algorithm, for other available algorithms refer to v$rman_encryption_algorithm
4) test encryption
First disable encryption backup, take a full backup of DB, insert some words into DB, take a in incremental backup, these words can be find by hexdump -C $backup_set_handle | grep … ;
Then enable encryption backup, insert some new words, search the new backup set handle by hexdump returns nothing this time :
backup incremental level 0 database; CONFIGURE ENCRYPTION FOR DATABASE OFF; insert into scott.dept (deptno, dname, loc) values (91, 'encryption','test1'); backup incremental level 1 CUMULATIVE database; [oracle@ottawa3]$ hexdump -C o1_mf_nnnd1_TAG20110113T180044_6lz10y13_.bkp | grep encryption 00023f30 02 c1 5c 0a 65 6e 63 72 79 70 74 69 6f 6e 05 74 |..\.encryption.t| CONFIGURE ENCRYPTION FOR DATABASE ON; insert into scott.dept (deptno, dname, loc) values (92, 'Superencryp','test2'); backup incremental level 1 CUMULATIVE database; [oracle@ottawa3]$ hexdump -C o1_mf_nnnd1_TAG20110113T181345_6lz1sbbb_.bkp | grep Superencryp [oracle@ottawa3]$
5) restore backup
Need to make sure wallet is open.
If restore to another server, need to copy wallet file, set ENCRYPTION_WALLET_LOCATION , and open wallet.
if you try to restore backup to a standby database, you will get following error when opening the wallet in mount mode: :
SQL> alter system set encryption key identified by "SuperSecret"; alter system set encryption key identified by "SuperSecret" * ERROR at line 1: ORA-28388: database is not open in read/write mode
6) when there’s a standby
if encryption RMAN backup is enabled on primary , MRP process on standby will stopped with error :
ORA-28365: wallet is not open
as per MOS note : Using Transparent Data Encryption In An Oracle Dataguard Config in 10gR2 [ID 389958.1] to make transparent data encryption work with physical standby, you need to
- copy wallet file manually
- specify ENCRYPTION_WALLET_LOCATION
- set the wallet in auto-login mode : orapki wallet create -wallet “wallet_location” -auto_login -pwd “……”
