Encryption RMAN Backup

Posted in: Technical Track

There are two configurable items related to RMAN backup encryption:

CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

And the Oracle documentation states:

  • To create encrypted backups on disk, the database must use the Advanced Security Option.
  • To create encrypted backups directly on tape, RMAN must use the Oracle Secure Backup SBT interface, but does not require the Advanced Security Option.

Here is a test scenario for encrypting RMAN backup sets on disk:

1) use Oracle Wallet Manager to store the encryption key

Add the following to sqlnet.ora on the host that you are backing up:

ENCRYPTION_WALLET_LOCATION =
(SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
        (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)
    )
)

2) create a wallet used by transparent data encryption

If no wallet exists in the default or specified location, transparent data encryption creates a wallet when the master key is set for the first time. A wallet is not created if the WALLET_LOCATION parameter in the sqlnet.ora file does not specify a valid path.
The password specified in the SQL command that sets the master key becomes the password used to open the wallet.

SQL> alter system set encryption key identified by "SuperSecret";

System altered.
[oracle@ottawa3 admin]$ ls -ltr /u01/app/oracle/admin/ORCL/wallet
total 8
-rw-r--r-- 1 oracle oinstall 1573 Jan 11 14:51 ewallet.p12

set linesize 120
col wrl_parameter format a45
select * from v$encryption_wallet;

WRL_TYPE             WRL_PARAMETER                                 STATUS
-------------------- --------------------------------------------- ------------------
file                 /u01/app/oracle/admin/ORCL/wallet             OPEN

After a database bounce, the wallet needs to be re-opened:

alter system set encryption wallet open identified by "SuperSecret";

3) configure RMAN to use encryption

CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # this is the default encryption algorithm, for other available algorithms refer to v$rman_encryption_algorithm

4) test encryption

First disable backup encryption, take a full backup of the database, insert some recognisable words into a table, and take an incremental backup; those words can then be found in the backup piece with hexdump -C $backup_set_handle | grep … .
Then enable backup encryption, insert some new words, and take another incremental backup; searching the new backup piece with hexdump returns nothing this time:

backup incremental level 0 database;

CONFIGURE ENCRYPTION FOR DATABASE OFF;
insert into scott.dept (deptno, dname, loc) values (91, 'encryption','test1');
backup incremental level 1 CUMULATIVE database;
[oracle@ottawa3]$ hexdump -C o1_mf_nnnd1_TAG20110113T180044_6lz10y13_.bkp | grep encryption
00023f30  02 c1 5c 0a 65 6e 63 72  79 70 74 69 6f 6e 05 74  |..\.encryption.t|

CONFIGURE ENCRYPTION FOR DATABASE ON;
insert into scott.dept (deptno, dname, loc) values (92, 'Superencryp','test2');
backup incremental level 1 CUMULATIVE database;
[oracle@ottawa3]$ hexdump -C o1_mf_nnnd1_TAG20110113T181345_6lz1sbbb_.bkp | grep Superencryp
[oracle@ottawa3]$
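The manual hexdump check above can be scripted so that every backup piece is audited for a known plaintext marker after encryption is enabled. This is an added example, not code from the original post; the file names, marker value and sample contents are constructed, and it also shows why a raw grep -a is more reliable than grepping hexdump output (hexdump -C prints 16 bytes per line, so a marker that straddles a line boundary is not matched).

```shell
#!/bin/sh
# Added example (not from the original post): audit RMAN backup pieces for a
# known plaintext marker. Names, marker and sample file contents are constructed.

# piece_leaks_marker FILE MARKER
# Searches the raw bytes of FILE for MARKER. Returns 0 if the marker is found
# in clear text (the piece leaks), 1 otherwise. -a treats the binary piece as
# text, -F matches the marker literally.
piece_leaks_marker() {
    grep -a -F -q -- "$2" "$1"
}

# hexdump_grep_finds FILE MARKER
# The same test the post runs by hand. Because hexdump -C prints 16 bytes per
# line, a marker that crosses a line boundary is split and this check misses it.
hexdump_grep_finds() {
    hexdump -C "$1" | grep -q -- "$2"
}

# audit_pieces MARKER FILE...
# Reports each piece and returns 0 only if no piece contains the marker.
audit_pieces() {
    marker=$1; shift
    leaks=0
    for piece in "$@"; do
        if piece_leaks_marker "$piece" "$marker"; then
            echo "LEAK  $piece: '$marker' visible in clear text"
            leaks=$((leaks + 1))
        else
            echo "clean $piece"
        fi
    done
    [ "$leaks" -eq 0 ]
}

# Demonstration on constructed files standing in for real *.bkp pieces.
demo_dir=$(mktemp -d)
# The marker starts at byte 10, so it straddles the first 16-byte hexdump line.
printf 'AAAAAAAAAAencryption\n' > "$demo_dir/plain_straddle.bkp"
# Arbitrary bytes with no marker, standing in for an encrypted piece.
printf '\003\221kQ9z\377\001wE\200\n' > "$demo_dir/ciphertext_like.bkp"
audit_pieces encryption "$demo_dir"/*.bkp || echo "at least one piece leaks"
```

Run it against the real backup pieces after enabling CONFIGURE ENCRYPTION FOR DATABASE ON; any piece reported as LEAK was written without encryption.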

5) restore backup

Make sure the wallet is open.
If you restore to another server, you need to copy the wallet file, set ENCRYPTION_WALLET_LOCATION, and open the wallet.
If you try to restore the backup to a standby database, you will get the following error when you try to open the wallet while the database is only mounted:

SQL> alter system set encryption key identified by "SuperSecret";
alter system set encryption key identified by "SuperSecret"
*
ERROR at line 1:
ORA-28388: database is not open in read/write mode

6) when there’s a standby

If encrypted RMAN backups are enabled on the primary, the MRP process on the standby will stop with the error:

ORA-28365: wallet is not open

As per the MOS note "Using Transparent Data Encryption In An Oracle Dataguard Config in 10gR2" [ID 389958.1], to make transparent data encryption work with a physical standby you need to:

  • copy wallet file manually
  • specify ENCRYPTION_WALLET_LOCATION
  • set the wallet to auto-login mode: orapki wallet create -wallet "wallet_location" -auto_login -pwd "……"


2 Comments

To use this feature, will I need a separate additional license for it?


As per the Oracle document: "To create encrypted backups on disk, the database must use the Advanced Security Option".
I am also interested to know if any free or low-cost solution exists to encrypt RMAN backups to disk, either on the fly or once the backup has completed.
Thanks,
Yogesh
