There are two configurable items related to RMAN backup encryption:

CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
And there is a snippet in the Oracle documentation:
- To create encrypted backups on disk, the database must use the Advanced Security Option.
- To create encrypted backups directly on tape, RMAN must use the Oracle Secure Backup SBT interface, but does not require the Advanced Security Option.
Here is a test scenario for encrypting RMAN backup sets on disk:
1) Use Oracle Wallet Manager to store the encryption key
Add the following to sqlnet.ora on the host that you are backing up:
ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet) ) )
2) Create a wallet used by transparent data encryption
If no wallet exists in the default or specified location, transparent data encryption creates a wallet when the master key is set for the first time. A wallet is not created if the WALLET_LOCATION parameter in the sqlnet.ora file does not specify a valid path.
The password specified in the SQL command for setting the master key becomes the password to open the wallet.
SQL> alter system set encryption key identified by "SuperSecret";

System altered.

$ ls -ltr /u01/app/oracle/admin/ORCL/wallet
total 8
-rw-r--r-- 1 oracle oinstall 1573 Jan 11 14:51 ewallet.p12

SQL> set linesize 120
SQL> col wrl_parameter format a45
SQL> select * from v$encryption_wallet;

WRL_TYPE             WRL_PARAMETER                                 STATUS
-------------------- --------------------------------------------- ------------------
file                 /u01/app/oracle/admin/ORCL/wallet             OPEN
After a database bounce, the wallet needs to be re-opened:
alter system set encryption wallet open identified by "SuperSecret";
3) Configure RMAN to use encryption

CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # this is the default algorithm; for the other available algorithms query v$rman_encryption_algorithm
4) Test encryption
First disable backup encryption, take a full backup of the database, insert some words into the database, and take an incremental backup; these words can be found with hexdump -C $backup_set_handle | grep … .
Then enable backup encryption, insert some new words, and take another incremental backup; searching the new backup piece with hexdump returns nothing this time:

backup incremental level 0 database;
CONFIGURE ENCRYPTION FOR DATABASE OFF;
insert into scott.dept (deptno, dname, loc) values (91, 'encryption','test1');
backup incremental level 1 CUMULATIVE database;

$ hexdump -C o1_mf_nnnd1_TAG20110113T180044_6lz10y13_.bkp | grep encryption
00023f30  02 c1 5c 0a 65 6e 63 72 79 70 74 69 6f 6e 05 74  |..\.encryption.t|

CONFIGURE ENCRYPTION FOR DATABASE ON;
insert into scott.dept (deptno, dname, loc) values (92, 'Superencryp','test2');
backup incremental level 1 CUMULATIVE database;

$ hexdump -C o1_mf_nnnd1_TAG20110113T181345_6lz1sbbb_.bkp | grep Superencryp
$
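The hexdump | grep check above is a one-liner; as an added example (not part of the original post), the following Python script generalises it into a reusable check for any backup piece: it streams the file for a known plaintext marker without missing matches that straddle a read boundary, and adds byte entropy as a second indicator of whether the piece is encrypted. The file names and contents it writes are constructed stand-ins, not real RMAN output.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB backup pieces stream


def marker_in_file(path, marker):
    """True if the marker bytes appear in cleartext anywhere in the file.
    The last len(marker)-1 bytes of each chunk are carried over so a match
    split across two reads is still detected."""
    tail = b""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""
    return False


def shannon_entropy(path):
    """Bits per byte, 0..8. Encrypted backup pieces sit close to 8."""
    counts, total = Counter(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            counts.update(chunk)
            total += len(chunk)
    return 0.0 if not total else -sum(
        c / total * math.log2(c / total) for c in counts.values())


def check_backup_piece(path, marker, min_entropy=7.5):
    leaked = marker_in_file(path, marker)
    ent = shannon_entropy(path)
    return {"marker_visible": leaked, "entropy": round(ent, 3),
            "looks_encrypted": not leaked and ent >= min_entropy}


def _deterministic_noise(n, seed=b"constructed-sample"):
    """Reproducible stand-in for ciphertext: a SHA-256 counter stream."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def run_demo(marker=b"Superencryp"):
    """Constructed stand-ins for the two pieces in step 4: one unencrypted
    (row data visible) and one 'encrypted' (noise). Returns both checks."""
    d = tempfile.mkdtemp()
    plain, enc = os.path.join(d, "plain.bkp"), os.path.join(d, "enc.bkp")
    row = b"\x02\xc1\x5c\x0adept 92 " + marker + b" test2\x00"
    with open(plain, "wb") as f:
        f.write(b"constructed-piece-header" + row * 3000)
    with open(enc, "wb") as f:
        f.write(_deterministic_noise(64 * 1024))
    return check_backup_piece(plain, marker), check_backup_piece(enc, marker)
```

Run check_backup_piece against a real piece with a marker you inserted before the backup; a visible marker or low entropy means the piece was written without encryption.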
5) Restore the backup
Make sure the wallet is open.
If restoring to another server, copy the wallet file, set ENCRYPTION_WALLET_LOCATION, and open the wallet.
If you try to restore the backup to a standby database, you will get the following error when opening the wallet in mount mode:

SQL> alter system set encryption key identified by "SuperSecret";
alter system set encryption key identified by "SuperSecret"
*
ERROR at line 1:
ORA-28388: database is not open in read/write mode
6) When there is a standby
If encrypted RMAN backups are enabled on the primary, the MRP process on the standby will stop with the error:
ORA-28365: wallet is not open
As per MOS note Using Transparent Data Encryption In An Oracle Dataguard Config in 10gR2 [ID 389958.1], to make transparent data encryption work with a physical standby you need to:
- copy wallet file manually
- specify ENCRYPTION_WALLET_LOCATION
- set the wallet to auto-login mode: orapki wallet create -wallet "wallet_location" -auto_login -pwd "……"
To use this feature, will I need a separate additional license for it?
As per the Oracle document, "To create encrypted backups on disk, the database must use the Advanced Security Option".
I am also interested to know if any free or low-cost solution exists to encrypt RMAN backups to disk, either on the fly or once the backup has completed.
Thanks,
Yogesh
Hi Yogesh
You can check out password-protected RMAN backups. A password is provided before running the backup, and while restoring, the same password will be needed to decrypt. It is one easy way to secure RMAN backups stored on disks like NFS shares.
Regards,
Maaz
It is very important to encrypt the backups, also against external attacks from viruses, and the RMAN backup is a kind of backup that helps test encryption and restore the backup in a properly secured way.