Oracle 11g encrypted backup


Oracle RMAN supports three backup encryption modes: transparent encryption, password encryption, and dual-mode encryption.



By default, backup encryption is turned off:
RMAN> show all;
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default


sys@OCP> SELECT ALGORITHM_ID,ALGORITHM_NAME FROM V$RMAN_ENCRYPTION_ALGORITHMS;


ALGORITHM_ID ALGORITHM_NAME
------------ ----------------------------------------------------------------
           1 AES128
           2 AES192
           3 AES256




1. Transparent encryption (tablespace TP1)
Transparent encryption is configured in RMAN with the CONFIGURE command. It is also called wallet encryption and is RMAN's default encryption method.
This method does not require a password and suits local backup and recovery; if the backup does not need to be restored on other machines, this is the recommended encryption method.
Because no password is required, you only need to configure the encryption/decryption credentials, that is, the Oracle Encryption Wallet.



(1) Enable transparent encryption; make sure the wallet is open
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;


new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored


RMAN> set encryption on;


executing command: SET encryption


(2) Run a backup; it fails with an error. (Note: the database wallet must be open.)


RMAN> backup as compressed backupset tablespace tp1;


Starting backup at 17-FEB-14
using channel ORA_DISK_1
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00006 name=/u01/app/oracle/oradata/ocm/tp1.dbf
channel ORA_DISK_1: starting piece 1 at 17-FEB-14
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 02/17/2014 12:28:11
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open




(3) Create a new directory and designate it as the wallet directory: /u01/app/oracle/admin/ocp/wallet


[oracle@mydb ocp]$ mkdir -p /u01/app/oracle/admin/ocp/wallet




The configuration of sqlnet.ora (not provided):
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ocp/wallet)))


(4) Start SQL*Plus and open the wallet (this covers creating the wallet, including its password and trust settings, and generating the wallet file).
First check the view V$ENCRYPTION_WALLET: the wallet is not open.
sys@OCP> col WRL_PARAMETER for a50
sys@OCP> SELECT * FROM V$ENCRYPTION_WALLET;


WRL_TYPE             WRL_PARAMETER                                      STATUS
-------------------- -------------------------------------------------- ------------------
file                 /u01/app/oracle/admin/ocp/wallet                   CLOSED


idle> alter system set wallet open identified by "guoyJoe";


System altered.




(5) A simple test
RMAN> backup as compressed backupset tablespace tp1;


Starting backup at 17-FEB-14
using channel ORA_DISK_1
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00006 name=/u01/app/oracle/oradata/ocm/tp1.dbf
channel ORA_DISK_1: starting piece 1 at 17-FEB-14
channel ORA_DISK_1: finished piece 1 at 17-FEB-14
piece handle=/u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1 tag=TAG20140217T134423 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:15
Finished backup at 17-FEB-14


Starting Control File and SPFILE Autobackup at 17-FEB-14
piece handle=/backup/c-2735927810-20140217-02 comment=NONE
Finished Control File and SPFILE Autobackup at 17-FEB-14


RMAN> shutdown immediate;


database closed
database dismounted
Oracle instance shut down


RMAN> startup mount;


connected to target database (not started)
Oracle instance started
database mounted


Total System Global Area 1006809088 bytes


Fixed Size 2233520 bytes
Variable Size 478153552 bytes
Database Buffers 419430400 bytes
Redo Buffers 106991616 bytes


RMAN> restore tablespace tp1;


Starting restore at 17-FEB-14
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=18 device type=DISK


channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/ocm/tp1.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 02/17/2014 13:45:32
ORA-19870: error while restoring backup piece /u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open


RMAN> sql 'alter system set wallet open identified by "guoyJoe"';


sql statement: alter system set wallet open identified by "guoyJoe"


RMAN> restore tablespace tp1;


Starting restore at 17-FEB-14
using channel ORA_DISK_1


channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/ocm/tp1.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1
channel ORA_DISK_1: piece handle=/u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1 tag=TAG20140217T134423
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:25
Finished restore at 17-FEB-14


RMAN> recover tablespace tp1;


Starting recover at 17-FEB-14
using channel ORA_DISK_1


starting media recovery
media recovery complete, elapsed time: 00:00:00


Finished recover at 17-FEB-14


RMAN> alter database open;


database opened
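
A check for step (3), added here as an example and not part of the original post: it reads the wallet directory out of sqlnet.ora (handling an entry split across two lines) and verifies that the directory exists and is closed to group and other. The function names and the owner-only policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the wallet directory named in sqlnet.ora.

# Print the DIRECTORY value of ENCRYPTION_WALLET_LOCATION. The entry may span
# several lines, so lines are joined and blanks removed before searching.
wallet_dir_from_sqlnet() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { gsub(/[ \t\r]/, ""); buf = buf $0 }    # join continuation lines
        END {
            up = toupper(buf)                    # parameter names are case-insensitive
            p = index(up, "ENCRYPTION_WALLET_LOCATION=")
            if (!p) exit 1
            rest = substr(buf, p); q = index(toupper(rest), "(DIRECTORY=")
            if (!q) exit 1
            rest = substr(rest, q + 11)          # text after "(DIRECTORY="
            print substr(rest, 1, index(rest, ")") - 1)
        }' "$1"
}

# Succeed only if the directory exists and grants nothing to group or other.
wallet_dir_is_private() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample: a two-line entry with the directory from step (3).
sample_sqlnet() { cat <<'EOF'
# sqlnet.ora
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ocp/wallet)
))
EOF
}

tmp=$(mktemp -d)
sample_sqlnet > "$tmp/sqlnet.ora"
dir=$(wallet_dir_from_sqlnet "$tmp/sqlnet.ora")
echo "configured wallet directory: $dir"
if wallet_dir_is_private "$dir"; then echo "permissions ok"
else echo "missing, or accessible to group/other: chmod 700 as the wallet owner"
fi
rm -rf "$tmp"
```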


2. Password encryption (tablespace TP1)


To enable password encryption for a specific backup, use the SET ENCRYPTION command, as shown below:


gyj@OCP> SELECT * FROM V$ENCRYPTION_WALLET;


WRL_TYPE             WRL_PARAMETER                                      STATUS
-------------------- -------------------------------------------------- ------------------
file                 /u01/app/oracle/admin/ocp/wallet                   CLOSED


RMAN> CONFIGURE ENCRYPTION FOR DATABASE off;


RMAN> show all;
CONFIGURE ENCRYPTION FOR DATABASE OFF;
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default




RMAN> shutdown immediate;


database closed
database dismounted
Oracle instance shut down


RMAN> startup mount;


connected to target database (not started)
Oracle instance started
database mounted


Total System Global Area 1006809088 bytes


Fixed Size 2233520 bytes
Variable Size 478153552 bytes
Database Buffers 419430400 bytes
Redo Buffers 106991616 bytes


RMAN> set encryption on identified by "guoyJoe123" only;


executing command: SET encryption


RMAN> backup as compressed backupset tablespace tp1;


Starting backup at 17-FEB-14
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=18 device type=DISK
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00006 name=/u01/app/oracle/oradata/ocm/tp1.dbf
channel ORA_DISK_1: starting piece 1 at 17-FEB-14
channel ORA_DISK_1: finished piece 1 at 17-FEB-14
piece handle=/u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1 tag=TAG20140217T183811 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:15
Finished backup at 17-FEB-14


Starting Control File and SPFILE Autobackup at 17-FEB-14
piece handle=/backup/c-2735927810-20140217-0a comment=NONE
Finished Control File and SPFILE Autobackup at 17-FEB-14


RMAN> alter database open;


database opened


RMAN> shutdown immediate;


database closed
database dismounted
Oracle instance shut down




--- Remove the data file of tablespace TP1
[oracle@mydb ocm]$ rm -rf tp1.dbf




RMAN> startup mount;


connected to target database (not started)
Oracle instance started
database mounted


Total System Global Area 1006809088 bytes


Fixed Size 2233520 bytes
Variable Size 478153552 bytes
Database Buffers 419430400 bytes
Redo Buffers 106991616 bytes


RMAN> restore tablespace tp1;


Starting restore at 17-FEB-14
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=18 device type=DISK


channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/ocm/tp1.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 02/17/2014 18:39:50
ORA-19870: error while restoring backup piece /u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open




RMAN> set decryption identified by "guoyJoe123";


executing command: SET decryption
using target database control file instead of recovery catalog


RMAN> restore tablespace tp1;


Starting restore at 17-FEB-14
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=1 device type=DISK


channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/ocm/tp1.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1
channel ORA_DISK_1: piece handle=/u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1 tag=TAG20140217T183811
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:25
Finished restore at 17-FEB-14


RMAN> recover tablespace tp1;


Starting recover at 17-FEB-14
using channel ORA_DISK_1


starting media recovery
media recovery complete, elapsed time: 00:00:00


Finished recover at 17-FEB-14


RMAN> alter database open;


database opened
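
The failed backup in step (2) and both failed restores above end in ORA-28365, so a backup job has to tell the cases apart from the accompanying ORA-19914 or ORA-19913. The following is an added example, not part of the original post, that classifies an RMAN log by those codes; the verdict names and the trimmed sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an RMAN log by the encryption errors seen on this page.

# Reads an RMAN log on stdin and prints "VERDICT: hint" on one line.
classify_rman_log() {
    awk '
        /ORA-19914/ { enc = 1 }       # unable to encrypt backup
        /ORA-19913/ { dec = 1 }       # unable to decrypt backup
        /ORA-28365/ { closed = 1 }    # wallet is not open
        /^RMAN-00569/ { err = 1 }     # error message stack banner
        END {
            if (enc && closed)
                print "BACKUP_FAILED: open the wallet, or use SET ENCRYPTION with ONLY for password mode"
            else if (dec && closed)
                print "RESTORE_FAILED: open the wallet, or SET DECRYPTION with the backup password"
            else if (enc || dec)
                print "ENCRYPTION_ERROR: read the rest of the ORA- stack"
            else if (err)
                print "OTHER_ERROR: failure unrelated to encryption"
            else
                print "OK: no error stack found"
        }'
}

# Constructed samples, trimmed from the sessions above.
sample_backup_fail() { cat <<'EOF'
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 02/17/2014 12:28:11
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open
EOF
}
sample_restore_fail() { cat <<'EOF'
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-03002: failure of restore command at 02/17/2014 18:39:50
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
EOF
}
sample_ok() { cat <<'EOF'
channel ORA_DISK_1: finished piece 1 at 17-FEB-14
Finished backup at 17-FEB-14
EOF
}

for s in sample_backup_fail sample_restore_fail sample_ok; do
    printf '%s -> %s\n' "$s" "$("$s" | classify_rman_log)"
done
```

The restore verdict names both remedies because the log alone does not say whether the piece was written in wallet mode or password mode.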




3. Dual-mode encryption
You can also use transparent encryption and password encryption together. This is useful if backups are normally restored and recovered on the same database but are sometimes restored on another database.
With both methods in effect, the backup can be restored using either the password or the database wallet. When restoring to a remote database, the password must be specified before the restore,
as shown below:
RMAN> set encryption on;


executing command: SET encryption


RMAN> set encryption identified by "guoyJoe12345";


executing command: SET encryption


RMAN>
To use only password-based encryption for the backup, add the ONLY clause to SET ENCRYPTION:


RMAN> set encryption identified by "guoyJoe12345" only;


executing command: SET encryption


As a result, even if ENCRYPTION is configured ON by default (and would therefore use the wallet encryption method),
all subsequent backups use only password encryption until you turn password encryption off or exit RMAN entirely.


Dual-mode encryption is simply a combination of the two methods shown above, so it is not tested further here.

Posted by Francis at May 25, 2014 - 9:39 AM