Wednesday, January 14, 2009

RMAN Backup Encryption

Summary

Oracle backups are necessary to ensure that data is not lost in the event of hardware failures. RMAN is the Oracle recommended way to back up Oracle databases. RMAN has significantly improved Oracle database backups through multi-threaded hot backups, compression, simplified recovery and more. However, backups are also a way the database data can be exposed. Oracle backups are not encrypted by default, so if a backup copy leaves your control it can be restored by whoever holds it. So how do you protect RMAN backups from being restored by unauthorized persons and exposing the data? The answer is encrypting the RMAN backups. RMAN backup encryption requires the use of the Advanced Security Option (ASO). The Advanced Security Option requires an additional license, so before using it check your Oracle license and ensure you are authorized to use the Advanced Security Option. Keep in mind that image copies and datafile copies cannot be encrypted; only backup sets can.

Oracle offers several flavors for encrypting the RMAN backups:

1. Transparent Encryption -> Requires the wallet on backup and recovery. (Do not lose the wallet!)

2. Password Only -> Requires the password on backup and recovery. (Do not lose the password!)

3. Dual (Password or Transparent Encryption) -> Can be backed up or restored using either the password or the wallet. This works well where the database is normally restored locally, where the wallet exists, but must also be restorable off site, where the wallet does not exist.

When restoring encrypted backups, Oracle RMAN always assumes transparent encryption using a wallet. Therefore during a restore operation: with transparent encryption, ensure the wallet is open; with password-only encryption, the password must be supplied with SET DECRYPTION; with dual encryption, either the wallet must be open or the password must be supplied.

Setup and Create a Wallet for TDE


1. Set the encryption wallet location in the sqlnet.ora file on the database server.
Unix server sqlnet.ora:
ENCRYPTION_WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY= /cnd7bsw/oracle/network/admin/encrypt)
)
)
WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY= /cnd7bsw/oracle/network/admin/authent)
)
)
SQLNET.WALLET_OVERRIDE = TRUE
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 0

2. Create the wallet
o Ensure the oracle account running the database has permissions on the encryption wallet directory defined in the sqlnet.ora file, or ORA-28368: cannot auto-create wallet will be raised.
o sqlplus "/ AS SYSDBA"
o SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "mypass" ;

Opening and Closing the Wallet

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password" ;
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE ;

Encrypting the RMAN Backup

1. Check the available algorithms for encryption.
SELECT * FROM v$rman_encryption_algorithms ORDER BY algorithm_name ;

ALGORITHM_ID  ALGORITHM_NAME  ALGORITHM_DESCRIPTION  IS_DEFAULT  RESTORE_ONLY
------------  --------------  ---------------------  ----------  ------------
           1  AES128          AES 128-bit key        YES         NO
           2  AES192          AES 192-bit key        NO          NO
           3  AES256          AES 256-bit key        NO          NO


2. Set the Backup Encryption Type via RMAN

Connect to the target database and RMAN catalog database if being used. Within RMAN set the encryption type via an RMAN configure command. This setting will be stored within the database control file and the RMAN catalog if one is being used.

RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES192';


3. Configure the encryption for the backup

Transparent Backup Encryption (Requires Wallet)
CONFIGURE ENCRYPTION FOR DATABASE ON ;

Turn Encryption off

CONFIGURE ENCRYPTION FOR DATABASE OFF ;

Password Only Encryption

SET ENCRYPTION ON IDENTIFIED BY password ONLY ;

Dual Password/Transparent Encryption

SET ENCRYPTION ON IDENTIFIED BY password ;


4. Execute the backup

Database Backup Encrypted using Transparent Encryption (the wallet must be open)

RMAN> RUN {

# Set the RMAN Encryption
CONFIGURE ENCRYPTION FOR DATABASE ON ;

# Backup the database
BACKUP DATABASE ;
}

Database Backup Encrypted using Password Encryption Only

RMAN> RUN {
# Set password Encryption
SET ENCRYPTION ON IDENTIFIED BY password ONLY ;

# Backup the database
BACKUP DATABASE ;
}


Database Backup Encrypted using Password Encryption or Wallet Encryption

RMAN> RUN {
# Set password Encryption
SET ENCRYPTION ON IDENTIFIED BY password ;

# Backup the database
BACKUP DATABASE ;
}


Tablespace Backup Encryption

RMAN> RUN {
# First, clear the current RMAN encryption settings ...
CONFIGURE ENCRYPTION FOR DATABASE OFF ;

# ... then activate encryption for specific tablespaces
CONFIGURE ENCRYPTION FOR TABLESPACE example ON;
CONFIGURE ENCRYPTION FOR TABLESPACE tbs_encrypted ON;

BACKUP TABLESPACE example, tbs_encrypted;
}


Restore Encrypted RMAN Backup

Transparent Encryption Restore


RMAN> RUN {
RESTORE DATABASE ;
RECOVER DATABASE ;
}


Password Encryption Restore

RMAN> RUN {
SET DECRYPTION IDENTIFIED BY password ;
RESTORE DATABASE ;
RECOVER DATABASE ;
}
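The dual-mode case described above, written out end to end as one RMAN script: an encrypted backup taken where the wallet is open, then restored off site where no wallet exists. This is an added example, not the post's own code; the wallet password wallet_pw, backup password backup_pw and tag DUAL_ENC are assumed placeholders, and the V$BACKUP_PIECE check is left as a SQL*Plus comment because RMAN's SQL command does not display SELECT output.

```rman
# Added example (not from the original post). Placeholders: wallet_pw,
# backup_pw, DUAL_ENC.

# ---- On the primary server, where the wallet exists ----
# Open the wallet from RMAN; the double quotes nest inside RMAN's single quotes.
SQL 'ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pw"';

# Persist the algorithm in the control file (and the catalog, if one is used).
CONFIGURE ENCRYPTION ALGORITHM 'AES256';

RUN {
  # Dual mode: no ONLY keyword, so the piece can be decrypted with either the
  # wallet master key or the password. SET is session scoped, unlike CONFIGURE.
  SET ENCRYPTION ON IDENTIFIED BY backup_pw;

  # AS BACKUPSET is explicit because image copies cannot be encrypted, even if
  # the disk device type has been configured to BACKUP TYPE TO COPY.
  BACKUP AS BACKUPSET DATABASE TAG 'DUAL_ENC';
}

# Before shipping the pieces off site, confirm they were written encrypted.
# Run this from SQL*Plus, not RMAN (ENCRYPTED is YES for encrypted pieces):
#   SELECT handle, encrypted FROM v$backup_piece WHERE tag = 'DUAL_ENC';

# ---- On the off-site server, where no wallet exists ----
# RMAN assumes transparent decryption by default, so without SET DECRYPTION
# the restore of these pieces fails. Supply the backup password instead.
RUN {
  SET DECRYPTION IDENTIFIED BY backup_pw;

  # Dry run: reads and decrypts every piece without writing any datafile,
  # which proves the password is right before the real restore starts.
  RESTORE DATABASE VALIDATE;

  RESTORE DATABASE;
  RECOVER DATABASE;
}
```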
