oracle backup encryption
Oracle supports encrypting RMAN backup sets. The encryption can be wallet-based transparent encryption, password-based encryption, or both at once (dual mode).
CONFIGURE ENCRYPTION sets the persistent default encryption mode for the database; SET ENCRYPTION sets the mode, including password-based encryption, for the current RMAN session only.
In general, wallet-based encryption is more secure than password-based encryption, because no password has to be handled anywhere in the wallet-based process. When a backup has to be transported and restored on a different host, which does not have the source database's wallet, use password-based encryption (or dual mode, which accepts either the wallet or the password).
## Compiled from the official documentation: http://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#ASOAG10142
Some concept descriptions from the official documentation:
About Backup Encryption
The V$RMAN_ENCRYPTION_ALGORITHMS view contains a list of encryption algorithms supported by RMAN. If no encryption algorithm is specified, then the default encryption algorithm is 128-bit Advanced Encryption Standard (AES). RMAN encryption requires the COMPATIBLE initialization parameter at a target database to be at least 10.2.0.
RMAN offers the following encryption modes:
- Transparent Encryption of Backups: This is the default mode and uses the Oracle wallet. A wallet is a password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL.
- Password Encryption of Backups: This mode uses only password protection. You must provide a password when creating and restoring encrypted backups.
- Dual Mode Encryption of Backups: This mode requires either the wallet or a password. # both transparent encryption and password encryption are applied; either one is enough to decrypt
Note:
Wallet-based encryption is more secure than password-based encryption because no passwords are involved. You should use password-based encryption only when it is absolutely necessary because your backups must be transportable. Encrypted backups are decrypted automatically during restore and recovery, if the required decryption keys are available. Each backup set gets a separate key. The key is stored in encrypted form in the backup piece. The backup is decrypted with keys obtained with a user-supplied password or the Oracle wallet.
# Encrypted backups are decrypted automatically on restore. Each backup set has its own key; that key is stored in encrypted (wrapped) form inside the backup piece, and is unwrapped with either the password or the wallet master key.
To create encrypted backups on disk with RMAN, the database must use the Advanced Security Option. The Oracle Secure Backup SBT is the only supported interface for making encrypted RMAN backups directly to tape. RMAN issues an ORA-19916 error if you attempt to create encrypted RMAN backups using an SBT library other than Oracle Secure Backup. The Advanced Security Option is not required when making encrypted backups using the Oracle Secure Backup SBT.
# Creating encrypted backups on disk requires the Advanced Security Option. Creating encrypted backups on tape requires the Oracle Secure Backup SBT (any other SBT library fails with ORA-19916), and in that case the Advanced Security Option is not required.
When you use the BACKUP BACKUPSET command with encrypted backup sets, the backup sets are backed up in encrypted form. Because BACKUP BACKUPSET copies an encrypted backup set to disk or tape, no decryption key is needed during BACKUP BACKUPSET. The data is never decrypted during any part of the operation. The BACKUP BACKUPSET command can neither encrypt nor decrypt backup sets.
# BACKUP BACKUPSET itself applies no encryption and no decryption: it copies the pieces as they are, so an encrypted set stays encrypted and a plaintext set stays plaintext, and neither the wallet nor a password is needed for the copy.
Transparent Encryption of Backups
When you use transparent encryption, you must first configure an Oracle wallet for each database, as described in Oracle Database Advanced Security Administrator's Guide. Transparent backup encryption supports both the encrypted and autologin forms of the Oracle wallet. When you use the Oracle wallet, the wallet must be opened before you can perform backup encryption. When you use the autologin wallet, encrypted backup operations can be done at any time, because the autologin wallet is always open.
# Before using transparent encryption, an Oracle wallet must be configured, and the wallet must be open before the encrypted backup runs (an auto-login wallet is always open, so no explicit OPEN is needed for it).
Password Encryption of Backups
Password encryption requires that the DBA provide a password when creating and restoring encrypted backups. Restoring a password-encrypted backup requires the same password that was used to create the backup.
# With password encryption the password is supplied when the backup is created and the same password at restore time. No prior setup is needed: just supply the password when running the encrypted backup.
Configuring the encryption mode for RMAN
Encryption can be configured at the database level with CONFIGURE and at the RMAN session level with SET. A SET setting overrides the mode stored with CONFIGURE for the duration of the session.
CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION FOR DATABASE OFF;
SET ENCRYPTION ON;
SET ENCRYPTION OFF;
Configuring the encryption algorithm
You can use the CONFIGURE command to persistently configure the default algorithm to use for encryption when writing backup sets. Possible values are listed in V$RMAN_ENCRYPTION_ALGORITHMS. The default algorithm is AES 128-bit.
To configure the default backup encryption algorithm:
- Start RMAN and connect to a target database and a recovery catalog (if used).
- Ensure that the target database is mounted or open.
- Execute the CONFIGURE ENCRYPTION ALGORITHM command, specifying a valid value from V$RMAN_ENCRYPTION_ALGORITHMS.ALGORITHM_NAME. The following example configures the algorithm to AES 256-bit encryption:
CONFIGURE ENCRYPTION ALGORITHM TO 'AES256';
Enabling Transparent Data Encryption (TDE)
TDE column encryption was first introduced in Oracle Database 10g release 2 (10.2). To use this feature, you must be running Oracle Database 10g release 2 (10.2) or higher.
TDE tablespace encryption was introduced in Oracle Database 11g release 1 (11.1). To use this feature, you must be running Oracle Database 11g release 1 (11.1) or higher.
To start using TDE, the security administrator must create a wallet and set a master key. The wallet can be the default database wallet shared with other Oracle Database components, or a separate wallet specifically used by TDE. Oracle strongly recommends that you use a separate wallet to store the master encryption key.
Specifying a Wallet Location for Transparent Data Encryption
If you wish to use a wallet specifically for TDE, then you must specify a wallet location in the sqlnet.ora file by using the ENCRYPTION_WALLET_LOCATION parameter. Oracle recommends that you use the ENCRYPTION_WALLET_LOCATION parameter to specify a wallet location for TDE.
See Also: "Sample sqlnet.ora File" for an example of the syntax used to set this parameter
# 1. Create a wallet directory, /etc/ORACLE/WALLETS/oracle
# 2. Then add the directory path to sqlnet.ora:
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /etc/ORACLE/WALLETS/oracle)))
Setting the Master Encryption Key
Before you can encrypt or decrypt database columns or tablespaces, you must generate a master encryption key. Oracle Database 11g Release 2 (11.2) uses the same master encryption key for both TDE column encryption and TDE tablespace encryption.
To set the master encryption key, use the following command:
# 3. Set the master key
SQL> ALTER SYSTEM SET ENCRYPTION KEY ["certificate_ID"] IDENTIFIED BY "password"
# Opening and closing the encryption wallet
Opening and Closing the Encrypted Wallet
The database must load the master encryption key into memory before it can encrypt or decrypt columns/tablespaces. Opening the wallet allows the database to access the master encryption key. Use the following ALTER SYSTEM command to explicitly open the wallet:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password"
Using Wallets with Automatic Login Enabled
The external security module can use wallets with the automatic login feature enabled. These wallets remain open all of the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet.
You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another computer. They must be used on the host on which they are created.
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE   # No password is required to close an auto-login wallet.
Password encryption: at restore time the password must be supplied to the RMAN session:
SET DECRYPTION IDENTIFIED BY password;
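The wallet, CONFIGURE and SET steps above, combined into one RMAN script that produces a backup in each of the three modes. This is an added example written for this page, not the author's transcript and not Oracle sample code. It assumes a password-protected wallet has already been created at the ENCRYPTION_WALLET_LOCATION path, a tablespace named USERS, and that the wallet password, passphrases and tags are placeholders.

```rman
# Added example, not from the original post. Assumptions: wallet already
# created at the ENCRYPTION_WALLET_LOCATION path, tablespace USERS exists,
# all passwords and tags are placeholders.
# Run as:  rman target / @encrypted_backup.rman
# Keep this file mode 0600: the password-mode passphrase is in clear text here.

# 1. Transparent mode needs the wallet open (not needed with an auto-login
#    wallet). With it closed, BACKUP fails with the same ORA-28365 that the
#    restore transcripts further down show.
sql 'alter system set encryption wallet open identified by "WalletPassword"';

# 2. Persistent defaults, stored in the control file (and catalog if used):
#    encrypt every backup of this database, AES256 instead of the AES128 default.
CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM TO 'AES256';
SHOW ALL;

# 3. Transparent (wallet-only) backup: restorable only where this wallet exists.
BACKUP TABLESPACE users TAG 'users_tde';

# 4. Dual mode: a password is given, ONLY is omitted, and a wallet is open.
#    The set can be restored with EITHER the wallet or the password, so it can
#    be shipped to another host while local restores still need no password.
SET ENCRYPTION ON IDENTIFIED BY 'Transport-Passphrase-2013';
BACKUP TABLESPACE users TAG 'users_dual';

# 5. Password-only mode: ONLY tells RMAN to ignore the wallet. This session
#    setting overrides the CONFIGURE ... ON default until SET ENCRYPTION is
#    changed again or the session ends.
SET ENCRYPTION ON IDENTIFIED BY 'Transport-Passphrase-2013' ONLY;
BACKUP TABLESPACE users TAG 'users_pwd';
```

Two things the transcripts on this page do not make explicit: the ONLY keyword is what makes a backup password-only; without it, and with a wallet open, the result is dual mode. And because CONFIGURE ENCRYPTION FOR DATABASE ON is persistent, every later backup of this database, scheduled ones included, needs the wallet open or auto-login, otherwise it fails with ORA-28365.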
# Some tests of encrypted backup and restore
Encrypted backups can be enabled in any of the following ways:
1) RMAN> set encryption on identified by 'password' only;   (password-only; the wallet is ignored)
2) RMAN> set encryption on identified by 'password';        (dual mode when a wallet is available, otherwise password-only)
3) RMAN> configure encryption for database on;              (transparent mode, persistent)
4) RMAN> set encryption on;                                 (transparent mode, this session only)
# Transparent Data Encryption test
SQL> alter system set encryption wallet open identified by oracle;
System altered.

RMAN> configure encryption for database on;
new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored

RMAN> backup tablespace users05;
Starting backup at 09-NOV-13
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00009 name=/u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: starting piece 1 at 09-NOV-13
channel ORA_DISK_1: finished piece 1 at 09-NOV-13
piece handle=/u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp tag=TAG20131109T224327 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:02
Finished backup at 09-NOV-13

# To see the effect at restore time, close the encryption wallet
RMAN> sql 'alter system set encryption wallet close identified by oracle';
sql statement: alter system set encryption wallet close identified by oracle

# Manually delete the datafile and set it offline
SQL> alter database datafile 9 offline;
Database altered.

RMAN> restore datafile 9;
Starting restore at 09-NOV-13
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00009 to /u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 11/09/2013 22:45:54
ORA-19870: error while restoring backup piece /u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

# Open the encryption wallet, then restore the datafile again
RMAN> sql 'alter system set encryption wallet open identified by oracle';
sql statement: alter system set encryption wallet open identified by oracle

RMAN> restore datafile 9;
Starting restore at 09-NOV-13
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00009 to /u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp
channel ORA_DISK_1: piece handle=/u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp tag=TAG20131109T224327
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:07
Finished restore at 09-NOV-13
# Password Encryption test
# Enable password-based backup encryption
RMAN> set encryption on identified by linusfay only;
executing command: SET encryption

RMAN> backup database format '/u01/app/oracle/full%d_%s.bak';
Starting backup at 09-NOV-13
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00001 name=/u01/app/oracle/oradata/orcl/system01.dbf
input datafile file number=00002 name=/u01/app/oracle/oradata/orcl/sysaux01.dbf
input datafile file number=00005 name=/u01/app/oracle/oradata/orcl/example01.dbf
input datafile file number=00003 name=/u01/app/oracle/oradata/orcl/undotbs01.dbf
input datafile file number=00004 name=/u01/app/oracle/oradata/orcl/users01.dbf
input datafile file number=00006 name=/u01/app/oracle/oradata/orcl/users02.dbf
input datafile file number=00007 name=/u01/app/oracle/oradata/orcl/users03.dbf
input datafile file number=00008 name=/u01/app/oracle/oradata/orcl/users04.dbf
input datafile file number=00009 name=/u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: starting piece 1 at 09-NOV-13
channel ORA_DISK_1: finished piece 1 at 09-NOV-13
piece handle=/u01/app/oracle/fullORCL_173.bak tag=TAG20131109T233147 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:02:35
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current control file in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 09-NOV-13
channel ORA_DISK_1: finished piece 1 at 09-NOV-13
piece handle=/u01/app/oracle/fullORCL_174.bak tag=TAG20131109T233147 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:02
Finished backup at 09-NOV-13

# Shut down the database and destroy the datafiles
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.

# Try to restore the database directly
RMAN> restore database;
Starting restore at 09-NOV-13
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=10 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00001 to /u01/app/oracle/oradata/orcl/system01.dbf
channel ORA_DISK_1: restoring datafile 00002 to /u01/app/oracle/oradata/orcl/sysaux01.dbf
channel ORA_DISK_1: restoring datafile 00003 to /u01/app/oracle/oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: restoring datafile 00004 to /u01/app/oracle/oradata/orcl/users01.dbf
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/example01.dbf
channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/orcl/users02.dbf
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/orcl/users03.dbf
channel ORA_DISK_1: restoring datafile 00008 to /u01/app/oracle/oradata/orcl/users04.dbf
channel ORA_DISK_1: restoring datafile 00009 to /u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/fullORCL_173.bak
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 11/09/2013 23:40:55
ORA-19870: error while restoring backup piece /u01/app/oracle/fullORCL_173.bak
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

# Set the decryption password, then restore
RMAN> set decryption identified by linusfay ;
executing command: SET decryption

RMAN> restore database;
Starting restore at 09-NOV-13
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00001 to /u01/app/oracle/oradata/orcl/system01.dbf
channel ORA_DISK_1: restoring datafile 00002 to /u01/app/oracle/oradata/orcl/sysaux01.dbf
channel ORA_DISK_1: restoring datafile 00003 to /u01/app/oracle/oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: restoring datafile 00004 to /u01/app/oracle/oradata/orcl/users01.dbf
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/example01.dbf
channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/orcl/users02.dbf
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/orcl/users03.dbf
channel ORA_DISK_1: restoring datafile 00008 to /u01/app/oracle/oradata/orcl/users04.dbf
channel ORA_DISK_1: restoring datafile 00009 to /u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/fullORCL_173.bak
channel ORA_DISK_1: piece handle=/u01/app/oracle/fullORCL_173.bak tag=TAG20131109T233147
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:02:46
Finished restore at 09-NOV-13
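The restore side of the two tests above, written as an added example for this page (not the author's transcript, not Oracle sample code). One detail of the password test is worth reading closely: the failure is ORA-28365 "wallet is not open", not a wrong-password error, because with no SET DECRYPTION in the session RMAN falls back to the wallet even for a password-only set. The script assumes the database is open in ARCHIVELOG mode, a tablespace named USERS, existing backups tagged 'users_dual' and 'users_pwd' made with the placeholder passphrase below, and that the wallet password is a placeholder as well.

```rman
# Added example, not from the original post. Assumptions: ARCHIVELOG mode,
# database open, tablespace USERS, backups tagged 'users_dual' and 'users_pwd'
# exist, all passwords are placeholders.
# Run as:  rman target / @restore_check.rman

# Wallet closed on purpose: this is what a restore on another host looks like,
# where the source database's wallet does not exist.
sql 'alter system set encryption wallet close identified by "WalletPassword"';

# SET DECRYPTION accepts several passwords, so sets made with different
# passphrases (e.g. after a rotation) restore in one pass; RMAN tries each
# password against each encrypted backup set.
SET DECRYPTION IDENTIFIED BY 'Transport-Passphrase-2013', 'Older-Passphrase';

# VALIDATE reads and decrypts the pieces without writing any datafile: the
# cheap check that the password (or wallet) actually fits the backup before
# taking anything offline. Run it without SET DECRYPTION and with the wallet
# closed and it must fail with ORA-19913/ORA-28365, as in the transcript;
# that is the quick way to prove a set really is encrypted.
RESTORE TABLESPACE users FROM TAG 'users_pwd' VALIDATE;

# The real restore: tablespace offline, restore from the password-only set,
# roll forward from archived logs, bring it back online.
sql 'alter tablespace users offline immediate';
RESTORE TABLESPACE users FROM TAG 'users_pwd';
RECOVER TABLESPACE users;
sql 'alter tablespace users online';

# A transparent-only set (tag users_tde) cannot be restored this way: SET
# DECRYPTION does nothing for it and the wallet is required, which is exactly
# why transparent mode is not transportable.
```

Two practitioner checks that the page's transcripts do not show: in SQL*Plus, SELECT handle, tag, encrypted FROM v$backup_piece confirms that every piece you intend to ship is marked ENCRYPTED = 'YES' before it leaves the host. And never copy the wallet directory alongside the backups; a transparent-mode backup that travels with its wallet is, for anyone who obtains the media, a plaintext backup.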