
oracle backup encryption

程序员文章站 2024-01-12 16:51:16



Oracle supports encrypted backups of backup sets. You can use wallet-based transparent encryption, password-based encryption, or both together.

In use, CONFIGURE ENCRYPTION sets the default encryption mode for backups, and SET ENCRYPTION sets password-based encryption at the RMAN session level.

Generally speaking, wallet-based encryption is more secure than password-based encryption, because no password is involved in the wallet-based process. If the backups have to be transported for recovery on another host, password-based encryption can be used.

## Compiled from the official documentation: http://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#ASOAG10142

Some concept descriptions from the official documentation:

About Backup Encryption

The V$RMAN_ENCRYPTION_ALGORITHMS view contains a list of encryption algorithms supported by RMAN. If no encryption algorithm is specified, then the default encryption algorithm is 128-bit Advanced Encryption Standard (AES). RMAN encryption requires the COMPATIBLE initialization parameter at a target database to be at least 10.2.0.

RMAN offers the following encryption modes:

  • Transparent Encryption of Backups

    This is the default mode and uses the Oracle wallet. A wallet is a password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL.

  • Password Encryption of Backups

    This mode uses only password protection. You must provide a password when creating and restoring encrypted backups.

  • Dual Mode Encryption of Backups

    This mode requires either the wallet or a password. # both transparent encryption and password encryption

Note:

Wallet-based encryption is more secure than password-based encryption because no passwords are involved. You should use password-based encryption only when it is absolutely necessary because your backups must be transportable.

Encrypted backups are decrypted automatically during restore and recovery, if the required decryption keys are available. Each backup set gets a separate key. The key is stored in encrypted form in the backup piece. The backup is decrypted with keys obtained with a user-supplied password or the Oracle wallet.

# Encrypted backups are decrypted automatically at restore time; the decryption key is stored in encrypted form in the backup piece, and each backup piece is encrypted with a different key.

To create encrypted backups on disk with RMAN, the database must use the Advanced Security Option. The Oracle Secure Backup SBT is the only supported interface for making encrypted RMAN backups directly to tape. RMAN issues an ORA-19916 error if you attempt to create encrypted RMAN backups using an SBT library other than Oracle Secure Backup. The Advanced Security Option is not required when making encrypted backups using the Oracle Secure Backup SBT.

# To create encrypted backups on disk, the Advanced Security Option is required; to create encrypted backups on tape, the Oracle Secure Backup SBT must be used, and in that case the Advanced Security Option is not required.


When you use the BACKUP BACKUPSET command with encrypted backup sets, the backup sets are backed up in encrypted form. Because BACKUP BACKUPSET copies an encrypted backup set to disk or tape, no decryption key is needed during BACKUP BACKUPSET. The data is never decrypted during any part of the operation. The BACKUP BACKUPSET command can neither encrypt nor decrypt backup sets.

# The backup backupset command itself performs no encryption or decryption.

Transparent Encryption of Backups

When you use transparent encryption, you must first configure an Oracle wallet for each database, as described in Oracle Database Advanced Security Administrator's Guide. Transparent backup encryption supports both the encrypted and autologin forms of the Oracle wallet. When you use the Oracle wallet, the wallet must be opened before you can perform backup encryption. When you use the autologin wallet, encrypted backup operations can be done at any time, because the autologin wallet is always open.

# Before using transparent encryption, an Oracle wallet must be configured, and the wallet must be opened before any encrypted backup operation.

Password Encryption of Backups

Password encryption requires that the DBA provide a password when creating and restoring encrypted backups. Restoring a password-encrypted backup requires the same password that was used to create the backup.

# Password encryption: a password is supplied when the backup is created and the same password at restore time; no prior configuration is needed, the password is simply supplied when running the encrypted backup.


Configuring the encryption mode for RMAN

Encryption can be configured in two ways, configure and set, at the database level and the RMAN session level respectively. A set configuration overrides the encryption mode originally set with configure.

CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION FOR DATABASE OFF;
SET ENCRYPTION ON;
SET ENCRYPTION OFF;

Configuring the encryption algorithm

You can use the CONFIGURE command to persistently configure the default algorithm to use for encryption when writing backup sets. Possible values are listed in V$RMAN_ENCRYPTION_ALGORITHMS. The default algorithm is AES 128-bit.

To configure the default backup encryption algorithm:

  1. Start RMAN and connect to a target database and a recovery catalog (if used).

  2. Ensure that the target database is mounted or open.

  3. Execute the CONFIGURE ENCRYPTION ALGORITHM command, specifying a valid value from V$RMAN_ENCRYPTION_ALGORITHMS.ALGORITHM_NAME.

    The following example configures the algorithm to AES 256-bit encryption:

    CONFIGURE ENCRYPTION ALGORITHM TO 'AES256';
    

Enabling Transparent Data Encryption(TDE)

TDE column encryption was first introduced in Oracle Database 10g release 2 (10.2). To use this feature, you must be running Oracle Database 10g release 2 (10.2) or higher.

TDE tablespace encryption was introduced in Oracle Database 11g release 1 (11.1). To use this feature, you must be running Oracle Database 11g release 1 (11.1) or higher.

To start using TDE, the security administrator must create a wallet and set a master key. The wallet can be the default database wallet shared with other Oracle Database components, or a separate wallet specifically used by TDE. Oracle strongly recommends that you use a separate wallet to store the master encryption key.

Specifying a Wallet Location for Transparent Data Encryption

If you wish to use a wallet specifically for TDE, then you must specify a wallet location in the sqlnet.ora file by using the ENCRYPTION_WALLET_LOCATION parameter. Oracle recommends that you use the ENCRYPTION_WALLET_LOCATION parameter to specify a wallet location for TDE.

See Also:

"Sample sqlnet.ora File" for an example of the syntax used to set this parameter

# 1. Create a wallet directory /etc/ORACLE/WALLETS/oracle
# 2. Then add the directory path to the sqlnet.ora file:

ENCRYPTION_WALLET_LOCATION = (SOURCE =
                                  (METHOD = FILE)
                                  (METHOD_DATA =
                                  (DIRECTORY =
                                   /etc/ORACLE/WALLETS/oracle)))

Setting the Master Encryption Key

Before you can encrypt or decrypt database columns or tablespaces, you must generate a master encryption key. Oracle Database 11g Release 2 (11.2) uses the same master encryption key for both TDE column encryption and TDE tablespace encryption.

To set the master encryption key, use the following command:

# 3. Set the master encryption key

SQL> ALTER SYSTEM SET ENCRYPTION KEY ["certificate_ID"] IDENTIFIED BY "password"

# Opening and closing the encryption wallet

Opening and Closing the Encrypted Wallet

The database must load the master encryption key into memory before it can encrypt or decrypt columns/tablespaces. Opening the wallet allows the database to access the master encryption key. Use the following ALTER SYSTEM command to explicitly open the wallet:

SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password"

Using Wallets with Automatic Login Enabled

The external security module can use wallets with the automatic login feature enabled. These wallets remain open all of the time. The security administrator does not have to reopen the wallet after a database instance has been restarted. If your environment does not require the extra security provided by a wallet that must be explicitly opened for use, then you may use an auto login wallet.

You can also choose to create a local auto login wallet. Local auto login wallets cannot be moved to another computer. They must be used on the host on which they are created.

ALTER SYSTEM SET ENCRYPTION WALLET CLOSE
#No password is required to close an auto login wallet.


password-encryption

SET DECRYPTION IDENTIFIED BY password;

# Some tests of encrypted backup and recovery

Encrypted backup mode can be enabled in the following ways:

1)RMAN> set encryption on identified by 'password' only;

2)RMAN> set encryption on identified by 'password';

3)RMAN> configure encryption for database on;

4)RMAN> set encryption on;


#Transparent Data Encryption Testing

SQL> alter system set encryption wallet open identified by oracle;

System altered.

RMAN> configure encryption for database on;

new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored

RMAN> backup tablespace users05;

Starting backup at 09-NOV-13
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00009 name=/u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: starting piece 1 at 09-NOV-13
channel ORA_DISK_1: finished piece 1 at 09-NOV-13
piece handle=/u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp tag=TAG20131109T224327 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:02
Finished backup at 09-NOV-13

# To test the effect at restore time, close the encryption wallet
RMAN> sql 'alter system set encryption wallet close identified by oracle';

sql statement: alter system set encryption wallet close identified by oracle

# Manually delete the data file and set its status to offline

SQL> alter database datafile 9 offline;

Database altered.


RMAN> restore datafile 9;

Starting restore at 09-NOV-13
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00009 to /u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 11/09/2013 22:45:54
ORA-19870: error while restoring backup piece /u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

# Open the encryption wallet, then restore the data file again
RMAN> sql 'alter system set encryption wallet open identified by oracle';

sql statement: alter system set encryption wallet open identified by oracle


RMAN> restore datafile 9;

Starting restore at 09-NOV-13
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00009 to /u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp
channel ORA_DISK_1: piece handle=/u01/app/oracle/fast_recovery_area/ORCL/backupset/2013_11_09/o1_mf_nnndf_TAG20131109T224327_97y06zyr_.bkp tag=TAG20131109T224327
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:07
Finished restore at 09-NOV-13


#Password Encryption Testing

# Enable password-based backup encryption

RMAN> set encryption on identified by linusfay only;

executing command: SET encryption


RMAN> backup database format '/u01/app/oracle/full%d_%s.bak';

Starting backup at 09-NOV-13
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00001 name=/u01/app/oracle/oradata/orcl/system01.dbf
input datafile file number=00002 name=/u01/app/oracle/oradata/orcl/sysaux01.dbf
input datafile file number=00005 name=/u01/app/oracle/oradata/orcl/example01.dbf
input datafile file number=00003 name=/u01/app/oracle/oradata/orcl/undotbs01.dbf
input datafile file number=00004 name=/u01/app/oracle/oradata/orcl/users01.dbf
input datafile file number=00006 name=/u01/app/oracle/oradata/orcl/users02.dbf
input datafile file number=00007 name=/u01/app/oracle/oradata/orcl/users03.dbf
input datafile file number=00008 name=/u01/app/oracle/oradata/orcl/users04.dbf
input datafile file number=00009 name=/u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: starting piece 1 at 09-NOV-13
channel ORA_DISK_1: finished piece 1 at 09-NOV-13
piece handle=/u01/app/oracle/fullORCL_173.bak tag=TAG20131109T233147 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:02:35
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current control file in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 09-NOV-13
channel ORA_DISK_1: finished piece 1 at 09-NOV-13
piece handle=/u01/app/oracle/fullORCL_174.bak tag=TAG20131109T233147 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:02
Finished backup at 09-NOV-13

# Shut down the database and corrupt the data files

SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.

# Try to restore the data files directly
RMAN> restore database;

Starting restore at 09-NOV-13
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=10 device type=DISK

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00001 to /u01/app/oracle/oradata/orcl/system01.dbf
channel ORA_DISK_1: restoring datafile 00002 to /u01/app/oracle/oradata/orcl/sysaux01.dbf
channel ORA_DISK_1: restoring datafile 00003 to /u01/app/oracle/oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: restoring datafile 00004 to /u01/app/oracle/oradata/orcl/users01.dbf
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/example01.dbf
channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/orcl/users02.dbf
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/orcl/users03.dbf
channel ORA_DISK_1: restoring datafile 00008 to /u01/app/oracle/oradata/orcl/users04.dbf
channel ORA_DISK_1: restoring datafile 00009 to /u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/fullORCL_173.bak
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 11/09/2013 23:40:55
ORA-19870: error while restoring backup piece /u01/app/oracle/fullORCL_173.bak
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

# Set the decryption password for the restore
RMAN> set decryption identified by linusfay ;

executing command: SET decryption


RMAN> restore database;

Starting restore at 09-NOV-13
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00001 to /u01/app/oracle/oradata/orcl/system01.dbf
channel ORA_DISK_1: restoring datafile 00002 to /u01/app/oracle/oradata/orcl/sysaux01.dbf
channel ORA_DISK_1: restoring datafile 00003 to /u01/app/oracle/oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: restoring datafile 00004 to /u01/app/oracle/oradata/orcl/users01.dbf
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/example01.dbf
channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/orcl/users02.dbf
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/orcl/users03.dbf
channel ORA_DISK_1: restoring datafile 00008 to /u01/app/oracle/oradata/orcl/users04.dbf
channel ORA_DISK_1: restoring datafile 00009 to /u01/app/oracle/oradata/orcl/users05.dbf
channel ORA_DISK_1: reading from backup piece /u01/app/oracle/fullORCL_173.bak
channel ORA_DISK_1: piece handle=/u01/app/oracle/fullORCL_173.bak tag=TAG20131109T233147
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:02:46
Finished restore at 09-NOV-13
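As an added set of verification queries (not part of the original post), the following SQL checks the three things the tests above depend on: whether the wallet is open, which algorithm and persistent RMAN encryption settings are in effect, and whether the backup pieces on disk were actually written encrypted. It assumes the Oracle 11.2 column names of V$ENCRYPTION_WALLET, V$RMAN_ENCRYPTION_ALGORITHMS, V$RMAN_CONFIGURATION and V$BACKUP_PIECE, and a user with SELECT on those views.

```sql
-- Added verification queries (not from the original post); column names
-- follow the Oracle 11.2 data dictionary.

-- 1. Wallet state. Transparent backup encryption and restore fail with
--    ORA-28365 (as in the test above) unless STATUS is OPEN.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 2. Algorithms RMAN can use; IS_DEFAULT marks the one applied when no
--    CONFIGURE ENCRYPTION ALGORITHM has been issued (AES128 out of the box).
SELECT algorithm_name, is_default, restore_only
  FROM v$rman_encryption_algorithms
 ORDER BY algorithm_id;

-- 3. Persistent RMAN settings, i.e. the rows written by
--    CONFIGURE ENCRYPTION FOR DATABASE ON / CONFIGURE ENCRYPTION ALGORITHM.
--    No row here means encryption is only on when SET ENCRYPTION is used.
SELECT name, value
  FROM v$rman_configuration
 WHERE name LIKE 'ENCRYPTION%';

-- 4. Available backup pieces from the last 7 days that are NOT encrypted.
--    An empty result means every recent piece would need the wallet or the
--    SET DECRYPTION password to be restored; any row is a piece readable
--    without either, which is what this check is meant to catch.
SELECT handle, tag, device_type, completion_time
  FROM v$backup_piece
 WHERE encrypted = 'NO'
   AND status = 'A'
   AND completion_time > SYSDATE - 7
 ORDER BY completion_time DESC;
```

Run query 4 again after a SET ENCRYPTION ON session ends: pieces created afterwards without CONFIGURE ENCRYPTION FOR DATABASE ON will show up as unencrypted, which is the easiest way to notice that a session-level setting did not carry over.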