Pythian Blog: Technical Track

Encryption RMAN Backup

There are 2 configurable items related with RMAN encryption backup :

CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

And there’s a snippet in Oracle Document:

  • To create encrypted backups on disk, the database must use the Advanced Security Option.
  • To create encrypted backups directly on tape, RMAN must use the Oracle Secure Backup SBT interface, but does not require the Advanced Security Option.

Here’s a test scenario of encryption RMAN backup sets on disk:

1) use Oracle Wallet Manager to store the encryption key

Add the following to sqlnet.ora on the host that you are backing up:

ENCRYPTION_WALLET_LOCATION =
(SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
        (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)
    )
)

2) create a wallet used by transparent data encryption

If no wallet exists in the default or specified locations, transparent data encryption creates a wallet when setting the master key for the first time. A wallet is not be created if the WALLET_LOCATION parameter in the sqlnet.ora file does not specify a valid path.
The password specified in the SQL command for setting the master key becomes the password to open the wallet.

SQL> alter system set encryption key identified by "SuperSecret";

System altered.
[oracle@ottawa3 admin]$ ls -ltr /u01/app/oracle/admin/ORCL/wallet
total 8
-rw-r--r-- 1 oracle oinstall 1573 Jan 11 14:51 ewallet.p12

set linesize 120
col wrl_parameter format a45
select * from v$encryption_wallet;

WRL_TYPE             WRL_PARAMETER                                 STATUS
-------------------- --------------------------------------------- ------------------
file                 /u01/app/oracle/admin/ORCL/wallet             OPEN

In case of a DB bounce, wallet needs to be re-opened :

alter system set encryption wallet open identified by "SuperSecret";

3) configure RMAN to use encryption

CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # this is the default encryption algorithm, for other available algorithms refer to v$rman_encryption_algorithm

4) test encryption

First disable encryption backup, take a full backup of DB, insert some words into DB, take a in incremental backup, these words can be find by hexdump -C $backup_set_handle | grep … ;
Then enable encryption backup, insert some new words, search the new backup set handle by hexdump returns nothing this time :

backup incremental level 0 database;

CONFIGURE ENCRYPTION FOR DATABASE OFF;
insert into scott.dept (deptno, dname, loc) values (91, 'encryption','test1');
backup incremental level 1 CUMULATIVE database;
[oracle@ottawa3]$ hexdump -C o1_mf_nnnd1_TAG20110113T180044_6lz10y13_.bkp | grep encryption
00023f30  02 c1 5c 0a 65 6e 63 72  79 70 74 69 6f 6e 05 74  |..\.encryption.t|

CONFIGURE ENCRYPTION FOR DATABASE ON;
insert into scott.dept (deptno, dname, loc) values (92, 'Superencryp','test2');
backup incremental level 1 CUMULATIVE database;
[oracle@ottawa3]$ hexdump -C o1_mf_nnnd1_TAG20110113T181345_6lz1sbbb_.bkp | grep Superencryp
[oracle@ottawa3]$

5) restore backup

Need to make sure wallet is open.
If restore to another server, need to copy wallet file, set ENCRYPTION_WALLET_LOCATION , and open wallet.
if you try to restore backup to a standby database, you will get following error when opening the wallet in mount mode: :

SQL> alter system set encryption key identified by "SuperSecret";
alter system set encryption key identified by "SuperSecret"
*
ERROR at line 1:
ORA-28388: database is not open in read/write mode

6) when there’s a standby

if encryption RMAN backup is enabled on primary , MRP process on standby will stopped with error :

ORA-28365: wallet is not open

as per MOS note : Using Transparent Data Encryption In An Oracle Dataguard Config in 10gR2 [ID 389958.1] to make transparent data encryption work with physical standby, you need to

  • copy wallet file manually
  • specify ENCRYPTION_WALLET_LOCATION
  • set the wallet in auto-login mode : orapki wallet create -wallet “wallet_location” -auto_login -pwd “……”

No Comments Yet

Let us know what you think

Subscribe by email