How to encrypt RMAN backup sets in Oracle
Let's take a look at a method for encrypting Oracle RMAN backup sets. I hope this example will help you.
Data security is becoming more and more important. A secure production database does not by itself mean that your data is secure: RMAN backups are also an important channel for data leakage. If someone else obtains your backup sets, it is equivalent to them breaking into your production database. The simplest way to secure RMAN backups is to set a password with set encryption during the RMAN backup. The database version must be 10.2 or later. In addition, if you need to back up to tape, you can only use Oracle's own OSB (Oracle Secure Backup). Note that only RMAN backup sets can be encrypted; image copies cannot be encrypted.
Database Version
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE    11.2.0.4.0      Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> show parameter compatible
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
compatible                           string      11.2.0.4.0
Supported RMAN encryption algorithms
SQL> select ALGORITHM_NAME
  2  from V$RMAN_ENCRYPTION_ALGORITHMS;
ALGORITHM_NAME
----------------------------------------------------------------
AES128
AES192
AES256
Adjust the encryption algorithm
RMAN> show encryption algorithm;
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
RMAN> configure encryption algorithm 'AES256';
new RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM 'AES256';
new RMAN configuration parameters are successfully stored
RMAN> show encryption algorithm;
using target database control file instead of recovery catalog
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM 'AES256';
Create a new test data file
Here we test encrypted backup and restore using the newly created datafile 5.
SQL> select name from v$datafile;
NAME
--------------------------------------------------------------------------------
/u01/app/oracle/oradata/orcl/system01.dbf
/u01/app/oracle/oradata/orcl/sysaux01.dbf
/u01/app/oracle/oradata/orcl/undotbs01.dbf
/u01/app/oracle/oradata/orcl/users01.dbf
SQL> create tablespace rman_xifenfei datafile
  2  '/u01/app/oracle/oradata/orcl/xifenfei01.dbf' size 100M;
Tablespace created.
SQL> select file#, name from v$datafile;
     FILE# NAME
---------- --------------------------------------------------
         1 /u01/app/oracle/oradata/orcl/system01.dbf
         2 /u01/app/oracle/oradata/orcl/sysaux01.dbf
         3 /u01/app/oracle/oradata/orcl/undotbs01.dbf
         4 /u01/app/oracle/oradata/orcl/users01.dbf
         5 /u01/app/oracle/oradata/orcl/xifenfei01.dbf
SQL> create table chf.t_xifenfei tablespace rman_xifenfei
  2  as select * from dba_objects;
Table created.
SQL> select count(*) from chf.t_xifenfei;
  COUNT(*)
----------
86721
RMAN encrypted backup
RMAN> set encryption on identified by 'www.111cn.net' only;
executing command: SET encryption
RMAN> backup datafile 5;
Starting backup at 28-JAN-15
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=5 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00005 name=/u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: starting piece 1 at 28-JAN-15
channel ORA_DISK_1: finished piece 1 at 28-JAN-15
piece handle=/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp tag=TAG20150128T230115 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 28-JAN-15
Prepare for recovery test
RMAN> sql 'alter database datafile 5 offline';
sql statement: alter database datafile 5 offline
[oracle@localhost ~]$ rm /u01/app/oracle/oradata/orcl/xifenfei01.dbf
[oracle@localhost ~]$ ls /u01/app/oracle/oradata/orcl/xifenfei01.dbf
ls: /u01/app/oracle/oradata/orcl/xifenfei01.dbf: No such file or directory
RMAN recovery test
[oracle@localhost ~]$ rman target /
Recovery Manager: Release 11.2.0.4.0 - Production on Wed Jan 28 23:02:24 2015
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
connected to target database: ORCL (DBID=1378620768)
RMAN> list backup of datafile 5;
using target database control file instead of recovery catalog
List of Backup Sets
===================
BS Key  Type LV Size       Device Type Elapsed Time Completion Time
------- ---- -- ---------- ----------- ------------ ---------------
1       Full    10.94M     DISK        00:00:01     28-JAN-15
        BP Key: 1   Status: AVAILABLE  Compressed: NO  Tag: TAG20150128T230115
        Piece Name: /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
  List of Datafiles in backup set 1
  File LV Type Ckp SCN    Ckp Time  Name
  ---- -- ---- ---------- --------- ----
  5       Full 54057180   28-JAN-15 /u01/app/oracle/oradata/orcl/xifenfei01.dbf
-- No password entered
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=492 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 01/28/2015 23:02:52
ORA-19870: error while restoring backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
-- Set the wrong password
RMAN> set decryption identified by 'www.orasos.com';
executing command: SET decryption
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 01/28/2015 23:03:31
ORA-19870: error while restoring backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
-- Set the correct password
RMAN> set decryption identified by 'www.111cn.net';
executing command: SET decryption
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp
channel ORA_DISK_1: piece handle=/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_.bkp tag=TAG20150128T230115
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 28-JAN-15
Verify data restoration
RMAN> recover datafile 5;
Starting recover at 28-JAN-15
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=7 device type=DISK
starting media recovery
media recovery complete, elapsed time: 00:00:00
Finished recover at 28-JAN-15
RMAN> sql 'alter database datafile 5 online';
sql statement: alter database datafile 5 online
RMAN> exit
Recovery Manager complete.
[oracle@localhost ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jan 28 23:05:55 2015
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select count(*) from chf.t_xifenfei;
  COUNT(*)
----------
86721
This completes the simplest test of RMAN encrypted backup and restore. After set encryption is used, the backup set cannot be used if no password or a wrong password is supplied, which ensures the security of the backup set.
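The transcript above types the passphrase directly into the RMAN session. As an added example (not part of the original article), the shell functions below read it from a file only its owner can access and emit the same set encryption and backup commands for piping into rman; the file path, the function names and the use of GNU stat on Linux are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the RMAN command stream for a password-encrypted
# backup without putting the passphrase on a command line or in a script.
# The passphrase file and function names are assumptions of this example.

# Print the passphrase stored in file $1, or fail if the file is unsafe.
read_passphrase() {
    passfile=$1
    [ -f "$passfile" ] || { echo "missing passphrase file" >&2; return 1; }
    # Refuse files accessible to group or other (GNU stat, Linux).
    mode=$(stat -c '%a' "$passfile") || return 1
    case $mode in
        600|400) ;;
        *) echo "passphrase file mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
    # Accept a first line with or without a trailing newline.
    IFS= read -r pass < "$passfile" || [ -n "$pass" ] || return 1
    # A quote would end the RMAN string literal early; reject it and empty values.
    case $pass in
        ''|*"'"*|*'"'*) echo "passphrase empty or contains a quote" >&2
                        return 1 ;;
    esac
    printf '%s' "$pass"
}

# Emit the RMAN commands for an encrypted backup of datafile number $2.
build_rman_backup() {
    pass=$(read_passphrase "$1") || return 1
    case $2 in
        ''|*[!0-9]*) echo "datafile number must be numeric" >&2; return 1 ;;
    esac
    printf "set encryption on identified by '%s' only;\n" "$pass"
    printf 'backup datafile %s;\n' "$2"
}

# Usage on the database host (hypothetical path, not run here):
#   build_rman_backup /home/oracle/.rman_pass 5 | rman target /
```

The same passphrase file can feed a matching set decryption line before a restore, so the secret lives in one protected place instead of in shell history or job scripts.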