Data security matters more and more. Securing the production database is not enough: RMAN backups are also a significant place for data to leak, and if someone obtains your backup sets, the effect is the same as an intrusion into your production database. The easiest way to secure RMAN backups is to set a password during the backup with SET ENCRYPTION. This requires Enterprise Edition, version 10.2 or later. If you need to back up to a tape library, you can only use Oracle's own OSB (Oracle Secure Backup). Note that RMAN can encrypt only backup sets; image copies cannot be encrypted.
Database version
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> show parameter compatible
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
compatible string 11.2.0.4.0
Encryption algorithms supported by RMAN
SQL> select algorithm_name
2 from v$rman_encryption_algorithms;
ALGORITHM_NAME
----------------------------------------------------------------
AES128
AES192
AES256
Adjust the encryption algorithm
RMAN> show encryption algorithm;
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES256';
new RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM 'AES256';
new RMAN configuration parameters are successfully stored
RMAN> show encryption algorithm;
using target database control file instead of recovery catalog
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM 'AES256';
Create a new test datafile
The test below takes an encrypted backup of the newly created datafile 5 and then restores it.
SQL> select name from v$datafile;
NAME
--------------------------------------------------------------------------------
/u01/app/oracle/oradata/orcl/system01.dbf
/u01/app/oracle/oradata/orcl/sysaux01.dbf
/u01/app/oracle/oradata/orcl/undotbs01.dbf
/u01/app/oracle/oradata/orcl/users01.dbf
SQL> create tablespace rman_xifenfei datafile
2 '/u01/app/oracle/oradata/orcl/xifenfei01.dbf' size 100M;
Tablespace created.
SQL> select file#,name from v$datafile;
FILE# NAME
---------- --------------------------------------------------
1 /u01/app/oracle/oradata/orcl/system01.dbf
2 /u01/app/oracle/oradata/orcl/sysaux01.dbf
3 /u01/app/oracle/oradata/orcl/undotbs01.dbf
4 /u01/app/oracle/oradata/orcl/users01.dbf
5 /u01/app/oracle/oradata/orcl/xifenfei01.dbf
SQL> create table chf.t_xifenfei tablespace rman_xifenfei
2 as select * from dba_objects;
Table created.
SQL> select count(*) from chf.t_xifenfei;
COUNT(*)
----------
86721
RMAN encrypted backup
RMAN> set encryption on identified by 'www.111cn.net' only;
executing command: SET encryption
RMAN> backup datafile 5;
Starting backup at 28-JAN-15
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=5 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00005 name=/u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: starting piece 1 at 28-JAN-15
channel ORA_DISK_1: finished piece 1 at 28-JAN-15
piece handle=/U01/2015_01_28/O1_MF_NNNDF_TAG20150128T230115_BDKYFVLW_.BKP tag=TAG20150128T230115 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 28-JAN-15
Prepare for recovery test
RMAN> sql 'alter database datafile 5 offline';
sql statement: alter database datafile 5 offline
[oracle@localhost ~]$ rm /u01/app/oracle/oradata/orcl/xifenfei01.dbf
[oracle@localhost ~]$ ls /u01/app/oracle/oradata/orcl/xifenfei01.dbf
ls: /u01/app/oracle/oradata/orcl/xifenfei01.dbf: No such file or directory
RMAN recovery test
[oracle@localhost ~]$ rman target /
Recovery Manager: Release 11.2.0.4.0 - Production on Wed 28 23:02:24 2015
Copyright (c) 1982, Oracle and/or its affiliates. All rights reserved.
connected to target database: ORCL (DBID=1378620768)
RMAN> list backup of datafile 5;
using target database control file instead of recovery catalog
List of Backup Sets
===================
BS Key Type LV Size Device Type Elapsed Time Completion Time
------- ---- -- ---------- ----------- ------------ ---------------
1 Full 10.94M DISK 00:00:01 28-JAN-15
BP Key: 1 Status: AVAILABLE Compressed: NO Tag: TAG20150128T230115
Piece Name: /U01/2015_01_28/O1_MF_NNNDF_TAG20150128T230115_BDKYFVLW_.BKP
List of Datafiles in backup set 1
File LV Type Ckp SCN Ckp Time Name
---- -- ---- ---------- --------- ----
5 Full 54057180 28-JAN-15 /u01/app/oracle/oradata/orcl/xifenfei01.dbf
--No password entered
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=492 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /U01/2015_01_28/O1_MF_NNNDF_TAG20150128T230115_BDKYFVLW_.BKP
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 01/28/2015 23:02:52
ORA-19870: error while restoring backup piece /U01/2015_01_28/O1_MF_NNNDF_TAG20150128T230115_BDKYFVLW_.BKP
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
--Set the wrong password
RMAN> set decryption identified by 'www.orasos.com';
executing command: SET decryption
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /U01/2015_01_28/O1_MF_NNNDF_TAG20150128T230115_BDKYFVLW_.BKP
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 01/28/2015 23:03:31
ORA-19870: error while restoring backup piece /U01/2015_01_28/O1_MF_NNNDF_TAG20150128T230115_BDKYFVLW_.BKP
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
--Set the correct password
RMAN> set decryption identified by 'www.111cn.net';
executing command: SET decryption
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01.dbf
channel ORA_DISK_1: reading from backup piece /U01/2015_01_28/O1_MF_NNNDF_TAG20150128T230115_BDKYFVLW_.BKP
channel ORA_DISK_1: piece handle=/U01/2015_01_28/O1_MF_NNNDF_TAG20150128T230115_BDKYFVLW_.BKP tag=TAG20150128T230115
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 28-JAN-15
Verifying the restored data
RMAN> recover datafile 5;
Starting recover at 28-JAN-15
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=7 device type=DISK
starting media recovery
media recovery complete, elapsed time: 00:00:00
Finished recover at 28-JAN-15
RMAN> sql 'alter database datafile 5 online';
sql statement: alter database datafile 5 online
RMAN> exit
Recovery Manager complete.
[oracle@localhost ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed 28 23:05:55 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select count(*) from chf.t_xifenfei;
COUNT(*)
----------
86721
At this point the simplest RMAN encrypted backup and restore test is complete. Once SET ENCRYPTION has been used for the backup, the backup set cannot be restored when no password is entered or when the wrong password is entered, so the backup set is protected.
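The backup step above typed the password directly at the RMAN prompt. The script below is an added example, not part of the original article: it builds the same SET ENCRYPTION and BACKUP DATAFILE commands from a password file that must be readable only by its owner, and feeds them to RMAN on standard input so the password is not a command-line argument. The function names and the password-file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# password-file layout are assumptions made for illustration.

# Succeed only if $1 is a regular file with no group/other permission bits.
check_secret_file() {
    [ -f "$1" ] || { echo "password file not found: $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other part of the mode string
    [ "$perms" = "------" ] || { echo "$1 must be mode 0600 or stricter" >&2; return 1; }
}

# Print the RMAN commands for a password-only encrypted backup of one datafile.
# $1 = password file (first line is the password), $2 = datafile number.
build_rman_script() {
    check_secret_file "$1" || return 1
    case $2 in
        ''|*[!0-9]*) echo "datafile number must be numeric" >&2; return 1 ;;
    esac
    # read fails on a file without a trailing newline but still fills pw
    IFS= read -r pw < "$1" || [ -n "$pw" ] || { echo "empty password file" >&2; return 1; }
    case $pw in
        # a quote character would break out of the quoted RMAN string
        ''|*\'*|*\"*) echo "password is empty or contains a quote" >&2; return 1 ;;
    esac
    printf "SET ENCRYPTION ON IDENTIFIED BY '%s' ONLY;\n" "$pw"
    printf 'BACKUP DATAFILE %s;\n' "$2"
}

# Feed the commands to RMAN on stdin so the password never appears in argv.
run_encrypted_backup() {
    script=$(build_rman_script "$1" "$2") || return 1
    printf '%s\n' "$script" | rman target /
}

# Usage: sh this_file --run /path/to/password_file 5
if [ "${1:-}" = "--run" ]; then
    run_encrypted_backup "$2" "$3"
fi
```

A restore session needs the same password supplied through SET DECRYPTION IDENTIFIED BY, as in the recovery test above.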