Three RMAN backup encryption policies

Source: Internet
Author: User
As a backup and recovery tool officially recommended by Oracle, RMAN provides three security encryption policies to ensure that backup is not used illegally. This article mainly introduces these three basic policies.

Data security, especially the security of core enterprise business data, is a concern shared across society today. From the widely publicized Ctrip service outage a few days ago and the news of a deleted database, to the repeated leaks of user accounts and passwords at Internet companies last year, these incidents keep testing the industry's nerves. Today, the idea that data is wealth is not a utopian notion but a plain reality. For enterprises that have suffered an information leak, the loss of reputation and brand is hard to assess.

From the perspective of the information system, backup is the DBA's lifeline and our fallback. As long as there is a backup and the data is not lost, there is room to maneuver. Backup security also matters to all kinds of information security standards.

Backup security has two main aspects: the backup must be valid, and the backup must not be used illegally. Backup validity is a nightmare for operations staff: discovering at a critical moment that a backup is unusable or contains bad blocks is enough to make them despair. Protection against illegal use ensures that the backup set data cannot be restored into another environment without authorization.

1. Environment Introduction

I chose Oracle 11g for testing. The version number is 11.2.0.4.

SQL> select * from v$version;

BANNER

--------------------------------------------------------------------------------

Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

PL/SQL Release 11.2.0.4.0 - Production

CORE 11.2.0.4.0 Production

TNS for Linux: Version 11.2.0.4.0 - Production

NLSRTL Version 11.2.0.4.0 - Production

Archive log mode is enabled so that RMAN can be used for hot backups.

SQL> select log_mode from v$database;

LOG_MODE

------------

ARCHIVELOG

Three methods for RMAN backup security are password security, Oracle Wallet security, and hybrid encryption security.

Three policies are described as follows:

2. Password Security

As its name suggests, password security requires a password to be entered interactively for both encryption and decryption. You can configure the password in the RMAN configuration.

RMAN> show encryption for database;

RMAN configuration parameters for database with db_unique_name SICSSTB are:

CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

RMAN> show encryption algorithm;

RMAN configuration parameters for database with db_unique_name SICSSTB are:

CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

By default, RMAN does not enable encryption. Encryption always goes together with an encryption algorithm, and the default algorithm is AES128. Query the view v$rman_encryption_algorithms to see which encryption algorithms are currently available.

SQL> select * from v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME ALGORITHM_DESCRIPTION IS_DEFAULT RESTORE_ONLY
------------ -------------- --------------------- ---------- ------------
           1 AES128         AES 128-bit key       YES        NO
           2 AES192         AES 192-bit key       NO         NO
           3 AES256         AES 256-bit key       NO         NO

To use password encryption, first set the password with the set encryption command.

RMAN> set encryption on identified by 'test' only;

Executing command: SET encryption

RMAN> show encryption for database;

RMAN configuration parameters for database with db_unique_name SICSSTB are:

CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

Note that the ONLY keyword must be included.

Backup can be performed as follows:

RMAN> backup database plus archivelog;

Starting backup at 08-JUN-15

Current log archived

Allocated channel: ORA_DISK_1

Channel ORA_DISK_1: SID=137 device type=DISK

Channel ORA_DISK_1: starting archived log backup set

Channel ORA_DISK_1: specifying archived log(s) in backup set

(Omitted for space ......)

Starting Control File and SPFILE Autobackup at 08-JUN-15

Piece handle=+RECO/sicsstb/autobackup/2015_06_08/s_881833159.266.881833159 comment=NONE

Finished Control File and SPFILE Autobackup at 08-JUN-15

Backup set status:

RMAN> list backup;

List of Backup Sets

==============================

BS Key  Size       Device Type Elapsed Time Completion Time
------- ---------- ----------- ------------ ---------------
1       14.01M     DISK        00:00:00

BP Key: 1 Status: AVAILABLE Compressed: NO Tag: TAG20150608T093841

(Omitted for space ......)

BP Key: 4 Status: AVAILABLE Compressed: NO Tag: TAG20150608T093919

Piece Name: +RECO/sicsstb/autobackup/2015_06_08/s_881833159.266.881833159

SPFILE Included: Modification time: 08-JUN-15

SPFILE db_unique_name: SICSSTB

Control File Included: Ckp SCN: 2685935 Ckp time: 08-JUN-15

Restart the instance into the mount state and try to restore.

SQL> shutdown immediate;

Database closed.

Database dismounted.

ORACLE instance shut down.

RMAN> connect target /

Connected to target database (not started)

RMAN> startup mount;

Oracle instance started

Database mounted

Total System Global Area 2087780352 bytes

Fixed Size 2254824 bytes

Variable Size 553650200 bytes

Database Buffers 1526726656 bytes

Redo Buffers 5148672 bytes

Try to recover.

RMAN> restore database;

Starting restore at 08-JUN-15

Allocated channel: ORA_DISK_1

Channel ORA_DISK_1: SID=131 device type=DISK

(Omitted for space ......)

Channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 06/08/2015 09:46:38

ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123

ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open

The backup set is encrypted and cannot be read. It can only be used after decryption.
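
Added example (not part of the original article): a small Python triage for RMAN logs that splits out error stacks like the one above and flags restores that failed because the backup piece is encrypted and no key was available. The first stack is the one shown on this page; the second stack, the function names and the result keys are constructed for illustration.

```python
import re

# The first stack is the failed restore shown above; the second is a
# constructed failure unrelated to encryption, for contrast.
PIECE = ("+RECO/sicsstb/backupset/2015_06_08/"
         "nnndf0_tag20150608t093842_0.263.881833123")
BAR = "=" * 59
HEAD = f"""RMAN-00571: {BAR}
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: {BAR}"""
SAMPLE_LOG = f"""Channel ORA_DISK_1: reading from backup piece {PIECE}
{HEAD}
RMAN-03002: failure of restore command at 06/08/2015 09:46:38
ORA-19870: error while restoring backup piece {PIECE}
ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open
Starting restore at 09-JUN-15
{HEAD}
RMAN-03002: failure of restore command at 06/09/2015 10:00:00
ORA-19505: failed to identify file "/backup/missing_piece.bkp"
"""

ENTRY = re.compile(r"^(?:RMAN|ORA)-\d{5}(?=: )")

def error_stacks(log):
    """Split an RMAN log into error stacks: lists of (code, message)."""
    stacks, current = [], None
    for line in map(str.strip, log.splitlines()):
        if not line:
            continue                    # blank lines do not end a stack
        m = ENTRY.match(line)
        if not m:
            current = None              # normal output ends the stack
        elif m.group() == "RMAN-00569":
            current = []                # banner line: a new stack begins
            stacks.append(current)
        elif m.group() != "RMAN-00571" and current is not None:
            current.append((m.group(), line[m.end() + 2:]))
    return stacks

def triage(stack):
    """Flag a stack whose restore failed because the piece is encrypted."""
    codes = {code for code, _ in stack}
    piece = next((msg.rsplit(" ", 1)[-1] for code, msg in stack
                  if code == "ORA-19870"), None)
    return {"piece": piece,
            "undecryptable": "ORA-19913" in codes,
            "wallet_closed": "ORA-28365" in codes}
```

Running `triage` over each stack from `error_stacks` on a restore-test log separates "encrypted, key not supplied" failures from other restore failures such as a missing piece.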

RMAN> set decryption identified by 'test';

Executing command: SET decryption

Then run the restore again.

RMAN> restore database;

Starting restore at 08-JUN-15

Using channel ORA_DISK_1

Channel ORA_DISK_1: starting datafile backup set restore

Channel ORA_DISK_1: specifying datafile(s) to restore from backup set

Channel ORA_DISK_1: restoring datafile 00001 to +DATA/sicsstb/datafile/system.256.878897771

Channel ORA_DISK_1: restoring datafile 00002 to +DATA/sicsstb/datafile/sysaux.257.878897773

Channel ORA_DISK_1: restoring datafile 00003 to +DATA/sicsstb/datafile/undotbs1.258.878897773

Channel ORA_DISK_1: restoring datafile 00004 to +DATA/sicsstb/datafile/users.259.878897773

Channel ORA_DISK_1: restoring datafile 00005 to +DATA/sicsstb/datafile/example.265.878897857

Channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123

Channel ORA_DISK_1: piece handle=+RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123 tag=TAG20150608T093842

Channel ORA_DISK_1: restored backup piece 1

Channel ORA_DISK_1: restore complete, elapsed time: 00:00:35

Finished restore at 08-JUN-15

RMAN> recover database;

Starting recover at 08-JUN-15

Using channel ORA_DISK_1

Starting media recovery

Media recovery complete, elapsed time: 00:00:00

Finished recover at 08-JUN-15

RMAN> alter database open;

Database opened

So how is this setting turned off? Use set encryption off.

RMAN> set encryption off;

Executing command: SET encryption

This is a simple RMAN backup set encryption policy. It is generally not used in formal operations scenarios.
