As a backup and recovery tool officially recommended by Oracle, RMAN provides three security encryption policies to ensure that backup is not used illegally. This article mainly introduces these three basic policies.
Data security, especially the security of an enterprise's core business data, is a concern shared across society today. From the Ctrip service outage a few days ago and the news of a deleted database, to the repeated leaks of user accounts and passwords at Internet companies last year, such incidents keep testing the industry's strained nerves. Today, "data is wealth" is not a utopian notion but a plain reality. For an enterprise that has suffered an information leak, the damage to reputation and brand is hard to assess.
From the perspective of the information system, backup is the DBA's lifeline and last line of defence. As long as a backup exists and the data is not lost, there is room for manoeuvre. Backup security also figures prominently in all kinds of information security standards.
Backup security has two main aspects: the backup must be valid, and the backup must not be used illegally. Backup validity is the nightmare of O&M staff: discovering at a critical moment that a backup is unusable or contains bad blocks is enough to make them despair. Protection against illegal use ensures that the data in a backup set cannot be illegally restored into another environment.
1. Environment Introduction
I chose Oracle 11g for testing. The version number is 11.2.0.4.
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
Archive log mode is enabled so that RMAN can be used for hot backup.
SQL> select log_mode from v$database;
LOG_MODE
------------
ARCHIVELOG
Three methods for RMAN backup security are password security, Oracle Wallet security, and hybrid encryption security.
Three policies are described as follows:
2. Password Security
Password security, as the name suggests, requires a password to be entered interactively during both encryption and decryption. You can configure the password in the RMAN configuration.
RMAN> show encryption for database;
RMAN configuration parameters for database with db_unique_name SICSSTB are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
RMAN> show encryption algorithm;
RMAN configuration parameters for database with db_unique_name SICSSTB are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
By default, RMAN does not enable encryption. Encryption always involves a choice of algorithm, and the default algorithm is AES128. Query the view V$RMAN_ENCRYPTION_ALGORITHMS to see the encryption algorithms currently available.
SQL> select * from v$rman_encryption_algorithms;
ALGORITHM_ID ALGORITHM_NAME ALGORITHM_DESCRIPTION IS_DEFAULT RESTORE_ONLY
------------ -------------- --------------------- ---------- ------------
           1 AES128         AES 128-bit key       YES        NO
           2 AES192         AES 192-bit key       NO
           3 AES256         AES 256-bit key       NO
To use password encryption, first set the password with the set encryption command.
RMAN> set encryption on identified by 'test' only;
Executing command: SET encryption
RMAN> show encryption for database;
RMAN configuration parameters for database with db_unique_name SICSSTB are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
Note that the ONLY keyword must be included.
Backup can be performed as follows:
RMAN> backup database plus archivelog;
Starting backup at 08-JUN-15
Current log archived
Allocated channel: ORA_DISK_1
Channel ORA_DISK_1: SID=137 device type=DISK
Channel ORA_DISK_1: starting archived log backup set
Channel ORA_DISK_1: specifying archived log(s) in backup set
(Omitted to save space ......)
Starting Control File and SPFILE Autobackup at 08-JUN-15
Piece handle=+RECO/sicsstb/autobackup/2015_06_08/s_881833159.266.881833159 comment=NONE
Finished Control File and SPFILE Autobackup at 08-JUN-15
Backup set status:
RMAN> list backup;
List of Backup Sets
==============================
BS Key  Size       Device Type Elapsed Time Completion Time
------- ---------- ----------- ------------ ---------------
1       14.01M     DISK        00:00:00
BP Key: 1 Status: AVAILABLE Compressed: NO Tag: TAG20150608T093841
(Omitted to save space ......)
BP Key: 4 Status: AVAILABLE Compressed: NO Tag: TAG20150608T093919
Piece Name: +RECO/sicsstb/autobackup/2015_06_08/s_881833159.266.881833159
SPFILE Included: Modification time: 08-JUN-15
SPFILE db_unique_name: SICSSTB
Control File Included: Ckp SCN: 2685935 Ckp time: 08-JUN-15
Restart the instance into the mount state and try to recover.
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
RMAN> connect target /
Connected to target database (not started)
RMAN> startup mount;
Oracle instance started
Database mounted
Total System Global Area 2087780352 bytes
Fixed Size 2254824 bytes
Variable Size 553650200 bytes
Database Buffers 1526726656 bytes
Redo Buffers 5148672 bytes
Attempt the restore.
RMAN> restore database;
Starting restore at 08-JUN-15
Allocated channel: ORA_DISK_1
Channel ORA_DISK_1: SID=131 device type=DISK
(Omitted to save space ......)
Channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 06/08/2015 09:46:38
ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
The backup set is encrypted and cannot be read. It can only be used after decryption.
RMAN> set decryption identified by 'test';
Executing command: SET decryption
Then run the restore again.
RMAN> restore database;
Starting restore at 08-JUN-15
Using channel ORA_DISK_1
Channel ORA_DISK_1: starting datafile backup set restore
Channel ORA_DISK_1: specifying datafile(s) to restore from backup set
Channel ORA_DISK_1: restoring datafile 00001 to +DATA/sicsstb/datafile/system.256.878897771
Channel ORA_DISK_1: restoring datafile 00002 to +DATA/sicsstb/datafile/sysaux.257.878897773
Channel ORA_DISK_1: restoring datafile 00003 to +DATA/sicsstb/datafile/undotbs1.258.878897773
Channel ORA_DISK_1: restoring datafile 00004 to +DATA/sicsstb/datafile/users.259.878897773
Channel ORA_DISK_1: restoring datafile 00005 to +DATA/sicsstb/datafile/example.265.878897857
Channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
Channel ORA_DISK_1: piece handle=+RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123 tag=TAG20150608T093842
Channel ORA_DISK_1: restored backup piece 1
Channel ORA_DISK_1: restore complete, elapsed time: 00:00:35
Finished restore at 08-JUN-15
RMAN> recover database;
Starting recover at 08-JUN-15
Using channel ORA_DISK_1
Starting media recovery
Media recovery complete, elapsed time: 00:00:00
Finished recover at 08-JUN-15
RMAN> alter database open;
Database opened
How do you turn this setting off? Use set encryption off.
RMAN> set encryption off;
Executing command: SET encryption
This is a simple RMAN backup set encryption policy. It is generally not used in formal O&M scenarios.
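The failed restore shown earlier, turned into a log check (an added example, not part of the original article): it splits an RMAN log into error stacks and flags those containing ORA-19913, the case where a backup piece was read without its decryption key. The function names and the second sample stack are constructed for illustration.

```python
import re

# Constructed sample log. The first error stack is the failed restore shown
# above; the second is a made-up non-encryption failure added for contrast.
SAMPLE_LOG = """\
channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 06/08/2015 09:46:38
ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
RMAN> restore database;
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-03002: failure of restore command at 06/08/2015 10:02:11
ORA-19870: error while restoring backup piece /backup/example_piece.bkp
ORA-19505: failed to identify file "/backup/example_piece.bkp"
"""

ERR = re.compile(r"^(RMAN-\d{5}|ORA-\d{5}): (.*)$")

def error_stacks(log):
    """Split an RMAN log into error stacks, each a list of (code, message)."""
    stacks, current = [], None
    for line in log.splitlines():
        m = ERR.match(line.strip())
        if not m:
            current = None                      # a non-error line ends the stack
        elif m.group(1) == "RMAN-00569":        # banner: a new stack begins
            current = []
            stacks.append(current)
        elif m.group(1) != "RMAN-00571":        # skip the '=====' ruler lines
            if current is None:                 # stack logged without a banner
                current = []
                stacks.append(current)
            current.append((m.group(1), m.group(2)))
    return stacks

def triage(log):
    """Label each failed command; ORA-19913 means the piece was never decrypted."""
    findings = []
    for stack in error_stacks(log):
        codes = [code for code, _ in stack]
        piece = next((msg.partition("backup piece ")[2]
                      for code, msg in stack if code == "ORA-19870"), None)
        # ORA-28365 accompanies ORA-19913 even for the password-only backup
        # above, so the action depends on the mode the backup was taken in.
        cause = "backup-not-decrypted" if "ORA-19913" in codes else "other"
        findings.append({"piece": piece, "cause": cause, "codes": codes})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["cause"], f["piece"], f["codes"])
```

Run over the logs of scheduled restore tests, a "backup-not-decrypted" finding separates a missing password or closed wallet from a damaged or missing backup piece.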