For improved security, RMAN backups can be encrypted. Encrypted backups cannot be read by unauthorized persons, and a password or wallet is required to restore from them.
If your backups are accessible to others, they must be encrypted. Otherwise, anyone who obtains the backup files can use them, and all your data may end up with other people or companies.
RMAN Backup Encryption Types
With RMAN, backups can be encrypted in two ways:
- Global Encryption using Wallet
- Backup Specific Encryption
Global Encryption using Wallet
This option provides global security: all backups will be encrypted.
The steps required for this process are listed below.
First, create the wallet directory. After setting $ORACLE_BASE, create a directory named wallet under $ORACLE_BASE/admin/<database_name>.
As the oracle user:
-bash-4.3$ mkdir $ORACLE_BASE/admin/TESTDB/wallet
Connected as SYS, set the encryption key with the wallet password as follows (this also creates and opens the wallet):
SQL> alter system set encryption key identified by "welcome1";

System altered.
NOTE: After a database restart, use the following command to open the wallet again. Backups will not be encrypted unless the wallet is open.
SQL> alter system set encryption wallet open identified by "welcome1";
Then configure RMAN to encrypt backups:
-bash-4.3$ rman target /

Recovery Manager: Release 11.2.0.4.0 - Production on Thu Oct 19 16:49:55 2017

Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.

connected to target database: TESTDB (DBID=2708277737)

RMAN> configure encryption for database on;

using target database control file instead of recovery catalog
new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored

All backups taken after this point will be encrypted.

RMAN> backup full database tag ORCL_FULL format '/u01/backup/%d_%T_%s_%p_FULL';

Starting backup at 19-OCT-17
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=1423 instance=TESTDB1 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00002 name=+DATA/testdb/datafile/sysaux.697.924949529
input datafile file number=00004 name=+DATA/testdb/datafile/users.703.924949531
input datafile file number=00001 name=+DATA/testdb/datafile/system.704.924949529
input datafile file number=00003 name=+DATA/testdb/datafile/undotbs1.700.924949531
channel ORA_DISK_1: starting piece 1 at 19-OCT-17
channel ORA_DISK_1: finished piece 1 at 19-OCT-17
piece handle=/u01/backup/TESTDB_20171019_3_1_FULL tag=ORCL_FULL comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:01:35
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current control file in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 19-OCT-17
channel ORA_DISK_1: finished piece 1 at 19-OCT-17
piece handle=/u01/backup/TESTDB_20171019_4_1_FULL tag=ORCL_FULL comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 19-OCT-17
Backup Specific Encryption
With this option, only the backup in question is encrypted. The drawback is that the password is exposed: the password used for encryption has to be supplied at backup time. When you write the password into a script, anyone with access to the operating system can read it and use it to restore the database.
In RMAN, or in a script, set the password with the command below and then start the backup.
RMAN> set encryption on identified by "welcome1" only;

executing command: SET encryption
Any backup started after running the above command will be encrypted.
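The exposure described above can be reduced by keeping the password out of the script itself. The wrapper below is an added example, not code from the original post: it reads the password from a file that must be readable only by the oracle user, writes it into a 0600 temporary RMAN command file, and deletes that file when RMAN exits, so the password never appears in the script, on a command line, or in shell history. The secret-file path /etc/oracle/rman_backup.pw and the script name are assumptions; the /u01/backup destination and the ORCL_FULL tag are taken from the post's own backup command.

```shell
#!/bin/sh
# Added example (not from the original post): run a password-encrypted RMAN
# backup without writing the password into the backup script.
# Assumptions: the password lives in a file readable only by the oracle user
# (e.g. /etc/oracle/rman_backup.pw), and backups go to /u01/backup.

# Succeed only if the file exists and has no group/other permission bits,
# i.e. mode 0600 or 0700 (checked via ls so it works on GNU and BSD alike).
secret_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)    # e.g. -rw-------
    case "$perms" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Write an RMAN command file that turns on password-based encryption for this
# run only. The password is read from the secret file and never passed as a
# command-line argument, so it does not show up in ps output or shell history.
#   $1 = secret file, $2 = command file to create, $3 = tag, $4 = backup dir
build_rman_cmdfile() {
    secret="$1"; out="$2"; tag="${3:-ORCL_FULL}"; dest="${4:-/u01/backup}"
    secret_file_is_private "$secret" || {
        echo "refusing: $secret is missing or readable by others" >&2; return 1; }
    pw=$(head -n 1 "$secret")
    case "$pw" in
        "")   echo "refusing: $secret is empty" >&2; return 1 ;;
        *\"*) echo "refusing: double quotes are not allowed in the password" >&2; return 1 ;;
    esac
    # umask 077 makes a newly created command file 0600 before content lands in it.
    ( umask 077
      printf '%s\n' \
        "SET ENCRYPTION ON IDENTIFIED BY \"$pw\" ONLY;" \
        "BACKUP FULL DATABASE TAG $tag FORMAT '$dest/%d_%T_%s_%p_FULL';" \
        "EXIT;" > "$out" ) || return 1
    # Verify rather than assume: the file now holds the clear-text password.
    secret_file_is_private "$out" || { rm -f "$out"; return 1; }
}

# Build the command file in a private temp file, run RMAN, then remove it.
run_encrypted_backup() {
    cmdfile=$(mktemp "${TMPDIR:-/tmp}/rman_enc.XXXXXX") || return 1
    trap 'rm -f "$cmdfile"' EXIT INT TERM
    build_rman_cmdfile "$1" "$cmdfile" || return 1
    # Only the command-file path is visible on the rman command line.
    rman target / cmdfile="$cmdfile" log="${2:-/u01/backup}/rman_enc.log"
}

# usage: sh rman_enc_backup.sh /etc/oracle/rman_backup.pw
if [ $# -eq 1 ]; then
    run_encrypted_backup "$1"
fi
```

This only narrows who can read the password to users who can already read files as oracle (or root); it does not remove the clear-text password from the host, which is why the wallet-based configuration above is the stronger choice for routine backups.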
Cancelling Backup Encryption
If you no longer need backup encryption, disable it with the command below.
RMAN> configure encryption for database off;

old RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE OFF;
new RMAN configuration parameters are successfully stored
Encryption Algorithms
By default, RMAN uses the AES128 algorithm for encryption. If you wish, you can change the algorithm as follows.
RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES256';

new RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM 'AES256';
new RMAN configuration parameters are successfully stored
The available algorithms are listed in the V$RMAN_ENCRYPTION_ALGORITHMS view.