Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 
 Home
 E-mail Us
 Oracle Articles
New Oracle Articles


 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog


 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Analysis
 Design
 Implementation
 Oracle Support


 SQL Tuning
 Security

 Oracle UNIX
 Oracle Linux
 Monitoring
 Remote s
upport
 Remote plans
 Remote
services
 Application Server

 Applications
 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S
upport  
 Development  

 Implementation


 Consulting Staff
 Consulting Prices
 Help Wanted!

 


 Oracle Posters
 Oracle Books

 Oracle Scripts
 Ion
 Excel-DB  

Don Burleson Blog 


 

 

 


 

 

 
 

Encrypted RMAN Backup Tips

Expert Oracle Database Tips by Donald BurlesonMarch 25, 2015

Creating Encrypted RMAN Backups and Recovery

It is very simple to restore the database created by RMAN using simple commands.  If someone has stolen the  backup of the database, they can easily restore it and steal all our data, too.  To prevent that from happening, encrypt the backup that has been made. By querying the v$rman_encryption_algorithms view, a list of RMAN encryption algorithms can be obtained:

SQL>
select
algorithm_id, algorithm_name, algorithm_description, is_default
from
v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME  ALGORITHM_DESCRIPTION        IS_DEFAULT
------------   -----------   ------------------------     ----------
1              AES128                 AES 128-bit key     YES
2              AES192                 AES 192-bit key     NO
3              AES256                 AES 256-bit key     NO
SQL>

There are three forms of encryption in Oracle 10g: transparent, password and dual mode.

  • To use transparent mode encryption, Oracle Encryption Wallet should be used.
  • To use password mode, a password should be provide by the DBA which will be used in encryption.
  • By using dual mode encryption, both above mentioned modes will be used.

In the following example, we will show how to use password mode to encrypt our backup. Use the set encryption on command and the password using the identified by command, and encrypt the backup that is taken in this session.   Use the only keyword at the end to use only password encryption.  If the keyword only is missed, RMAN uses dual mode encryption and demands the presence of Oracle Encryption Wallet, too.

RMAN> set encryption on identified by 'test' only;

Backup the users tablespace:

RMAN> backup tablespace users;

Now try to restore it:

RMAN> restore tablespace users;
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

As this shows, it is impossible to restore already encrypted backup without using the password.  In this situation, if someone has stolen our backup, they will not be able to restore it and steal our data, too, without providing the correct password. Now provide the password and restore the backup:

RMAN> set decryption identified by 'test';
RMAN> restore tablespace users;

Using the password, tablespace is restored successfully.  If we provide a wrong password, it will not restore the backup:

RMAN> set decryption identified by 'wrong'; #wrong password
RMAN> restore tablespace users;
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
RMAN>

By default, RMAN uses the AES 128-bit key algorithm for encryption.  The algorithm can be easily changed using the configure encryption algorithm command as follows:

RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES128'; #default

RMAN> configure encryption algorithm 'AES256';
new RMAN configuration parameters:
configure encryption algorithm 'AES256';
new RMAN configuration parameters are successfully stored

RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES256';

Again, anytime this configuration is cleared, the encryption algorithmcan be returned to its default value as follows:

RMAN> configure encryption algorithm clear;

old RMAN configuration parameters:
configure encryption algorithm 'AES256';
RMAN configuration parameters are successfully reset to default value

RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES128'; # default
RMAN>

To use Oracle Encryption Wallet, we need to configure RMAN to perform an encrypted backup of any tablespace or whole database automatically.  For this, use the configure encryption for command.  In the following example, we configure RMAN to create an encrypted backup of the database, and exclude users tablespace from encryption:

RMAN> show all;
RMAN configuration parameters are:
configure encryption for database off; # default
configure encryption algorithm 'AES128'; # default

RMAN> configure encryption for database on;
new RMAN configuration parameters:
configure encryption for database on;
new RMAN configuration parameters are successfully stored

RMAN> configure encryption for tablespace users off;
tablespace users will not be encrypted in future backup sets
new RMAN configuration parameters are successfully stored

RMAN> show all;
RMAN configuration parameters are:
configure encryption for database on;
configure encryption algorithm 'AES128'; # default
configure encryption for tablespace 'users' off;

To return back to default value, clear the encryption configuration parameter:

RMAN> configure encryption for database clear;
old RMAN configuration parameters:
configure encryption for database on;
RMAN configuration parameters are successfully reset to default value 

RMAN> configure encryption for tablespace users clear;
tablespace users will default to database encryption configuration
old RMAN configuration parameters are successfully deleted

RMAN> show all;
RMAN configuration parameters are:
configure encryption for database off; # default

 

 

 
 
 
Get the Complete
Oracle Backup & Recovery Details 

The landmark book "Oracle Backup & Recovery: Expert secrets for using RMAN and Data Pump " provides real world advice for resolving the most difficult Oracle performance and recovery issues. Buy it for 40% off directly from the publisher.
 


 

 

Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


                    









Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


 

Copyright © 1996 -  2017

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

Remote Emergency Support provided by Conversational

 

 

��  
 
 
Oracle Training at Sea
 
 
 
 
oracle dba poster
 

 
Follow us on Twitter 
 
Oracle performance tuning software 
 
Oracle Linux poster