Using encryption with RMAN

Database backups are another important asset to defend. As with Data Pump dumps, backups made with RMAN can be encrypted and decrypted using encryption wallets. In this recipe, we will enable RMAN encryption and make a full backup followed by a restore. Next, we will save and delete the encryption wallet, and try a restore and recovery. We also emphasize the importance of saving these keys in a safe place.

Getting ready

All steps will be performed on nodeorcl1.

How to do it...

  1. Create a new directory to be used as the destination for future backups with the oracle user as the owner:
    mkdir -p /backup/rman
    chown oracle:oinstall /backup/rman
    
  2. Connect with RMAN and enable the encryption of backups for the database as follows:
    [oracle@nodeorcl1~] rman target / 
    
    RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
    
    new RMAN configuration parameters:
    CONFIGURE ENCRYPTION FOR DATABASE ON;
    new RMAN configuration parameters are successfully stored
    
    RMAN> 
    
  3. Perform a full database backup:
    RMAN> run
    2> { allocate channel d1 device type disk format '/backup/rman/%U_%d_0_enc';
    3> backup incremental level 0 database;
    4> backup archivelog all delete input; }
    
    using target database control file instead of recovery catalog
    .................................................................................................................................... ................................................................................................................................... tag=TAG20120222T174122 comment=NONE
    channel d1: backup set complete, elapsed time: 00:01:25
    channel d1: starting incremental level 0 datafile backup set
    channel d1: specifying datafile(s) in backup set
    including current control file in backup set
    including current SPFILE in backup set
    channel d1: starting piece 1 at 22-FEB-12
    channel d1: finished piece 1 at 22-FEB-12
    ................................................................................................................................................
    released channel: d1
    RMAN> 
    
  4. Shut down the database:
    RMAN> shutdown immediate
    
    database closed
    database dismounted
    Oracle instance shut down
    
    RMAN>
    
  5. Rename the wallet to ewallet_old:
    mv wallet ewallet_old
    
  6. Start up the database in mount mode and try to issue a database restore:
    RMAN> restore database;
    
    Starting restore at 22-FEB-12
    allocated channel: ORA_DISK_1
    channel ORA_DISK_1: SID=133 device type=DISK
    
    channel ORA_DISK_1: starting datafile backup set restore
    channel ORA_DISK_1: specifying datafile(s) to restore from backup set
    .......................................................................
    ORA-19913: unable to decrypt backup
    ORA-28365: wallet is not open
    
  7. Rename the wallet back to its original name and open it:
    mv ewallet_old wallet
    sqlplus / as sysdba
    
    SQL*Plus: Release 11.2.0.3.0 Production on Wed Feb 22 18:03:10 2012
    
    Copyright (c) 1982, 2011, Oracle.  All rights reserved.
    
    
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
    With the Partitioning and Oracle Label Security options
    
    SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "UYio71+^ZaPO";
    
    System altered.
    
  8. Now, you should be able to restore and recover your database:
    rman target /
    
    Recovery Manager: Release 11.2.0.3.0 - Production on Wed Feb 22 18:08:41 2012
    
    Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
    
    connected to target database: HCKDB (DBID=265134230, not open)
    
    RMAN> run
    2> { restore database;
    3> recover database;
    4> alter database open; }
    
    Starting restore at 22-FEB-12
    using target database control file instead of recovery catalog
    ............................
    Finished recover at 22-FEB-12
    
    database opened
    
    RMAN>
    

How it works...

The encryption of backup sets is performed in transparent mode using the encryption wallet. The mechanism is identical to the transparent mode used for Data Pump.

There's more...

Always save the master key in a safe place and do not store it along with your backup sets. An attacker who can open the encryption wallet (an auto-login wallet does not require a password) will be able to restore the database. By default, RMAN does not include the master key in the backup set. Without the appropriate database master key, it will be impossible to restore and recover your database from encrypted backups.
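
The following check is an added example, not part of the original recipe: it scans a backup destination such as /backup/rman for Oracle wallet files that have ended up next to the backup pieces. It assumes the standard wallet file names ewallet.p12 (password-protected) and cwallet.sso (auto-login); the function name and severity labels are our own.

```shell
#!/bin/sh
# Added example: audit an RMAN backup destination for wallet files.
# Assumption: standard Oracle wallet file names.
#   ewallet.p12 - password-protected wallet
#   cwallet.sso - auto-login wallet (opens without a password)

# audit_backup_dir DIR
# Prints one line per wallet file found under DIR: "<SEVERITY> <path>".
# Returns 0 if the tree is clean, 1 if any wallet file is present,
# 2 if DIR is not a directory.
audit_backup_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "ERROR not a directory: $dir" >&2; return 2; }

    findings=$(find "$dir" -type f \
            \( -name 'ewallet.p12' -o -name 'cwallet.sso' \) 2>/dev/null |
        while IFS= read -r f; do
            case "$f" in
                # Auto-login wallet beside the backups: anyone holding the
                # copy can open it and decrypt the backup sets.
                */cwallet.sso) echo "CRITICAL $f" ;;
                # Password-protected wallet: the key still travels with
                # the backups and is only as strong as its password.
                *)             echo "HIGH $f" ;;
            esac
        done)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit_wallet.sh /backup/rman
if [ $# -gt 0 ]; then
    audit_backup_dir "$1"
fi
```

Run it against every location the backup pieces are copied to (staging disks, tape staging areas, off-site sync directories), and keep the wallet copy on separate, access-controlled storage.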
