Oracle Transparent encryption can help with creating and restoring encrypted RMAN backups with no DBA intervention, as long as the required Oracle key management infrastructure is available.
Transparent encryption is best suited for day-to-day backup operations, where backups will be restored to the same database that they were backed up from. Transparent encryption is the default mode for RMAN encryption.
When using transparent encryption, you must first configure the Oracle Encryption Wallet. After the Oracle Encryption Wallet is configured, encrypted backups can be created and restored with no further DBA intervention.
1. Create a directory named wallet under $ORACLE_BASE/admin/$ORACLE_SID:
$ mkdir -p $ORACLE_BASE/admin/$ORACLE_SID/wallet
2. To avoid "ORA-28368: cannot auto-create wallet", append this line to the sqlnet.ora file. This should allow multiple databases to share a single Oracle home: each database has its own wallet but shares the same sqlnet.ora.
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=$ORACLE_BASE/admin/$ORACLE_SID/wallet)))
3. Create and open the wallet using sqlplus:
SQL> alter system set encryption key identified by "Passwd";
4. Configure the encryption algorithm (this step is optional):
RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES256';
5. Configure encrypted backups using the configure command:
RMAN> configure encryption for database on;
6. Back up the database (the backup files should be encrypted):
RMAN> backup database;
Note #1: V$ENCRYPTION_WALLET displays information on the status of the wallet and the wallet location for transparent data encryption.
SQL> set linesize 200
SQL> COLUMN STATUS FORMAT A15
SQL> COLUMN WRL_PARAMETER FORMAT A55
SQL> select STATUS, WRL_PARAMETER
     from V$ENCRYPTION_WALLET;

STATUS          WRL_PARAMETER
--------------- -------------------------------------------------------
CLOSED          /u01/oracle/admin/testdb/wallet
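Note #2: Use the orapki utility to make the wallet auto-login. An auto-login wallet opens without a password, so keep the wallet directory readable only by the Oracle software owner.
$ orapki wallet create -wallet /u01/oracle/admin/testdb/wallet -pwd "newPassword" -auto_login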
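A pre-flight check for the wallet set up in the steps and notes above, as an added example that is not part of the original post: it verifies the wallet directory permissions, the presence of the wallet file, the auto-login copy from Note #2, and the sqlnet.ora entry from step 2. The function name audit_wallet and its two arguments are assumptions; ewallet.p12 and cwallet.sso are the standard Oracle wallet file names.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Oracle wallet
# directory used for RMAN transparent encryption.
# Prints one finding per line; returns the number of FAIL findings (0 = clean).
audit_wallet() {
    wallet_dir=$1   # e.g. $ORACLE_BASE/admin/$ORACLE_SID/wallet
    sqlnet_ora=$2   # path to sqlnet.ora, supplied by the caller (assumption)
    fails=0

    if [ ! -d "$wallet_dir" ]; then
        echo "FAIL wallet directory missing: $wallet_dir"
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld "$wallet_dir" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL wallet directory is accessible to group/other ($mode)"
        fails=$((fails + 1))
    fi

    # ewallet.p12 is the password-protected wallet created in step 3.
    if [ ! -f "$wallet_dir/ewallet.p12" ]; then
        echo "FAIL ewallet.p12 not found (wallet not created yet)"
        fails=$((fails + 1))
    fi

    # cwallet.sso is the auto-login copy from Note #2: it needs no password,
    # so anyone who can read the file can open the wallet.
    if [ -f "$wallet_dir/cwallet.sso" ]; then
        echo "WARN auto-login wallet present: file access alone opens it"
    fi

    # Step 2: the wallet location must be declared in sqlnet.ora.
    if ! grep -q '^[[:space:]]*ENCRYPTION_WALLET_LOCATION' "$sqlnet_ora" 2>/dev/null; then
        echo "FAIL ENCRYPTION_WALLET_LOCATION not set in $sqlnet_ora"
        fails=$((fails + 1))
    fi

    return "$fails"
}
```

Call it as audit_wallet "$ORACLE_BASE/admin/$ORACLE_SID/wallet" /path/to/sqlnet.ora before scheduling backups; a nonzero return means at least one FAIL line was printed.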
Available Encryption Algorithms:
AES128
AES192
AES256
License:
In order to create encrypted backups on disk you must install Advanced Security Option (ASO).
NOTE: Enterprise Edition is required by ASO.
For more information see:
I hope this helps.
Please feel free to leave your questions or suggest improvements to this section.