Friday, September 25, 2015

Creating Encrypted RMAN Backups and Recovery

NOTE: CHECK THE DEFAULT ENCRYPTION ALGORITHM

TO CHANGE IT:

RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES192';

RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES256';


RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES128';

old RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM 'AES192';
new RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM 'AES128';
new RMAN configuration parameters are successfully stored

RMAN>  CONFIGURE ENCRYPTION ALGORITHM clear;

old RMAN configuration parameters:

CONFIGURE ENCRYPTION ALGORITHM 'AES128';
RMAN configuration parameters are successfully reset to default value

RMAN> 

new RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM 'AES192';
new RMAN configuration parameters are successfully stored

RMAN> CONFIGURE ENCRYPTION ALGORITHM CLEAR;

old RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM 'AES192';
RMAN configuration parameters are successfully reset to default value

Creating Encrypted RMAN Backups and Recovery

It is very simple to restore a database from an RMAN backup using simple commands. If someone has stolen the backup of the database, they can easily restore it and steal all our data, too. To prevent that from happening, encrypt the backup that has been made. The list of RMAN encryption algorithms can be obtained by querying the v$rman_encryption_algorithms view:
SQL> set line 200

SQL> select algorithm_id, algorithm_name, algorithm_description, is_default
     from v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME ALGORITHM_DESCRIPTION IS_DEFAULT
------------ -------------- --------------------- ----------
           1 AES128         AES 128-bit key       YES
           2 AES192         AES 192-bit key       NO
           3 AES256         AES 256-bit key       NO
SQL>
There are three forms of encryption in Oracle 10g: transparent, password and dual mode.
  • To use transparent mode encryption, Oracle Encryption Wallet should be used.
  • To use password mode, the DBA should provide a password, which will be used in encryption.
  • Dual mode encryption uses both of the above modes.
In the following example, we show how to use password mode to encrypt our backup. Use the set encryption on command, supplying the password with the identified by clause, to encrypt the backups taken in this session. Add the only keyword at the end to use password encryption alone. If the only keyword is omitted, RMAN uses dual mode encryption and requires the Oracle Encryption Wallet to be present as well.

RMAN> set encryption algorithm 'AES192';

RMAN> set encryption on identified by 'oracle' only;
Back up the users tablespace:
RMAN> backup tablespace users;
Now try to restore it:
RMAN> restore tablespace users;
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
As this shows, an encrypted backup cannot be restored without the password. In this situation, if someone has stolen our backup, they will not be able to restore it and steal our data without providing the correct password. Now provide the password and restore the backup:
RMAN> set decryption identified by 'oracle';
RMAN> restore tablespace users;

RMAN> recover database;
With the password, the tablespace is restored successfully. If we provide a wrong password, the backup is not restored:
RMAN> set decryption identified by 'wrong'; #wrong password
RMAN> restore tablespace users;
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
RMAN>
By default, RMAN uses the AES 128-bit key algorithm for encryption.  The algorithm can be easily changed using the configure encryption algorithm command as follows:
RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES128'; #default

RMAN> configure encryption algorithm 'AES256';
new RMAN configuration parameters:
configure encryption algorithm 'AES256';
new RMAN configuration parameters are successfully stored

RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES256';
At any time, this configuration can be cleared to return the encryption algorithm to its default value, as follows:
RMAN> configure encryption algorithm clear;

old RMAN configuration parameters:
configure encryption algorithm 'AES256';
RMAN configuration parameters are successfully reset to default value

RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES128'; # default
RMAN>
To use Oracle Encryption Wallet, we need to configure RMAN to perform an encrypted backup of any tablespace or the whole database automatically. For this, use the configure encryption for command. In the following example, we configure RMAN to create an encrypted backup of the database and exclude the users tablespace from encryption:
RMAN> show all;
RMAN configuration parameters are:
configure encryption for database off; # default
configure encryption algorithm 'AES128'; # default

RMAN> configure encryption for database on;
new RMAN configuration parameters:
configure encryption for database on;
new RMAN configuration parameters are successfully stored

RMAN> configure encryption for tablespace users off;
tablespace users will not be encrypted in future backup sets
new RMAN configuration parameters are successfully stored

RMAN> show all;
RMAN configuration parameters are:
configure encryption for database on;
configure encryption algorithm 'AES128'; # default
configure encryption for tablespace 'users' off;
To return to the default value, clear the encryption configuration parameter:
RMAN> configure encryption for database clear;
old RMAN configuration parameters:
configure encryption for database on;
RMAN configuration parameters are successfully reset to default value 

RMAN> configure encryption for tablespace users clear;
tablespace users will default to database encryption configuration
old RMAN configuration parameters are successfully deleted

RMAN> show all;
RMAN configuration parameters are:
configure encryption for database off; # default
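
The show all listings above can be checked mechanically, so that a disabled setting or an excluded tablespace is caught before unencrypted backup sets are written. The script below is an added example, not part of the original post; the function name audit_rman_encryption, the policy it enforces and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads RMAN "show all" output on
# stdin and checks it against an assumed policy: database encryption on, no
# tablespace excluded, AES key size >= $1 (default 128).
audit_rman_encryption() {
    awk -v min="${1:-128}" -v q="'" '
        { line = tolower($0) }
        # Only stored settings count, not echoed "RMAN> ..." commands.
        line !~ /^[ \t]*configure encryption / { next }
        line ~ /for database/ { db = (line ~ /database on;/) ? "on" : "off" }
        line ~ /for tablespace/ && line ~ / off;/ {
            name = $5; gsub(q, "", name)   # the name may be quoted
            excluded = excluded " " name
        }
        line ~ /encryption algorithm/ && match(line, /aes[0-9]+/) {
            bits = substr(line, RSTART + 3, RLENGTH - 3) + 0
        }
        END {
            fails = 0
            if (db == "on") print "OK database encryption is on"
            else { print "FAIL database encryption is off"; fails++ }
            if (excluded != "") {
                print "FAIL tablespaces excluded from encryption:" excluded
                fails++
            }
            if (bits == 0) { print "FAIL no encryption algorithm line found"; fails++ }
            else if (bits < min) {
                print "FAIL algorithm AES" bits " is below required AES" min
                fails++
            } else print "OK algorithm AES" bits
            exit (fails > 0)
        }
    '
}

# Constructed sample: the settings the post ends up with after excluding users.
SAMPLE_SHOW_ALL="RMAN configuration parameters are:
configure encryption for database on;
configure encryption algorithm 'AES128'; # default
configure encryption for tablespace 'users' off;"

printf '%s\n' "$SAMPLE_SHOW_ALL" | audit_rman_encryption 256 ||
    echo "policy violations found"
```

On a database host the input would come from an RMAN session running show all rather than from the constructed sample.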

