Tips and wisdom from 15 years of DBA experience

Saturday, September 11, 2010

Set up RMAN Encryption

This example sets up transparent data encryption (TDE) for RMAN backups. The documentation makes RMAN encryption confusing to set up, because you first need to learn about Oracle Wallets. I will spare you the details and instead just give you the steps you need to take to make TDE work for RMAN. This method has been tested on 10gR2, but will probably work on 11g as well.

1. Add the following to sqlnet.ora on the host that you are backing up:
ENCRYPTION_WALLET_LOCATION =
(SOURCE = 
    (METHOD = FILE)
    (METHOD_DATA =
        (DIRECTORY = /super/secure/location)
    )
)

2. Log into the database you want to back up and issue:
alter system set encryption key identified by "Super_secure_password";

(Note that the password is case-sensitive. You will not have to enter this password to back up or restore, but you will need it to open the wallet.)

3. Verify that the wallet is open:
select * from v$encryption_wallet;

Note that when you bounce the instance, you will need to re-open the wallet with this command:
alter system set encryption wallet open identified by "Super_secure_password";

4. Configure RMAN:
$ rman target /
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored

RMAN>

You can also change the default algorithm (AES128) that Oracle uses for the encryption with CONFIGURE ENCRYPTION ALGORITHM 'new algorithm';

5. That's it! Now just perform your backups as usual.
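The wallet you created in steps 1 to 3 holds the master key for every encrypted backup, so the directory named in sqlnet.ora deserves a check of its own: it must exist, contain the wallet, and be readable by the Oracle software owner only. The script below is an added example, not part of the original post. It reads the DIRECTORY value out of the ENCRYPTION_WALLET_LOCATION block of a sqlnet.ora file and inspects that directory. The wallet file name ewallet.p12 is the name Oracle uses for an encryption wallet; the file paths and the sqlnet.ora used when running it are assumptions or constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the wallet directory from
# the ENCRYPTION_WALLET_LOCATION entry in a sqlnet.ora and checks that the
# directory exists, holds a wallet (ewallet.p12, Oracle's wallet file name)
# and carries no group/other permission bits. Paths are constructed samples.

# wallet_dir_from_sqlnet SQLNET_ORA
# Prints the DIRECTORY value from the ENCRYPTION_WALLET_LOCATION block.
wallet_dir_from_sqlnet() {
    awk '
        /ENCRYPTION_WALLET_LOCATION/ { inblock = 1 }
        inblock && /DIRECTORY *=/ {
            sub(/.*DIRECTORY *= */, "")   # drop everything up to the value
            sub(/[) ].*/, "")             # drop the closing paren and the rest
            print
            exit
        }
    ' "$1"
}

# check_wallet_dir DIR
# Returns 0 when DIR exists, contains ewallet.p12 and is mode ?00 (no bits
# set for group or others); returns 1 and prints the reason otherwise.
check_wallet_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing wallet directory: $dir"; return 1
    fi
    if [ ! -f "$dir/ewallet.p12" ]; then
        echo "no ewallet.p12 in $dir (has the encryption key been set?)"; return 1
    fi
    # columns 5-10 of ls -ld are the group and other permission characters
    mode=$(ls -ld "$dir" | cut -c5-10)
    case $mode in
        *[rwx]*)
            echo "wallet directory $dir is group/world accessible ($mode)"; return 1 ;;
    esac
    echo "wallet directory $dir OK"
    return 0
}

# audit_wallet_from_sqlnet SQLNET_ORA
# Ties the two together: locate the wallet directory, then check it.
audit_wallet_from_sqlnet() {
    dir=$(wallet_dir_from_sqlnet "$1")
    if [ -z "$dir" ]; then
        echo "no ENCRYPTION_WALLET_LOCATION found in $1"; return 1
    fi
    check_wallet_dir "$dir"
}

# usage on a real host (assumed default sqlnet.ora location):
#   audit_wallet_from_sqlnet "$ORACLE_HOME/network/admin/sqlnet.ora"
```

The check deliberately fails when ewallet.p12 is absent, because that is exactly the state after step 1 and before step 2; run it once the encryption key has been set and the wallet has been created.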

6. Verify that the encryption is working:
  • Perform a full backup (with or without encryption)
  • Create a test table and insert a row with a string you can easily grep for, like SuperDuperSecret or something
  • Perform an incremental backup without encryption on.
  • Do hexdump -C <backup piece> | grep SuperDuperSecret on each incremental backup piece. You should get a hit.
  • Insert a second row into the table with a different string like MoreSuperDuperSecret
  • Turn on encryption
  • Perform a backup
  • Do hexdump -C <backup piece> | grep MoreSuperDuperSecret on each incremental backup piece. You should not be able to find that string. Voila!
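The same verification, scripted so it can be run over every piece of a backup set at once. This is an added example, not part of the original post; the directory and file names are constructed samples. It searches the raw bytes with grep -a rather than through hexdump -C, because hexdump prints its ASCII column in rows of 16 bytes and grep on that output only matches a marker that lies entirely within one row: a 20-byte marker like MoreSuperDuperSecret can never match there, and a 16-byte one only matches when it happens to start on a 16-byte boundary, which would look like a false "encrypted" result.

```shell
#!/bin/sh
# Added example, not from the original post: search backup pieces for a marker
# string in cleartext. Directory and file names are constructed samples.
# grep -a reads the raw bytes directly; "hexdump -C | grep" only matches a
# marker that falls entirely inside one 16-byte row of hexdump output.

# scan_pieces_for_marker MARKER FILE...
# Prints each file containing MARKER in cleartext; returns 0 if any file did
# (encryption is NOT protecting that data), 1 if none did.
scan_pieces_for_marker() {
    marker=$1
    shift
    hits=0
    for piece in "$@"; do
        [ -f "$piece" ] || continue
        if grep -a -q -- "$marker" "$piece"; then
            echo "CLEARTEXT: $marker found in $piece"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# make_sample_pieces DIR
# Writes two constructed stand-ins for backup pieces into DIR:
#   unenc_1.bkp - the marker embedded between runs of non-text bytes, at an
#                 offset (37) that is not 16-byte aligned
#   enc_1.bkp   - filler with no marker, standing in for an encrypted piece
make_sample_pieces() {
    dir=$1
    mkdir -p "$dir"
    { head -c 37 /dev/zero; printf 'MoreSuperDuperSecret'; head -c 64 /dev/zero; } > "$dir/unenc_1.bkp"
    yes 'q7Z!k' | head -c 128 > "$dir/enc_1.bkp"
}

# usage against real pieces, e.g. (assumed backup location):
#   scan_pieces_for_marker MoreSuperDuperSecret /backup/location/*.bkp
```

A hit on a piece taken after CONFIGURE ENCRYPTION FOR DATABASE ON means that piece was written without encryption; a clean run over pieces taken before turning it on means the marker was not found for some other reason (wrong pieces, row not yet backed up), so check both cases as the steps above do.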
