Expert Oracle Tips by Burleson Consulting
March 25, 2012
Creating Encrypted RMAN Backups and Recovery
Restoring a database from a backup created by RMAN takes only a few simple
commands. If someone steals the backup of the database, they can just as easily
restore it and steal all our data, too. To prevent that from happening, encrypt
the backup. Querying the v$rman_encryption_algorithms view returns the list of
RMAN encryption algorithms:
SQL> select algorithm_id, algorithm_name, algorithm_description, is_default
     from v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME ALGORITHM_DESCRIPTION IS_DEFAULT
------------ -------------- --------------------- ----------
           1 AES128         AES 128-bit key       YES
           2 AES192         AES 192-bit key       NO
           3 AES256         AES 256-bit key       NO

SQL>
There are three forms of encryption in Oracle 10g: transparent, password and dual
mode.
To use transparent mode encryption, Oracle Encryption Wallet should be used.
To use password mode, a password should be provided by the DBA, which will be used in encryption.
By using dual mode encryption, both of the above-mentioned modes will be used.
In the following example, we will show how to use password mode to encrypt our
backup. Use the set encryption on command, supplying the password with the
identified by clause, to encrypt the backups taken in this session. Add the only
keyword at the end to use only password encryption. If the only keyword is
omitted, RMAN uses dual mode encryption and demands the presence of Oracle
Encryption Wallet, too.
RMAN> set encryption on identified by 'test' only;
Back up the users tablespace:
RMAN> backup tablespace users;
Now try to restore it:
RMAN> restore tablespace users;
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
As this shows, it is impossible to restore an encrypted backup without using
the password. In this situation, if someone has stolen our backup, they will not be
able to restore it and steal our data without providing the correct password.
Now provide the password and restore the backup:
RMAN> set decryption identified by 'test';
RMAN> restore tablespace users;

Using the password, the tablespace is restored successfully. If we provide a wrong password, it will not restore the backup:

RMAN> set decryption identified by 'wrong'; #wrong password
RMAN> restore tablespace users;
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
RMAN>

By default, RMAN uses the AES 128-bit key algorithm for encryption. The algorithm can be easily changed using the configure encryption algorithm command as follows:

RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES128'; #default
RMAN> configure encryption algorithm 'AES256';
new RMAN configuration parameters:
configure encryption algorithm 'AES256';
new RMAN configuration parameters are successfully stored
RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES256';

Again, anytime this configuration is cleared, the encryption algorithm can be returned to its default value as follows:

RMAN> configure encryption algorithm clear;
old RMAN configuration parameters:
configure encryption algorithm 'AES256';
RMAN configuration parameters are successfully reset to default value
RMAN> show encryption algorithm;
RMAN configuration parameters are:
configure encryption algorithm 'AES128'; # default
RMAN>

To use Oracle Encryption Wallet, we need to configure RMAN to perform an encrypted backup of any tablespace or the whole database automatically. For this, use the configure encryption for command. In the following example, we configure RMAN to create an encrypted backup of the database and exclude the users tablespace from encryption:

RMAN> show all;
RMAN configuration parameters are:
configure encryption for database off; # default
configure encryption algorithm 'AES128'; # default
RMAN> configure encryption for database on;
new RMAN configuration parameters:
configure encryption for database on;
new RMAN configuration parameters are successfully stored
RMAN> configure encryption for tablespace users off;
tablespace users will not be encrypted in future backup sets
new RMAN configuration parameters are successfully stored
RMAN> show all;
RMAN configuration parameters are:
configure encryption for database on;
configure encryption algorithm 'AES128'; # default
configure encryption for tablespace 'users' off;

To return to the default value, clear the encryption configuration parameter:

RMAN> configure encryption for database clear;

old RMAN configuration parameters:
configure encryption for database on;
RMAN configuration parameters are successfully reset to default value
RMAN> configure encryption for tablespace users clear;
tablespace users will default to database encryption configuration
old RMAN configuration parameters are successfully deleted
RMAN> show all;
RMAN configuration parameters are:
configure encryption for database off; # default
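
An added example, not part of the original article: a bash function that reads RMAN show all output and reports what the persistent encryption configuration leaves unencrypted, such as the users tablespace excluded above. The function name, the output keys and the sample text (constructed from the configuration lines shown in this article) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit the encryption lines of RMAN "show all" output.
# SAMPLE_SHOW_ALL is constructed from the configuration shown in the article.
SAMPLE_SHOW_ALL="RMAN configuration parameters are:
configure encryption for database on;
configure encryption algorithm 'AES128'; # default
configure encryption for tablespace 'users' off;"

# audit_rman_encryption (hypothetical helper): reads "show all" output on
# stdin and prints one key=value line per setting or finding.
audit_rman_encryption() {
  awk -v q="'" '
    BEGIN { db = "off"; algo = "AES128"; n_ts = 0 }  # defaults per the article
    {
      line = tolower($0)
      sub(/#.*/, "", line)            # drop the trailing "# default" marker
      gsub("[;" q "]", "", line)      # drop semicolons and single quotes
      nf = split(line, f)
      # Only persistent "configure encryption ..." lines are relevant;
      # prompts, banners and status messages are skipped.
      if (nf < 4 || f[1] != "configure" || f[2] != "encryption") next
      if (f[3] == "algorithm") {
        algo = toupper(f[4])
      } else if (f[3] == "for" && f[4] == "database" && nf >= 5) {
        db = f[5]
      } else if (f[3] == "for" && f[4] == "tablespace" && nf >= 6) {
        if (!(f[5] in ts)) order[++n_ts] = f[5]   # keep first-seen order
        ts[f[5]] = f[6]
      }
    }
    END {
      print "database_encryption=" db
      print "algorithm=" algo
      enc = 0
      for (i = 1; i <= n_ts; i++) {
        name = order[i]
        # A tablespace setting overrides the database-wide setting.
        if (db == "on" && ts[name] == "off") print "unencrypted_tablespace=" name
        if (db == "off" && ts[name] == "on") { print "encrypted_tablespace=" name; enc++ }
      }
      if (db == "off" && enc == 0) print "finding=no backup is encrypted by configuration"
    }
  '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SHOW_ALL" | audit_rman_encryption
```

The report covers only the persistent configure settings; a session-level set encryption on command, as used in the password-mode example, does not appear in show all.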

Burleson Consulting

The Oracle of Database Support

Copyright © 1996 - 2014

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.