Oracle® Database Backup and Recovery Advanced User's Guide
10g Release 2 (10.2)

Part Number B14191-01

RMAN Encrypted Backups

For improved security, RMAN backups created as backup sets can be encrypted. Encrypted backups cannot be read if they are obtained by unauthorized people.

Any RMAN backups as backup sets can be encrypted. However, image copy backups cannot be encrypted.

Encrypted backups are decrypted automatically during restore and recover operations, as long as the required decryption keys are available, by means of either a user-supplied password or the Oracle Encryption Wallet.

To use RMAN encryption, the COMPATIBLE initialization parameter at the target database must be set to at least 10.2.0.

When the BACKUP BACKUPSET command is used with encrypted backup sets, the backup sets are backed up in their encrypted form. Because BACKUP BACKUPSET just copies an already-encrypted backup set to disk or tape, no decryption key is needed during a BACKUP BACKUPSET operation, and the data is never decrypted during any part of the operation. The BACKUP BACKUPSET command can neither encrypt nor decrypt backup sets.

If some columns in the database are encrypted using Transparent Data Encryption, and those columns are backed up using backup encryption, then those columns will be encrypted a second time during the backup. When the backup sets are decrypted during a restore, the encrypted columns are returned to their original encrypted form.

The V$RMAN_ENCRYPTION_ALGORITHMS view contains a list of encryption algorithms supported by RMAN. If no encryption algorithm is specified, the default encryption algorithm is 128-bit AES.

RMAN Backup Encryption Modes

RMAN offers three encryption modes: transparent mode, password mode, and dual mode.


Note:

Both transparent mode and dual mode depend upon the Oracle Encryption Wallet. See Oracle Database Advanced Security Administrator's Guide for details about configuring the Oracle Encryption Wallet.

Transparent Encryption of Backups

Transparent encryption can create and restore encrypted backups with no DBA intervention, as long as the required Oracle key management infrastructure is available. Transparent encryption is best suited for day-to-day backup operations, where backups will be restored at the same database that they were backed up from. Transparent encryption is the default mode for RMAN encryption.

When using transparent encryption, you must first configure the Oracle Encryption Wallet, as described in the documentation for Oracle's Transparent Data Encryption feature. After the Oracle Encryption Wallet is configured, encrypted backups can be created and restored with no further DBA intervention.


Note:

Because the Oracle key management infrastructure archives all previous master keys in the Oracle Encryption Wallet, changing or resetting the current database master key will not affect your ability to restore encrypted backups performed using an older master key. You may reset the database master key at any time, and RMAN will always be able to restore all encrypted backups that were ever created by this database.

Transparent backup encryption supports both the encrypted and autologin forms of the Oracle Encryption Wallet. When using the encrypted wallet, the wallet must be opened before any backup encryption operations, either backups or restores, can be done. When using the autologin wallet, encrypted backup operations can be done at any time, because the autologin wallet is always open.


Caution:

If you use an autologin wallet, do not back up the autologin wallet along with your encrypted backup data, because anybody will be able to read the encrypted backups if they obtain both the backups and the autologin wallet. It is safe to back up the encrypted wallet, because that form of the wallet cannot be used without the wallet password.


Caution:

If you lose your Oracle Encryption Wallet then you will be unable to restore any transparently-encrypted backups.

Password Encryption of Backups

Password encryption requires that the DBA provide a password when creating and restoring encrypted backups. Restoring a password-encrypted backup requires the same password that was used to create the backup. Password encryption is useful for backups that will be restored at remote locations, but which must remain secure in transit. Password encryption cannot be persistently configured. The Oracle Encryption Wallet need not be configured if password encryption is to be used exclusively.


Caution:

If you forget, or lose, the password that you used to encrypt a password-encrypted backup, you will be unable to restore that backup.

To use password encryption, use the SET ENCRYPTION ON IDENTIFIED BY password ONLY command in your RMAN scripts.

Dual Mode Encryption of Backups

Dual-mode encrypted backups can be restored either transparently or by specifying a password. Dual-mode encrypted backups are useful when you create backups that are normally restored on-site using the Oracle Encryption Wallet, but which occasionally need to be restored off-site, where the Oracle Encryption Wallet is not available.

When restoring a dual-mode encrypted backup, you can use either the Oracle Encryption Wallet or a password for decryption.


Caution:

If you forget, or lose, the password that you used to encrypt a dual-mode encrypted backup and you also lose your Oracle Encryption Wallet, then you will be unable to restore that backup.

To create dual-mode encrypted backup sets, specify the SET ENCRYPTION ON IDENTIFIED BY password command in your RMAN scripts.

Using CONFIGURE and SET to Control RMAN Backup Encryption

The CONFIGURE command is used to make persistent settings controlling RMAN encryption of backups, including:

  • Whether to encrypt backups of all database files.

  • Whether to encrypt backups of specific tablespaces.

  • Which algorithm to use for encrypting backups.

The SET ENCRYPTION command is used to:

  • Override the encryption settings specified by the CONFIGURE ENCRYPTION command. For example, you can use SET ENCRYPTION OFF to create an unencrypted backup, even though your database is configured to create encrypted backups.

  • Set a password for backup encryption, persisting until the RMAN client exits. Due to the sensitive nature of passwords, RMAN does not allow configuration of passwords that persist between RMAN sessions.

If you wish to modify your existing backup environment so that all RMAN backups are encrypted, perform the following steps:

  • Set up the Oracle Encryption Wallet

  • Issue the following RMAN command:

    RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON
    
    

After these steps, all RMAN backup sets created by this database will be encrypted, unless you explicitly override this behavior for an RMAN session with:

RMAN> SET ENCRYPTION OFF

Encryption of backup sets remains in effect until you issue the SET ENCRYPTION OFF command during an RMAN session, or change the persistent setting again with:

RMAN> CONFIGURE ENCRYPTION FOR DATABASE OFF
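
The three encryption modes and the interplay of CONFIGURE and SET described above, written as one RMAN command file. This is an added example, not part of the Oracle guide; the tablespace name users and both passwords are placeholders, and it assumes the Oracle Encryption Wallet is already configured and open.

```rman
# Added example (not from the Oracle guide). Tablespace name and
# passwords are constructed placeholders.

# Persistent settings: these survive across RMAN sessions.
# The algorithm name must be one listed in V$RMAN_ENCRYPTION_ALGORITHMS.
CONFIGURE ENCRYPTION ALGORITHM 'AES256';
CONFIGURE ENCRYPTION FOR DATABASE ON;
SHOW ALL;    # confirm the encryption lines now appear in the configuration

# 1. Transparent mode (the default): keys come from the wallet only.
#    Archived log backup sets are encrypted too, because encryption
#    is configured for the whole database.
BACKUP DATABASE PLUS ARCHIVELOG;

# 2. Dual mode: restorable with EITHER the wallet OR this password.
#    The password lasts only until this RMAN client exits.
SET ENCRYPTION ON IDENTIFIED BY placeholder_dual_pw;
BACKUP TABLESPACE users;

# 3. Password mode: ONLY makes the password the sole way to restore.
#    The wallet is not used, so this backup can travel off-site
#    without the wallet ever leaving the primary site.
SET ENCRYPTION ON IDENTIFIED BY placeholder_offsite_pw ONLY;
BACKUP TABLESPACE users;

# Session-level override: backups from here on in this session are
# NOT encrypted, although the persistent configuration still says ON.
SET ENCRYPTION OFF;
BACKUP TABLESPACE users;
```

A command file like this holds the passwords in clear text, so restrict its file permissions or type the SET ENCRYPTION lines interactively.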

Creating Encrypted Backups

The BACKUP command arguments do not change for creating encrypted backups. Encryption is performed based on the encryption settings specified with CONFIGURE ENCRYPTION or SET ENCRYPTION. Any backup to backup sets is encrypted with the specified settings.

Oracle uses a new encryption key for every encrypted backup. The backup encryption key is then encrypted with either the password, the database master key, or both, depending on the chosen encryption mode. Individual backup encryption keys or passwords are never stored in the clear.

Restoring Data from Encrypted Backups

RMAN automatically decrypts backup sets when their contents are restored. Transparently encrypted backups require no intervention to restore, as long as the Oracle Encryption Wallet is open and available. Password encrypted backups require the correct password to be entered before they can be restored.

You must enter the encryption password using the SET DECRYPTION command. Restore passwords cannot be persistently configured. If restoring from a set of backups that were created with different passwords, then specify all of the required passwords on the SET DECRYPTION command. RMAN will automatically use the correct password with each backup set.
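
Restoring from backup sets that were created with different passwords, as described above. This is an added example, not part of the Oracle guide; the tablespace name users and both passwords are placeholders.

```rman
# Added example (not from the Oracle guide). Passwords and tablespace
# name are constructed placeholders.

# List every password that any of the needed backup sets may have been
# created with. RMAN picks the one that fits each backup set.
# Like SET ENCRYPTION, this lasts only for the current RMAN session.
SET DECRYPTION IDENTIFIED BY placeholder_pw_old, placeholder_pw_new;

# Read the backup sets without writing any datafiles. Running this as a
# routine restore drill shows whether the passwords (or the wallet) held
# at this site are sufficient before a real restore is needed.
RESTORE TABLESPACE users VALIDATE;

# The actual restore and recovery of the tablespace.
RUN {
  SQL 'ALTER TABLESPACE users OFFLINE IMMEDIATE';
  RESTORE TABLESPACE users;
  RECOVER TABLESPACE users;
  SQL 'ALTER TABLESPACE users ONLINE';
}
```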

Encryption of Archived Log Backups

There is no persistent configuration that controls whether archived log backups as backup sets are encrypted. Backup sets containing archived logs are encrypted if any of the following are true:

  • SET ENCRYPTION ON is in effect at the time that the archive log backup is being created.

  • Encryption is configured for backups of the whole database or at least one tablespace.

This behavior ensures that the redo associated with any encrypted backup of a datafile is also encrypted.

Performance Impact of Encrypting RMAN Backups

Encryption can have a negative effect upon backup performance. Because encrypted backups will use more CPU resource than non-encrypted backups, you can improve performance of encrypted backups by using more RMAN channels.