Encrypting RMAN backups is mandatory if you want to back up your database into the Oracle cloud. In Oracle 12c, you have three methods available to encrypt an Oracle RMAN backup:
- with a passphrase
- with a master encryption key
- hybrid with a passphrase and an encryption key
On docs.oracle.com, the basic setup is described here: https://docs.oracle.com/en/cloud/paas/db-backup-cloud/csdbb/configuring-encryption-backups.html#GUID-4A1F5CF5-7EAF-4D71-9B7F-B46412F552CE
In this blog post, I show you how to configure your database environment with a master encryption key and a keystore. I use this setup for backup and recovery into and from the Oracle cloud, because in the cloud I don't want to type in passwords manually for every action or write passwords into backup and restore scripts.
There are also some known issues, such as the one described in My Oracle Support note TDE Wallet Problem in 12c: Cannot do a Set Key operation when an auto-login wallet is present (Doc ID 1944507.1).
Here are the steps to create an auto-login wallet.
Configure SQLNET.ora in $TNS_ADMIN to use a Keystore
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u00/app/oracle/network/wallet)
    )
  )
Create Keystore as SYSDBA
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u00/app/oracle/tde_wallet' IDENTIFIED BY "my#wallet18";
Open Keystore
SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "my#wallet18";
The status is set to OPEN_NO_MASTER_KEY.
SQL> SELECT wrl_parameter, wallet_type, status
  2  FROM v$encryption_wallet;

WRL_PARAMETER                       WALLET_TYPE     STATUS
----------------------------------- --------------- --------------------
/u00/app/oracle/tde_wallet/         PASSWORD        OPEN_NO_MASTER_KEY
Set Master Key
Now the master key has to be defined. If you created a wallet earlier and deleted its keys, you must set the undocumented parameter _db_discard_lost_masterkey before you can set the master key again; it works for the initial setup here as well. Otherwise you get the error ORA-28374: typed master key not found in wallet. See Master Note For Transparent Data Encryption ( TDE ) (Doc ID 1228046.1) for further information.
SQL> ALTER SYSTEM SET "_db_discard_lost_masterkey"=true;
SQL> ADMINISTER KEY MANAGEMENT SET KEY FORCE KEYSTORE IDENTIFIED BY "my#wallet18" WITH BACKUP USING 'master_key_1';
Now the status is set to OPEN.
SQL> SELECT wrl_parameter, wallet_type, status
  2  FROM v$encryption_wallet;

WRL_PARAMETER                       WALLET_TYPE     STATUS
----------------------------------- --------------- --------------------
/u00/app/oracle/tde_wallet/         PASSWORD        OPEN
Activate Auto Login
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u00/app/oracle/tde_wallet' IDENTIFIED BY "my#wallet18";
Restart the Database
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP
Verify that the keystore is available and that WALLET_TYPE is now AUTOLOGIN.
SQL> SELECT wrl_parameter, wallet_type, status
  2  FROM v$encryption_wallet;

WRL_PARAMETER                       WALLET_TYPE     STATUS
----------------------------------- --------------- --------------------
/u00/app/oracle/tde_wallet/         AUTOLOGIN       OPEN
Configure RMAN for Encryption
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
RMAN Backup Test
A simple RMAN controlfile backup into the Oracle cloud (the OPC Backup Module is already configured).
RUN {
  allocate channel t1 type 'sbt_tape'
    parms='SBT_LIBRARY=libopc.so, SBT_PARMS=(OPC_PFILE=/u00/app/oracle/admin/OCIDB01/opc_config/opcOCIDB01.ora)';
  backup current controlfile;
  release channel t1;
}
This is the error message you get when backing up into the Oracle cloud while encryption is not configured correctly (here, the wallet is not open):
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on t1 channel at 08/27/2018 18:48:27
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open
Backup Verification in V$BACKUP_PIECE – Column ENCRYPTED
SQL> SELECT start_time, handle, substr(media,1,30), encrypted
  2  FROM v$backup_piece;

START_TIME         HANDLE                                   SUBSTR(MEDIA,1,30)                  ENC
------------------ ---------------------------------------- ----------------------------------- ---
27-AUG-18          c-903044157-20180827-00                  eucom-north-1.stora..orage-tri      YES
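To turn the manual checks above into something a backup job can run unattended, here is an added shell wrapper (my example, not code from the original post): it refuses to start the cloud backup unless v$encryption_wallet reports an open AUTOLOGIN keystore, runs the controlfile backup from the post, and then fails if any new piece in v$backup_piece is not ENCRYPTED=YES. It assumes ORACLE_SID/ORACLE_HOME are set, that `sqlplus -s / as sysdba` and `rman target /` work via OS authentication, and the OPC config path from the post; the sample rows used for testing are constructed.

```shell
# Added example (not from the original post). Assumes ORACLE_SID/ORACLE_HOME are set,
# "sqlplus -s / as sysdba" and "rman target /" work via OS authentication, and the
# OPC config path is the one from the post. Sample inputs used in tests are constructed.
# $1 = WALLET_TYPE, $2 = STATUS from v$encryption_wallet; 0 only for an open auto-login keystore.
wallet_ready() {
  [ "$1" = "AUTOLOGIN" ] && [ "$2" = "OPEN" ]
}

# Prints "WALLET_TYPE STATUS" for the keystore on one line.
query_wallet_state() {
  sqlplus -s / as sysdba <<'EOF'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT wallet_type || ' ' || status FROM v$encryption_wallet;
EOF
}

# Reads "HANDLE ENCRYPTED" lines (as selected from v$backup_piece) on stdin and prints
# every handle that is not ENCRYPTED=YES; returns 1 if any exist, 0 if all are encrypted.
unencrypted_pieces() {
  rc=0
  while read -r handle enc; do
    [ -z "$handle" ] && continue
    if [ "$enc" != "YES" ]; then
      echo "$handle"
      rc=1
    fi
  done
  return "$rc"
}

# Pre-flight check, cloud controlfile backup, then verification of the new pieces.
# Stopping before the backup avoids the ORA-19914 / ORA-28365 failure on the sbt channel.
run_encrypted_backup() {
  set -- $(query_wallet_state)
  if ! wallet_ready "$1" "$2"; then
    echo "keystore not ready (wallet_type=$1 status=$2), backup aborted" >&2
    return 1
  fi
  rman target / <<'EOF' || return 1
RUN {
  ALLOCATE CHANNEL t1 TYPE 'sbt_tape' PARMS='SBT_LIBRARY=libopc.so, SBT_PARMS=(OPC_PFILE=/u00/app/oracle/admin/OCIDB01/opc_config/opcOCIDB01.ora)';
  BACKUP CURRENT CONTROLFILE;
  RELEASE CHANNEL t1;
}
EOF
  sqlplus -s / as sysdba <<'EOF' | unencrypted_pieces
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT handle || ' ' || encrypted FROM v$backup_piece WHERE start_time > SYSDATE - 1/24;
EOF
}
```

Source the file and call `run_encrypted_backup` from the backup job; a non-zero exit means either the keystore was not ready or an unencrypted piece was written, and the offending handles are printed.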
Links
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
http://www.oracle.com/technetwork/database/security/index-095354.html