[20140506]rman encrypted backup.txt

Posted by lfree on 2014-05-06


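--Yesterday I was discussing backup security with someone, and the point came up that we need to prevent anyone who
--gets hold of a backup from extracting data out of it. This morning I took a quick look at how to encrypt backups and ran some simple tests.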

SCOTT@test> @ver

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production


1. First, test the unencrypted case:
RMAN> show ENCRYPTION FOR DATABASE;
RMAN configuration parameters for database with db_unique_name TEST are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

RMAN> backup spfile format '/tmp/spfile%U.bak';
Starting backup at 2014-05-06 09:02:23
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=113 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 2014-05-06 09:02:28
channel ORA_DISK_1: finished piece 1 at 2014-05-06 09:02:29
piece handle=/tmp/spfile05p7jf54_1_1.bak tag=TAG20140506T090227 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 2014-05-06 09:02:29

# strings spfile05p7jf54_1_1.bak | tail -4
*.sessions=400
*.standby_file_management='auto'
*.undo_tablespace='UNDOTBS1'
/u01/app/oracle11g/product/11.2.0/db_2/dbs/spfiletest.ora

--Without encryption, the information inside the backup is visible.


2. Test the encrypted case:
RMAN> set encryption on identified by '123456';
executing command: SET encryption

RMAN> backup spfile format '/tmp/spfile%U.bak';

Starting backup at 2014-05-06 09:05:04
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 2014-05-06 09:05:06
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 05/06/2014 09:05:07
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open

--Creating a wallet is rather a hassle. I looked at the documentation: appending the only parameter at the end lets the backup run.

RMAN> set encryption on identified by '123456' only;
executing command: SET encryption

RMAN> backup spfile format '/tmp/spfile%U.bak';
Starting backup at 2014-05-06 09:06:24
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 2014-05-06 09:06:26
channel ORA_DISK_1: finished piece 1 at 2014-05-06 09:06:27
piece handle=/tmp/spfile07p7jfch_1_1.bak tag=TAG20140506T090625 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:02
Finished backup at 2014-05-06 09:06:27

# strings /tmp/spfile07p7jfch_1_1.bak | tail -4
`thvQb
pFXB#
sq1Ha
tNH4

--As you can see, after encryption the information in the backup is no longer visible.

3. Test how to extract the backup:

RMAN> set decryption identified by '123456';

executing command: SET decryption
using target database control file instead of recovery catalog

RMAN> restore preview spfile from '/tmp/spfile07p7jfch_1_1.bak' ;
Starting restore at 2014-05-06 09:10:55
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=210 device type=DISK

Finished restore at 2014-05-06 09:10:58


RMAN> set decryption identified by 'a23456';
executing command: SET decryption

RMAN> restore preview spfile from '/tmp/spfile07p7jfch_1_1.bak' ;
Starting restore at 2014-05-06 09:11:45
using channel ORA_DISK_1
Finished restore at 2014-05-06 09:11:47

--What? It can be decrypted even with the wrong password? The content should be incorrect, though.

4. Try an actual restore.
RMAN> set decryption identified by 'a23456' ;
executing command: SET decryption
using target database control file instead of recovery catalog

RMAN> restore  spfile to '/tmp/spfilea23456.ora' from '/tmp/spfile07p7jfch_1_1.bak';
Starting restore at 2014-05-06 09:16:06
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=210 device type=DISK
channel ORA_DISK_1: restoring spfile from AUTOBACKUP /tmp/spfile07p7jfch_1_1.bak
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/06/2014 09:16:10
ORA-19870: error while restoring backup piece /tmp/spfile07p7jfch_1_1.bak
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
--?? Does the wallet really have to be opened?

RMAN> set decryption identified by '123456' ;
executing command: SET decryption
using target database control file instead of recovery catalog

RMAN> restore  spfile to '/tmp/spfilea23456.ora' from '/tmp/spfile07p7jfch_1_1.bak';
Starting restore at 2014-05-06 09:17:05
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=210 device type=DISK
channel ORA_DISK_1: restoring spfile from AUTOBACKUP /tmp/spfile07p7jfch_1_1.bak
channel ORA_DISK_1: SPFILE restore from AUTOBACKUP complete
Finished restore at 2014-05-06 09:17:08
--With the correct password, the restore works.

--Check whether the content is correct:
# strings spfilea23456.ora | tail -4
*.remote_login_passwordfile='EXCLUSIVE'
*.sessions=400
*.standby_file_management='auto'
*.undo_tablespace='UNDOTBS1'

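--OK, correct. Without creating a wallet, running set encryption on identified by 'xxxxxx' only; also encrypts the backup.
--You only need to remember the encryption password, and the backup script must be stored safely.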
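
The `strings ... | tail -4` check used in steps 1 and 2 can be turned into a post-backup gate. The script below is an added example, not part of the original post: the function names, the `.bak` suffix filter and the two sample files (constructed from the output shown above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag backup pieces that still expose readable spfile
# parameter lines such as "*.sessions=400" (step 1 of the post).

# Matches spfile assignments like "*.undo_tablespace=" (name of 3+ chars).
SPFILE_PARAM_RE='\*\.[a-z][a-z0-9_]{2,}='

# count_plaintext_params FILE -> prints the number of readable parameter lines
count_plaintext_params() {
    # Turn every non-printable byte into a newline (a crude strings(1)),
    # then count lines that look like spfile parameters.
    LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" |
        LC_ALL=C grep -cE "$SPFILE_PARAM_RE" || true
}

# audit_backup_dir DIR -> lists readable pieces; returns 1 if any is found
audit_backup_dir() {
    audit_rc=0
    for audit_piece in "$1"/*.bak; do
        [ -e "$audit_piece" ] || continue
        audit_hits=$(count_plaintext_params "$audit_piece")
        if [ "$audit_hits" -gt 0 ]; then
            echo "PLAINTEXT $audit_piece ($audit_hits parameter lines)"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# make_demo_pieces DIR -> writes two constructed sample files, not real pieces
make_demo_pieces() {
    # Mimics the unencrypted piece: parameters sit between binary bytes.
    printf "\001\002*.sessions=400\000*.standby_file_management='auto'\000*.undo_tablespace='UNDOTBS1'\000/u01/app/oracle11g/product/11.2.0/db_2/dbs/spfiletest.ora\n" \
        > "$1/plain_demo.bak"
    # Mimics the encrypted piece: only meaningless fragments are printable.
    printf '\001`thvQb\000pFXB#\000sq1Ha\000tNH4\n' > "$1/enc_demo.bak"
}

demo_dir=$(mktemp -d)
make_demo_pieces "$demo_dir"
audit_backup_dir "$demo_dir" || echo "at least one piece is readable without the password"
rm -rf "$demo_dir"
```

A zero count only shows that no spfile parameters are readable; a compressed but unencrypted piece would also hide these strings, and datafile pieces need different markers.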

From the "ITPUB blog", link: http://blog.itpub.net/267265/viewspace-1154736/. If you reproduce this article, please cite the source; otherwise legal liability will be pursued.
