RMAN備份與恢復之加密備份

ORACLE從10g R2開始為備份提供加密功能，透過加密獲得的備份，可以保護備份檔案，防止備份洩露帶來的安全問題。

顯示當前資料庫的加密演算法：

SQL> select * from v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME ALGORITHM_DESCRIPTION IS_ RES

------------ -------------------- ------------------------------ --- ---

1 AES128 AES 128-bit key YES NO

2 AES192 AES 192-bit key NO NO

3 AES256 AES 256-bit key NO NO

RMAN> show encryption algorithm;

using target database control file instead of recovery catalog

RMAN configuration parameters are:

CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

RMAN中更改加密演算法：

RMAN> configure encryption algorithm 'AES192';

口令模式加密

該加密方式透過在生成備份集是設定口令，在使用備份集時設定解密口令來實現對備份集的加密，適合轉存備份集時使用。

設定備份口令：

RMAN> set encryption on identified by 'oracle' only;

executing command: SET encryption

RMAN> run{

2> allocate channel c1 type disk format '/u01/rman_dest/rman_users_%p_%M-%D_%t.bak';

3> backup tablespace users channel c1;

4> release channel c1;

5> }

SQL> select file#,name from v$datafile;

FILE# NAME

---------- ------------------------------------------------

1 /u01/app/oracle/oradata/orcl_dup/system01.dbf

3 /u01/app/oracle/oradata/orcl_dup/sysaux01.dbf

4 /u01/app/oracle/oradata/orcl_dup/users01.dbf

5 /u01/app/oracle/oradata/orcl_dup/example01.dbf

6 /u01/app/oracle/oradata/orcl_dup/tts01.dbf

7 /u01/app/oracle/oradata/orcl_dup/tts02.dbf

8 /u01/app/oracle/oradata/orcl_dup/undotbs001.dbf

模擬損壞，進行測試

[oracle@node1 ~]$ rm -rf /u01/app/oracle/oradata/orcl_dup/users01.dbf

RMAN> shutdown abort;

using target database control file instead of recovery catalog

Oracle instance shut down

RMAN> startup mount;

connected to target database (not started)

Oracle instance started

database mounted

Total System Global Area 167772160 bytes

Fixed Size 1218316 bytes

Variable Size 88082676 bytes

Database Buffers 75497472 bytes

Redo Buffers 2973696 bytes

此時恢復資料檔案會提示wallet is not open錯誤

RMAN> restore datafile 4;

Starting restore at 09-JUL-14

allocated channel: ORA_DISK_1

channel ORA_DISK_1: sid=157 devtype=DISK

channel ORA_DISK_1: starting datafile backupset restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

restoring datafile 00004 to /u01/app/oracle/oradata/orcl_dup/users01.dbf

channel ORA_DISK_1: reading from backup piece /u01/rman_dest/rman_users_1_07-09_852462004.bak

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 07/09/2014 11:05:00

ORA-19870: error reading backup piece /u01/rman_dest/rman_users_1_07-09_852462004.bak

ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open

指定解密密碼

RMAN> set decryption identified by 'oracle';

executing command: SET decryption

RMAN> restore datafile 4;

Starting restore at 09-JUL-14

using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backupset restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

restoring datafile 00004 to /u01/app/oracle/oradata/orcl_dup/users01.dbf

channel ORA_DISK_1: reading from backup piece /u01/rman_dest/rman_users_1_07-09_852462004.bak

channel ORA_DISK_1: restored backup piece 1

piece handle=/u01/rman_dest/rman_users_1_07-09_852462004.bak tag=TAG20140709T110003

channel ORA_DISK_1: restore complete, elapsed time: 00:00:25

Finished restore at 09-JUL-14

RMAN> recover datafile 4;

Starting recover at 09-JUL-14

using channel ORA_DISK_1

starting media recovery

media recovery complete, elapsed time: 00:00:03

Finished recover at 09-JUL-14

RMAN> alter database open;

database opened

透明模式

該方式透過本地配置Wallet來實現本地備份集的安全，該加密方式適用於本地的備份安全維護。

Oracle Encryption Wallet的簡單使用配置：

SQLNET.ORA指定Wallet的地址

[oracle@node1 ~]$ cd $ORACLE_HOME/network/admin

[oracle@node1 admin]$ visqlnet.ora

設定Wallet地址：

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/wallet)))

[oracle@node1 admin]$ mkdir -p /u01/wallet

SYS使用者建立wallet

SQL> alter system set encryption key authenticated by "oracle";

System altered.

SQL> !ls /u01/wallet

ewallet.p12

開啟關閉Wallet的方法

SQL> alter system set encryption wallet open identified by "oracle";

System altered.

SQL> alter system set encryption wallet close;

System altered.

RMAN> configure encryption for database on;

new RMAN configuration parameters:

CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters are successfully stored

RMAN> set encryption on;

executing command: SET encryption

此時如果關閉wallet，去備份資料庫會報如下錯誤

RMAN> backup database format '/u01/rman_dest/orcl_whole_back_%p_%M-%D_%t.bak';

Starting backup at 09-JUL-14

using channel ORA_DISK_1

channel ORA_DISK_1: starting full datafile backupset

channel ORA_DISK_1: specifying datafile(s) in backupset

input datafile fno=00001 name=/u01/app/oracle/oradata/orcl_dup/system01.dbf

input datafile fno=00003 name=/u01/app/oracle/oradata/orcl_dup/sysaux01.dbf

input datafile fno=00004 name=/u01/app/oracle/oradata/orcl_dup/users01.dbf

input datafile fno=00005 name=/u01/app/oracle/oradata/orcl_dup/example01.dbf

input datafile fno=00008 name=/u01/app/oracle/oradata/orcl_dup/undotbs001.dbf

input datafile fno=00006 name=/u01/app/oracle/oradata/orcl_dup/tts01.dbf

input datafile fno=00007 name=/u01/app/oracle/oradata/orcl_dup/tts02.dbf

channel ORA_DISK_1: starting piece 1 at 09-JUL-14

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03009: failure of backup command on ORA_DISK_1 channel at 07/09/2014 15:49:07

ORA-19914: unable to encrypt backup

ORA-28365: wallet is not open

開啟wallet，再次執行備份即可