RMAN加密備份的三種方式

李行行丶發表於2022-03-19
加密

前言:為了資料備份的安全性,在某些特定的情況下我們需要對備份進行加密操作。一般是加密廠商或者Oracle自帶的加密方式進行加密。如果使用Oracle自帶的加密方式,顯然是增加了Oracle管理員的維護成本,如果使用廠商加密,一旦金鑰丟失,那麼恢復起來基本上就是不太可能的。但對於Oracle自帶的加密,如果金鑰丟失,還有一定的挽回方式。在我接觸的資料庫維護中,基本上很少使用加密備份的方式。
RMAN備份可以建立加密的備份集,加密方式分為三種模式
  • 透明模式
  • 口令模式
  • 雙體模式
透明模式和雙體模式要求將主金鑰存放錢包的安全檔案中,錢包的路徑由sqlnet.ora檔案生命
一:開啟錢包加密
##1.編輯sqlnet.ora檔案,新增以下內容,並建立對應的目錄
[oracle@orcl:/u01/app/oracle/product/12.2.0/db/network/admin]$ cat sqlnet.ora
ENCRYPTION_WALLET_LOCATION = (SOURCE =
                                  (METHOD = FILE)
                                  (METHOD_DATA =
                                  (DIRECTORY = /u01/app/oracle/product/12.2.0/db/lhh/wallet/)))
[oracle@orcl:/home/oracle]$ mkdir -p /u01/app/oracle/product/12.2.0/db/lhh/wallet
##2.建立錢包、設定其密碼,開啟錢包及在其內建立主金鑰
sys@ORCL 09:28:29> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "qwe123!@#";
System altered.
#設定完成之後生成一個ewallet.p12檔案,我們設定的密碼會存放到這個檔案中
[oracle@orcl:/u01/app/oracle/product/12.2.0/db/lhh/wallet]$ ll
total 4
-rw------- 1 oracle oinstall 2848 Mar 19 09:28 ewallet.p12
##3.檢視錢包是否已經開啟
sys@ORCL 09:31:35> select * from V$ENCRYPTION_WALLET;
WRL_TYPE   WRL_PARAMETER                                 STATUS     WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID
---------- --------------------------------------------- ---------- -------------------- --------- --------- ----------
FILE       /u01/app/oracle/product/12.2.0/db/lhh/wallet/ OPEN       PASSWORD             SINGLE    NO                 0
二:加密備份
##1.開啟備份加密功能
RMAN> set encryption on;
executing command: SET encryption
#指定演算法加密
RMAN> set encryption on using 'AES256';
executing command: SET encryption
#以下命令永久開啟透明模式加密功能或設定加密演算法
RMAN> configure encryption for database on;
RMAN> configure encryption algorithm 'AES256';
##2.測試透明加密備份

RMAN> set encryption on;
executing command: SET encryption
RMAN> backup tablespace users;
Starting backup at 19-MAR-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/oradata/orcl/users01.dbf
input datafile file number=00002 name=/oradata/orcl/users02.dbf
channel ORA_DISK_1: starting piece 1 at 19-MAR-22
channel ORA_DISK_1: finished piece 1 at 19-MAR-22
piece handle=/home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T094108_k3bf5n7v_.bkp tag=TAG20220319T094108 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 19-MAR-22
Starting Control File and SPFILE Autobackup at 19-MAR-22
piece handle=/home/oracle/fra/ORCL/autobackup/2022_03_19/o1_mf_s_1099734069_k3bf5ojb_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 19-MAR-22
#關閉錢包,嘗試恢復
sys@ORCL 09:42:45> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "qwe123!@#";
System altered.
還原過程提示錢包沒有開啟
RMAN> restore tablespace users;
Starting restore at 19-MAR-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00002 to /oradata/orcl/users02.dbf
channel ORA_DISK_1: restoring datafile 00007 to /oradata/orcl/users01.dbf
channel ORA_DISK_1: reading from backup piece /home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T094108_k3bf5n7v_.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 03/19/2022 09:43:34
ORA-19870: error while restoring backup piece /home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T094108_k3bf5n7v_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
三:不開啟錢包的加密
##1.直接設定加密金鑰
#手工方式直接定義口令的加密備份方式,過程不需要開啟錢包,值需要給出匹配的口令即可
RMAN> set encryption on IDENTIFIED BY "qwe123!@#" only;
executing command: SET encryption
using target database control file instead of recovery catalog
##2.備份users表空間
RMAN> backup tablespace users;
Starting backup at 19-MAR-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=58 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/oradata/orcl/users01.dbf
input datafile file number=00002 name=/oradata/orcl/users02.dbf
channel ORA_DISK_1: starting piece 1 at 19-MAR-22
channel ORA_DISK_1: finished piece 1 at 19-MAR-22
piece handle=/home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T102532_k3bhrwpf_.bkp tag=TAG20220319T102532 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 19-MAR-22
Starting Control File and SPFILE Autobackup at 19-MAR-22
piece handle=/home/oracle/fra/ORCL/autobackup/2022_03_19/o1_mf_s_1099736733_k3bhrxx9_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 19-MAR-22
##不輸入金鑰進行還原操作提示ORA-19913
RMAN> restore tablespace users;
Starting restore at 19-MAR-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00002 to /oradata/orcl/users02.dbf
channel ORA_DISK_1: restoring datafile 00007 to /oradata/orcl/users01.dbf
channel ORA_DISK_1: reading from backup piece /home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T102532_k3bhrwpf_.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 03/19/2022 10:25:48
ORA-19870: error while restoring backup piece /home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T102532_k3bhrwpf_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
#輸入密碼進行還原操作
RMAN> set decryption identified by "qwe123!@#";
RMAN> restore tablespace users;  
Starting restore at 19-MAR-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=42 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00002 to /oradata/orcl/users02.dbf
channel ORA_DISK_1: restoring datafile 00007 to /oradata/orcl/users01.dbf
channel ORA_DISK_1: reading from backup piece /home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T102532_k3bhrwpf_.bkp
channel ORA_DISK_1: piece handle=/home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T102532_k3bhrwpf_.bkp tag=TAG20220319T102532
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 19-MAR-22
四:雙體備份模式
簡而言之:就是錢包處於開啟狀態,並且進行備份的時候手工指定一個金鑰,這樣恢復的過程中,只要錢包開啟或者輸入口令解密兩種方式選擇其一,就可以進行還原
#1.開啟錢包加密
idle 19-MAR-22> ALTER SYSTEM SET ENCRYPTION WALLET open IDENTIFIED BY "qwe123!@#";
#2.手工設定備份口令並備份users表空間
##這裡注意,手工指定的口令和錢包口令是不一致的
RMAN> set encryption identified by "123456";
executing command: SET encryption
RMAN> backup tablespace users;
Starting backup at 19-MAR-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/oradata/orcl/users01.dbf
input datafile file number=00002 name=/oradata/orcl/users02.dbf
channel ORA_DISK_1: starting piece 1 at 19-MAR-22
channel ORA_DISK_1: finished piece 1 at 19-MAR-22
piece handle=/home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T105003_k3bk6vso_.bkp tag=TAG20220319T105003 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 19-MAR-22
Starting Control File and SPFILE Autobackup at 19-MAR-22
piece handle=/home/oracle/fra/ORCL/autobackup/2022_03_19/o1_mf_s_1099738204_k3bk6x1p_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 19-MAR-22
#3.關閉錢包並講資料庫啟動到mount狀態
idle 19-MAR-22> ALTER SYSTEM SET ENCRYPTION WALLET close IDENTIFIED BY "qwe123!@#";
idle 19-MAR-22> startup mount force
ORACLE instance started.
Total System Global Area 1493172224 bytes
Fixed Size                  8620896 bytes
Variable Size             788530336 bytes
Database Buffers          687865856 bytes
Redo Buffers                8155136 bytes
Database mounted.
#4.使用set decryption執行解密,並還原users表空間
##這裡我們使用的是手工輸入口令,輸入的是我們動態生成的金鑰
RMAN> set decryption identified by "123456";
executing command: SET decryption
RMAN> restore tablespace users;
Starting restore at 19-MAR-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=42 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00002 to /oradata/orcl/users02.dbf
channel ORA_DISK_1: restoring datafile 00007 to /oradata/orcl/users01.dbf
channel ORA_DISK_1: reading from backup piece /home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T105003_k3bk6vso_.bkp
channel ORA_DISK_1: piece handle=/home/oracle/fra/ORCL/backupset/2022_03_19/o1_mf_nnndf_TAG20220319T105003_k3bk6vso_.bkp tag=TAG20220319T105003
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 19-MAR-22

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/31462978/viewspace-2874054/,如需轉載,請註明出處,否則將追究法律責任。

相關文章