For improved security, you can configure backup encryption for RMAN backup sets. Encrypted backups cannot be read if they are obtained by unauthorized users. This feature requires the Enterprise Edition of the database.
If no encryption algorithm is specified, then the default encryption algorithm is bit Advanced Encryption Standard AES. This is the default mode and uses the Oracle wallet. A wallet is a password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL.
This mode uses only password protection. You must provide a password when creating and restoring encrypted backups. Encrypted backups are decrypted automatically during restore and recovery, if the required decryption keys are available.
Each backup set gets a separate key. The key is stored in encrypted form in the backup piece. The backup is decrypted with keys obtained with a user-supplied password or the Oracle wallet.
The data is never decrypted during any part of the operation. Transparent encryption can create and restore encrypted backups with no DBA intervention, as long as the required Oracle key management infrastructure is available. Transparent encryption is best suited for day-to-day backup operations, where backups are restored to the same database from which they were created. Transparent encryption is the default for RMAN encryption.
When you use transparent encryption, you must first configure an Oracle wallet for each database, as described in Oracle Database Advanced Security Administrator's Guide. Transparent backup encryption supports both the encrypted and autologin forms of the Oracle wallet. When you use the Oracle wallet, the wallet must be opened before you can perform backup encryption.
When you use the autologin wallet, encrypted backup operations can be done at any time, because the autologin wallet is always open. After the Oracle wallet is configured, encrypted backups can be created and restored with no further DBA intervention. If some columns in the database are encrypted with transparent data encryption, and if those columns are backed up using backup encryption, then those columns are encrypted a second time during the backup.
When the backup sets are decrypted during a restore operation, the encrypted columns are returned to their original encrypted form. Because the Oracle key management infrastructure archives all previous master keys in the Oracle wallet, changing or resetting the current database master key does not affect your ability to restore encrypted backups performed with an older master key. You can reset the database master key at any time.
RMAN can restore all encrypted backups that were ever created by this database. Password encryption requires that the DBA provide a password when creating and restoring encrypted backups. Restoring a password-encrypted backup requires the same password that was used to create the backup. Password encryption is useful for backups that are restored at remote locations, but which must remain secure in transit. Password encryption cannot be persistently configured.
You do not need to configure an Oracle wallet if password encryption is used exclusively. Dual-mode encrypted backups can be restored either transparently or by specifying a password. Dual-mode encrypted backups are useful when you create backups that are normally restored on site using the Oracle wallet, but which occasionally must be restored offsite, where the Oracle wallet is not available.
When restoring a dual-mode encrypted backup, you can use either the Oracle wallet or a password for decryption. You can use the command to specify the following:. Set a password for backup encryption, persisting until the RMAN client exits. Using or not using persistent configuration settings controls whether archived redo log backups are encrypted.
Backup sets containing archived redo log files are encrypted if any of the following are true:. This behavior ensures that the redo associated with any encrypted backup of a data file is also encrypted. To configure the environment so that all RMAN backups are encrypted:. At this stage, all RMAN backup sets created by this database use transparent encryption by default. You can explicitly override the persistent encryption configuration for an RMAN session with the following command:.
The default algorithm is AES bit. To configure the default backup encryption algorithm:. Feel free to ask questions on our Oracle forum. Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.
Oracle technology is changing and we strive to update our BC Oracle support information. You can use the automatic channel allocation feature to configure a set of persistent, automatic channels for use in all RMAN sessions. You can use the manual channel allocation feature to specify channels for commands used within a RUN block. You can override automatic channel allocation settings by manually allocating channels within a RUN block.
Manual channels always override automatic channels. For example, you override automatic channel allocation when you issue a command as follows:.
RMAN optimizes automatic channel allocation by leaving automatic channels allocated so long as each new command requires exactly the same channel configuration as the previous command. For example, RMAN can use the same preallocated channels for the following series of commands:.
For example, if you configure parallelism to 3 for a device type, then RMAN allocates three channels for the device type when using automatic channels. The parallelism setting defines the number of channels for a device that RMAN allocates in parallel. It does not have to correspond to the actual number of channels configured for the device.
For example:. For example, you may make backups to tape most of the time and only occasionally make a backup to disk. In this case, configure channels for disk and tape devices, but make sbt the default device type:.
Now, RMAN will, by default, use sbt channels for backups. For example, if you run the following command:. RMAN only allocates channels of type sbt during the backup because sbt is the default device. Note that you do not have to manually allocate a disk channel because RMAN uses the preconfigured disk channel. When crosschecking on multiple nodes and when operating RMAN in general , configure the cluster so that all backups can be accessed by every node, regardless of which node created the backup.
When the cluster is configured this way, you can allocate channels at any node in the cluster during restore or crosscheck operations. If some backups are not accessible during crosscheck because no channel was configured on the node that can access those backups, then those backups are marked EXPIRED in the RMAN repository after the crosscheck.
In this example, assume a RAC cluster with two nodes, each one of which requires a channel to access some backups for the crosscheck. You configure the channels as shown here:. You can also perform deletions on all allocated channels.
0コメント