[20140506] RMAN encrypted backup.txt

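--Yesterday I was discussing with someone and the topic of backup security came up: we need to guard against someone getting hold of a backup and extracting the data from it. This morning I took a quick look at how to encrypt backups and ran some simple tests.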

SCOTT@test> @ver

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production


1. First, test the unencrypted case:
RMAN> show ENCRYPTION FOR DATABASE;
RMAN configuration parameters for database with db_unique_name TEST are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

RMAN> backup spfile format '/tmp/spfile%U.bak';
Starting backup at 2014-05-06 09:02:23
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=113 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 2014-05-06 09:02:28
channel ORA_DISK_1: finished piece 1 at 2014-05-06 09:02:29
piece handle=/tmp/spfile05p7jf54_1_1.bak tag=TAG20140506T090227 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 2014-05-06 09:02:29

# strings spfile05p7jf54_1_1.bak | tail -4
*.sessions=400
*.standby_file_management='auto'
*.undo_tablespace='UNDOTBS1'
/u01/app/oracle11g/product/11.2.0/db_2/dbs/spfiletest.ora

--Without encryption, the information inside the backup is visible.


2. Test the encrypted case:
RMAN> set encryption on identified by '123456';
executing command: SET encryption

RMAN> backup spfile format '/tmp/spfile%U.bak';

Starting backup at 2014-05-06 09:05:04
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 2014-05-06 09:05:06
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 05/06/2014 09:05:07
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open

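--A wallet has to be created, which is rather troublesome. I looked at the documentation: adding the parameter only at the end makes the backup work.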

RMAN> set encryption on identified by '123456' only;
executing command: SET encryption

RMAN> backup spfile format '/tmp/spfile%U.bak';
Starting backup at 2014-05-06 09:06:24
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 2014-05-06 09:06:26
channel ORA_DISK_1: finished piece 1 at 2014-05-06 09:06:27
piece handle=/tmp/spfile07p7jfch_1_1.bak tag=TAG20140506T090625 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:02
Finished backup at 2014-05-06 09:06:27

# strings /tmp/spfile07p7jfch_1_1.bak | tail -4
`thvQb
pFXB#
sq1Ha
tNH4

--After encryption, the information in the backup is no longer visible.
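
The strings check above can be automated across a backup directory. The script below is an added example, not part of the original notes: it counts spfile-style "*.name=" assignments in each piece and flags pieces where they are readable. The function names, the MIN_HITS threshold and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag backup pieces that still expose spfile parameters in
# clear text. Heuristic only: it looks for "*.name=" assignments such as
# "*.sessions=400", the same lines the strings output shows for a plain piece.

# Count parameter-style assignments in one file (binary-safe via grep -a).
count_param_strings() {
    LC_ALL=C grep -a -o -E '\*\.[a-z][a-z0-9_]*=' "$1" | wc -l | tr -d ' '
}

# Return 0 if the piece looks unencrypted, 1 if no parameters are visible.
# MIN_HITS (assumed default 2) avoids flagging a chance match in ciphertext.
piece_leaks_plaintext() {
    min_hits=${MIN_HITS:-2}
    hits=$(count_param_strings "$1")
    [ "$hits" -ge "$min_hits" ]
}

# Scan every *.bak in a directory; print one status line per piece and
# return non-zero if any piece exposes parameters.
scan_backup_dir() {
    rc=0
    for f in "$1"/*.bak; do
        [ -f "$f" ] || continue
        if piece_leaks_plaintext "$f"; then
            echo "PLAINTEXT $f"
            rc=1
        else
            echo "OPAQUE    $f"
        fi
    done
    return $rc
}

# Constructed sample pieces (not real RMAN output): one with readable
# parameters between binary bytes, one with only opaque bytes.
make_samples() {
    printf "\001\002\000hdr\000*.sessions=400\000*.standby_file_management='auto'\000*.undo_tablespace='UNDOTBS1'\000" > "$1/plain.bak"
    printf "\140thvQb\000pFXB#\000sq1Ha\000tNH4\000\377\376" > "$1/enc.bak"
}
```

An OPAQUE result only means no parameter text is readable; a compressed but unencrypted piece can look the same, so treat PLAINTEXT as the actionable finding.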

3. Test how to get the backup back out:

RMAN> set decryption identified by '123456';

executing command: SET decryption
using target database control file instead of recovery catalog

RMAN> restore preview spfile from '/tmp/spfile07p7jfch_1_1.bak' ;
Starting restore at 2014-05-06 09:10:55
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=210 device type=DISK

Finished restore at 2014-05-06 09:10:58


RMAN> set decryption identified by 'a23456';
executing command: SET decryption

RMAN> restore preview spfile from '/tmp/spfile07p7jfch_1_1.bak' ;
Starting restore at 2014-05-06 09:11:45
using channel ORA_DISK_1
Finished restore at 2014-05-06 09:11:47

--Huh, can it be decrypted even with the wrong password? The content should be incorrect, though.

4. Try an actual restore and see.
RMAN> set decryption identified by 'a23456' ;
executing command: SET decryption
using target database control file instead of recovery catalog

RMAN> restore  spfile to '/tmp/spfilea23456.ora' from '/tmp/spfile07p7jfch_1_1.bak';
Starting restore at 2014-05-06 09:16:06
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=210 device type=DISK
channel ORA_DISK_1: restoring spfile from AUTOBACKUP /tmp/spfile07p7jfch_1_1.bak
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/06/2014 09:16:10
ORA-19870: error while restoring backup piece /tmp/spfile07p7jfch_1_1.bak
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
--?? Does the wallet really have to be opened?

RMAN> set decryption identified by '123456' ;
executing command: SET decryption
using target database control file instead of recovery catalog

RMAN> restore  spfile to '/tmp/spfilea23456.ora' from '/tmp/spfile07p7jfch_1_1.bak';
Starting restore at 2014-05-06 09:17:05
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=210 device type=DISK
channel ORA_DISK_1: restoring spfile from AUTOBACKUP /tmp/spfile07p7jfch_1_1.bak
channel ORA_DISK_1: SPFILE restore from AUTOBACKUP complete
Finished restore at 2014-05-06 09:17:08
--The password is correct, so the restore works.

--Check whether the content is correct:
# strings spfilea23456.ora | tail -4
*.remote_login_passwordfile='EXCLUSIVE'
*.sessions=400
*.standby_file_management='auto'
*.undo_tablespace='UNDOTBS1'

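--OK, correct. Without creating a wallet, running set encryption on identified by 'xxxxxx' only; also encrypts the backup. You only need to remember the encryption password, and the backup script must be kept safe.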
