RMAN encrypted backups (password, TDE transparent, dual mode)
RMAN encryption
- Password encryption: works like entering a password
- TDE transparent encryption: suited to local encryption and local recovery
- Dual-mode (mixed) encryption: a combination of the two
Available encryption algorithms
SQL> col ALGORITHM_NAME for a20;
SQL> col ALGORITHM_DESCRIPTION for a30;
SQL> set linesize 200;
SQL> select * from v$rman_encryption_algorithms;
ALGORITHM_ID ALGORITHM_NAME ALGORITHM_DESCRIPTION IS_ RES CON_ID
------------ -------------------- ------------------------------ --- --- ----------
1 AES128 AES 128-bit key YES NO 0
2 AES192 AES 192-bit key NO NO 0
3 AES256 AES 256-bit key NO NO 0
Password encryption
The following steps back up with password encryption:
1. set encryption on identified by 'oracle' only;
2. backup database;
3. Delete a data file, then shutdown abort
4. The database reports an error on restart
5. Restoring with RMAN reports that the wallet is not open
6. set decryption identified by 'oracle';
7. restore datafile 2; recover datafile 2;
8. Success.
Example:
RMAN> show all
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
#Enable encryption
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored
#Check the setting
RMAN> show encryption for database;
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION FOR DATABASE ON;
#ONLY means the backup is encrypted with the password only; the password is set to oracle
RMAN> set encryption on identified by 'oracle' only;
executing command: SET encryption
#Back up the tablespace, then shut down the database
RMAN> backup tablespace users format '/tmp/test/user_%d_%s';
RMAN> shutdown abort;
#Delete the physical file
[oracle@db2 ~]$ rm -f /u01/app/oracle/oradata/ORCL/users01.dbf
#The file is missing, so startup reports an error
RMAN> startup;
connected to target database (not started)
Oracle instance started
database mounted
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of startup command at 05/11/2022 16:17:25
ORA-01157: cannot identify/lock data file 7 - see DBWR trace file
ORA-01110: data file 7: '/u01/app/oracle/oradata/ORCL/users01.dbf'
#restore fails, reporting that the wallet is not open
RMAN> restore tablespace users;
Starting restore at 11-MAY-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=622 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_438
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 16:19:28
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_438
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
#Set the decryption password
RMAN> set decryption identified by 'oracle';
executing command: SET decryption
#restore now works normally
RMAN> restore tablespace users;
RMAN> recover tablespace users;
RMAN> alter database open;
Statement processed
TDE transparent encryption
Suited to local backup and local recovery
Transparent mode is the default encryption method. It is well suited to backup and recovery on the same server; on another server the backup cannot be read, because the required key is missing. No password has to be set, which makes it convenient for local backup and recovery; if backups never need to be moved to another machine, this encryption method is recommended. Instead of a password, only the encryption/decryption credential store, the Oracle Encryption Wallet, needs to be configured. Example of creating and using it:
1. Create the wallet
2. Open the wallet
RMAN> sql 'alter system set wallet open identified by oracle';
3. Configure encrypted backups
RMAN> configure encryption for database on;
4. Back up the database
5. Make sure the wallet is open before restoring the database
RMAN> sql 'alter system set wallet open identified by oracle';
6. restore the database
Example
#Wallet configuration
Add the following entry to /u01/app/oracle/product/19.3/dbhome_1/network/admin/sqlnet.ora:
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet)))
#Make sure the directory exists
mkdir /u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet
#Create the master key
SQL> alter system set key identified by "welcome1";
#Open the wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
System altered.
To close the wallet: ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "welcome1";
#Once the wallet is created, RMAN backups can be encrypted with the wallet.
RMAN> configure encryption for database on;
RMAN> set encryption on;
#Back up, then shut down the database; shutting down also closes the wallet, so it must be reopened before recovery
backup tablespace users format '/tmp/test/user_%d_%s';
shutdown abort
rm -f users01.dbf
#Startup reports an error
startup
#restore reports that the wallet is not open
RMAN> restore tablespace users;
Starting restore at 11-MAY-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 17:26:56
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_439
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
#Open the wallet; recovery then works normally
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
Statement processed
RMAN> restore tablespace users;
Starting restore at 11-MAY-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
channel ORA_DISK_1: piece handle=/tmp/test/user_ORCL_439 tag=TAG20220511T172058
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 11-MAY-22
RMAN> recover tablespace users;
startup
Changing the wallet password:
1. By command:
$orapki wallet change_pwd -wallet /u01/key -oldpwd oracle123 -newpwd oracle456
2. With the graphical tool owm
Use Wallet -> Open to open the wallet directory, then make the relevant settings
Dual-mode encryption
That is, TDE locally and password-based recovery on a remote host
Example
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
#Without ONLY
RMAN> set encryption on identified by 'oracle';
#Make sure the wallet is configured and open
SELECT * FROM v$encryption_wallet;
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY oracle;#Reopen the wallet
#Back up the tablespace, shut down the database, delete the data file
RMAN> backup tablespace users format '/tmp/test/user_%d_%s';
shutdown abort
rm -f users01.dbf
#startup reports the expected error
startup
#restore fails
RMAN> restore tablespace users;
从位于 11-5月 -22 的 restore 开始
使用通道 ORA_DISK_1
通道 ORA_DISK_1: 正在开始还原数据文件备份集
通道 ORA_DISK_1: 正在指定从备份集还原的数据文件
通道 ORA_DISK_1: 将数据文件 00007 还原到 /u01/app/oracle/oradata/ORCL/users01.dbf
通道 ORA_DISK_1: 正在读取备份片段 /tmp/test/user_ORCL_68
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: 位于 05/11/2022 20:52:27 的 restore 命令失败
ORA-19870: 还原备份片段 /tmp/test/user_ORCL_68 时出错
ORA-19913: 无法解密备份
ORA-28365: Wallet 未打开
#Set the password to recover (note that the wallet is closed after the restart, which indirectly demonstrates recovery on another host where the wallet is not available)
RMAN> set decryption identified by 'oracle';
正在执行命令: SET decryption
#Restore works normally
RMAN> restore tablespace users;
从位于 11-5月 -22 的 restore 开始
使用通道 ORA_DISK_1
通道 ORA_DISK_1: 正在开始还原数据文件备份集
通道 ORA_DISK_1: 正在指定从备份集还原的数据文件
通道 ORA_DISK_1: 将数据文件 00007 还原到 /u01/app/oracle/oradata/ORCL/users01.dbf
通道 ORA_DISK_1: 正在读取备份片段 /tmp/test/user_ORCL_73
通道 ORA_DISK_1: 片段句柄 = /tmp/test/user_ORCL_73 标记 = TAG20220511T210214
通道 ORA_DISK_1: 已还原备份片段 1
通道 ORA_DISK_1: 还原完成, 用时: 00:00:01
在 11-5月 -22 完成了 restore
RMAN> recover tablespace users;
RMAN> alter database open;
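As an added example (not part of the original post), a small Python triage helper that reads an RMAN restore transcript like the ones in the three sections above, keys on the ORA-/RMAN- codes rather than the message text (so it also handles the localized output shown in the dual-mode section), and maps the ORA-19913/ORA-28365 pair to the remedy for the encryption mode the backup was taken with. The sample transcripts and the triage_rman_log function are constructed for this example.

```python
import re

# Match only the error-code prefix, so the check works whether the RMAN output
# is in English or in a localized NLS language (the sessions above show both).
ERROR_RE = re.compile(r"\b(ORA|RMAN)-(\d{5})\b")
# Backup piece handles in the sessions above are absolute paths; the
# "restored backup piece 1" line of a successful restore therefore does not match.
PIECE_RE = re.compile(r"(?:backup piece|备份片段)\s+(/\S+)")

# Remediation per encryption mode.  ORA-19913 + ORA-28365 is raised for all
# three modes when the backup cannot be decrypted, so the fix depends on how
# the backup was taken, not on the message text.
HINTS = {
    "password":    "SET DECRYPTION IDENTIFIED BY <password> before RESTORE",
    "transparent": "open the wallet (ALTER SYSTEM SET ENCRYPTION WALLET OPEN) before RESTORE",
    "dual":        "open the wallet locally, or SET DECRYPTION IDENTIFIED BY <password> on another host",
}

def triage_rman_log(text, mode):
    """Classify one RMAN RESTORE transcript for a backup taken with encryption `mode`."""
    if mode not in HINTS:
        raise ValueError(f"unknown encryption mode: {mode}")
    codes = sorted({f"{p}-{n}" for p, n in ERROR_RE.findall(text)})
    pieces = PIECE_RE.findall(text)
    decrypt_failure = "ORA-19913" in codes and "ORA-28365" in codes
    return {
        "failed": "RMAN-03002" in codes,
        "decrypt_failure": decrypt_failure,
        "codes": codes,
        "piece": pieces[-1] if pieces else None,  # last piece handle mentioned
        "hint": HINTS[mode] if decrypt_failure else None,
    }

# Constructed sample transcripts, modelled on the sessions above.
FAILED_EN = """channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_438
RMAN-03002: failure of restore command at 05/11/2022 16:19:28
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_438
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
"""
FAILED_ZH = """通道 ORA_DISK_1: 正在读取备份片段 /tmp/test/user_ORCL_68
RMAN-03002: 位于 05/11/2022 20:52:27 的 restore 命令失败
ORA-19870: 还原备份片段 /tmp/test/user_ORCL_68 时出错
ORA-19913: 无法解密备份
ORA-28365: Wallet 未打开
"""
RESTORED_EN = """channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
"""
```

Calling triage_rman_log(FAILED_ZH, "dual") returns the same codes and piece path as the English transcript, which is why matching on codes rather than message text is the robust choice for monitoring.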