RMAN encrypted backups (password, TDE transparent, hybrid)

RMAN encryption

  1. Password mode: the backup is protected by a password you supply, just like typing a password; Oracle stores nothing, so the password must be kept by you.

  2. TDE transparent mode: uses the TDE master key in the keystore (wallet); suited to backup and recovery on the same host.

  3. Dual (hybrid) mode: both at once; the backup can be decrypted with either the wallet or the password.

Encryption algorithms

The algorithms RMAN can use are listed in V$RMAN_ENCRYPTION_ALGORITHMS (the truncated columns are IS_DEFAULT and RESTORE_ONLY). AES128 is the default; switch to a stronger key with CONFIGURE ENCRYPTION ALGORITHM 'AES256';

SQL> col ALGORITHM_NAME for a20;
SQL> col ALGORITHM_DESCRIPTION for a30;
SQL> set linesize 200;
SQL> select * from v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME       ALGORITHM_DESCRIPTION          IS_ RES     CON_ID
------------ -------------------- ------------------------------ --- --- ----------
           1 AES128               AES 128-bit key                YES NO           0
           2 AES192               AES 192-bit key                NO  NO           0
           3 AES256               AES 256-bit key                NO  NO           0



Password encryption

Backing up with a password (password-only mode; the example password 'oracle' is for the lab only, and since Oracle keeps no copy of it, losing the password makes the backup unrecoverable):

1. set encryption on identified by 'oracle' only;

2. backup database;

3. Delete a data file, then shutdown abort

4. The restart fails because the file is missing

5. Restoring with RMAN reports that the wallet is not open

6. set decryption identified by 'oracle';

7. restore datafile 2; recover datafile 2;

8. Success.

Example:

RMAN> show all
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default


#Enable encryption
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored


#Check the setting
RMAN> show encryption for database;

RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION FOR DATABASE ON;



#ONLY means password-only mode (the wallet is not used); the password is oracle
RMAN> set encryption on identified by 'oracle' only;

executing command: SET encryption

#Back up the tablespace, then shut down the database
RMAN> backup tablespace users format '/tmp/test/user_%d_%s';
RMAN> shutdown abort;

#Delete the physical file
[oracle@db2 ~]$ rm -f /u01/app/oracle/oradata/ORCL/users01.dbf

#Startup fails because the file is missing
RMAN> startup;
connected to target database (not started)
Oracle instance started
database mounted
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of startup command at 05/11/2022 16:17:25
ORA-01157: cannot identify/lock data file 7 - see DBWR trace file
ORA-01110: data file 7: '/u01/app/oracle/oradata/ORCL/users01.dbf'

#restore fails with "wallet is not open": no decryption password has been set, so RMAN falls back to transparent mode and finds no open wallet
RMAN> restore tablespace users;
Starting restore at 11-MAY-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=622 device type=DISK

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_438
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 16:19:28
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_438
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open


#Set the decryption password
RMAN> set decryption identified by 'oracle';

executing command: SET decryption


#restore now succeeds
RMAN> restore tablespace users;
RMAN> recover tablespace users;

RMAN> alter database open;

Statement processed
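Before a piece like /tmp/test/user_ORCL_438 is copied off the host, it is worth confirming that encryption was actually in effect for that backup. The authoritative check is inside the database: SELECT handle, encrypted FROM v$backup_piece; The script below is an added offline cross-check on the file itself, written for this page and not part of the original post or of Oracle's tooling. An encrypted piece looks like random bytes (entropy close to 8 bits per byte) and contains no recognisable plaintext such as the tablespace name. The default sample size, the 7.9 bits/byte threshold and the USERS marker are assumptions. Caveat: BACKUP AS COMPRESSED BACKUPSET also yields high entropy and hides plaintext markers, so a pass is necessary but not sufficient, whereas a FAIL is always real.

```sh
# Added example, not from the original post: check whether a backup piece
# is really encrypted. Functions only; usage is at the bottom.

# piece_entropy FILE [BYTES]
# Shannon entropy in bits per byte over the first BYTES bytes (default 1 MiB).
piece_entropy() {
    head -c "${2:-1048576}" "$1" | od -An -v -tu1 |
    awk '{ for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
         END {
             if (n == 0) { print "0.000"; exit }
             h = 0
             for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
             printf "%.3f\n", h
         }'
}

# check_encrypted_piece FILE MARKER [MIN_ENTROPY]
# Returns 0 when FILE has entropy >= MIN_ENTROPY (default 7.9, an assumed
# threshold) and MARKER does not occur in it as plaintext; 1 on a failed
# check; 2 if the file cannot be read.
check_encrypted_piece() {
    piece=$1; marker=$2; min=${3:-7.9}
    [ -r "$piece" ] || { echo "ERROR cannot read $piece" >&2; return 2; }
    h=$(piece_entropy "$piece")
    # grep -a scans the binary file as text, -F matches the marker literally.
    if grep -aqF -- "$marker" "$piece"; then
        echo "FAIL $piece: plaintext marker '$marker' found (entropy $h)"
        return 1
    fi
    if [ "$(awk -v h="$h" -v m="$min" 'BEGIN { print (h + 0 >= m + 0) }')" != 1 ]; then
        echo "FAIL $piece: entropy $h bits/byte is below $min"
        return 1
    fi
    echo "OK   $piece: entropy $h bits/byte, no '$marker' in plaintext"
    return 0
}

# Usage on the pieces written by the FORMAT clause used in this post:
#   for p in /tmp/test/user_ORCL_*; do check_encrypted_piece "$p" USERS; done
```

The marker should be a string that is certain to appear in the plaintext data, such as the tablespace name or a known column value; an unencrypted datafile backup carries the tablespace name in clear.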

TDE transparent encryption

Suited to local backup and local recovery.

Transparent mode is the default encryption mode. It fits backup and recovery on the same server: another server cannot read the backup because it lacks the master key. No password has to be set; you only configure the encryption/decryption keystore, the Oracle Encryption Wallet, so if the backups never need to be moved to another machine this is the recommended mode. Setup and usage steps:

1. Create the wallet

2. Open the wallet

RMAN> sql 'alter system set wallet open identified by oracle';

3. Configure encrypted backups

RMAN> configure encryption for database on;

4. Back up the database

5. Make sure the wallet is open before restoring the database

RMAN> sql 'alter system set wallet open identified by oracle';

6. restore the database

Example

#Wallet configuration: add the following entry to
/u01/app/oracle/product/19.3/dbhome_1/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet)))
#(On 18c and later the WALLET_ROOT and TDE_CONFIGURATION initialization parameters are the preferred way to locate the keystore; the sqlnet.ora entry still works on 19c.)

#Make sure the directory exists
mkdir /u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet

#Create the master key (this also creates the wallet in that directory). This is the pre-12c syntax; on 12c and later use ADMINISTER KEY MANAGEMENT CREATE KEYSTORE ... / SET KEYSTORE OPEN ... / SET KEY ... WITH BACKUP
SQL> alter system set key identified by "welcome1";


#Open the wallet (12c and later: ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "welcome1";)
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
System altered.
Close the wallet: ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "welcome1";

#Once the wallet exists, RMAN backups with encryption switched on use it
RMAN> configure encryption for database on;
RMAN> set encryption on;

#Back up, then shut down. Shutting down also closes the wallet (unless an auto-login keystore exists), so it must be reopened before recovery
backup tablespace users format '/tmp/test/user_%d_%s';
shutdown abort
rm -f users01.dbf

#Startup fails (missing data file, as above)
startup

#restore reports that the wallet is not open
RMAN> restore tablespace users;

Starting restore at 11-MAY-22
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 17:26:56
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_439
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open


#Open the wallet; recovery then succeeds
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";

Statement processed

RMAN> restore tablespace users;

Starting restore at 11-MAY-22
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
channel ORA_DISK_1: piece handle=/tmp/test/user_ORCL_439 tag=TAG20220511T172058
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 11-MAY-22

RMAN> recover tablespace users;

#The instance is already mounted after recover, so open it rather than running startup
RMAN> alter database open;

Changing the wallet password:

1. From the command line:

$orapki wallet change_pwd -wallet /u01/key -oldpwd oracle123 -newpwd oracle456

Passwords passed as command-line arguments are visible in the process list and in shell history. On 12c and later prefer ADMINISTER KEY MANAGEMENT ALTER KEYSTORE PASSWORD IDENTIFIED BY old SET new WITH BACKUP; from SQL*Plus, which also writes a backup copy of the keystore.

2. The graphical tool owm

Wallet -> Open, open the wallet directory, then change the settings there.
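The wallet directory created above is the whole secret in transparent mode: whoever can read it (plus any auto-login file in it) can decrypt every backup. The script below is an added hygiene check for that directory, written for this page and not part of the original post or of Oracle's tooling. It assumes Oracle's file names (ewallet.p12 for the password keystore, cwallet.sso for the optional auto-login keystore), takes the backup destination from the RMAN FORMAT directory used in this post, and takes the expected owner as a parameter; all paths are parameters rather than facts about a real host.

```sh
# Added example, not from the original post: sanity-check the TDE keystore
# directory before relying on it for transparent-mode backups.

# check_keystore_dir KEYSTORE_DIR BACKUP_DEST [OWNER]
# Prints one FAIL/WARN line per finding; the return code is the number of
# FAIL findings (0 = clean).
check_keystore_dir() {
    dir=$1; dest=$2; owner=${3:-oracle}; fails=0
    [ -d "$dir" ] || { echo "FAIL keystore dir $dir does not exist"; return 1; }

    # 1. Directory and keystore files must belong to the DB owner and must
    #    not be group/world accessible. Columns 5-10 of ls -l are the group
    #    and other permission bits, so "------" means mode 700 / 600.
    for p in "$dir" "$dir/ewallet.p12" "$dir/cwallet.sso"; do
        [ -e "$p" ] || continue
        bits=$(ls -ld "$p" | cut -c5-10)
        [ "$bits" = "------" ] || { echo "FAIL $p is group/world accessible (...$bits)"; fails=$((fails + 1)); }
        who=$(ls -ld "$p" | awk '{ print $3 }')
        [ "$who" = "$owner" ] || { echo "FAIL $p owned by $who, expected $owner"; fails=$((fails + 1)); }
    done

    # 2. No password keystore means no master key was ever created, so
    #    transparent-mode backups cannot run.
    [ -f "$dir/ewallet.p12" ] || { echo "FAIL $dir/ewallet.p12 missing: no master key has been created"; fails=$((fails + 1)); }

    # 3. Auto-login keystore: survives instance restarts without a password
    #    (no manual OPEN before a restore), but anyone who can read the
    #    directory can open the keystore with it. Report, do not fail.
    [ -f "$dir/cwallet.sso" ] && echo "WARN $dir/cwallet.sso present: keystore opens without a password"

    # 4. The keystore must never live under the backup destination: a copy
    #    of the backups that includes the wallet is a plaintext backup.
    case "$dir/" in
        "$dest"/*) echo "FAIL keystore $dir is inside backup destination $dest"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# Usage with the paths from this post:
#   check_keystore_dir /u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet /tmp/test oracle
```

Back the keystore up separately from the RMAN backups (a WITH BACKUP copy, or a copy to an offline medium kept apart from the backup pieces); without it a transparent-mode backup is just noise, and stored next to the pieces it is no protection at all.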

Hybrid (dual-mode) encryption

TDE is used for restores on the local host and the password for restores on another host: the backup piece is encrypted so that either the wallet or the password can decrypt it.

Example

RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;

#Without ONLY: wallet plus password (dual mode)
RMAN> set encryption on identified by 'oracle';

#Make sure the wallet is configured and open
SELECT * FROM v$encryption_wallet;
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY oracle;#reopen it


#Back up the tablespace, shut down, delete the data file
RMAN> backup tablespace users format '/tmp/test/user_%d_%s';
shutdown abort
rm -f users01.dbf

#startup fails as expected
startup

#restore (the wallet is closed again after the restart)
RMAN> restore tablespace users;

Starting restore at 11-MAY-22
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_68
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 20:52:27
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_68
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open


#Set the password to recover instead (the wallet is still closed after the restart, which shows that a dual-mode backup can be restored with the password alone, exactly what a restore on another host needs)
RMAN> set decryption identified by 'oracle';

executing command: SET decryption

#restore succeeds
RMAN> restore tablespace users;

Starting restore at 11-MAY-22
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_73
channel ORA_DISK_1: piece handle=/tmp/test/user_ORCL_73 tag=TAG20220511T210214
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 11-MAY-22
RMAN> recover tablespace users;
RMAN> alter database open;
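On the other host the whole point of dual mode is that only the password is needed, so the remaining risk is how that password reaches RMAN. Typed at the RMAN prompt it lands in RMAN's command history, in a cron script it is readable by anyone who can read the script, and as a command-line argument it shows up in the process list. The wrapper below is an added example for this page, not code from the original post or from Oracle: it reads the password from a file that only the database owner can read, builds the RMAN script in memory and feeds it to rman on stdin. The tablespace name, the secret-file path and the rman binary are parameters; the function names are this example's own. RMAN itself reports only "executing command: SET decryption", as the logs above show, so the password does not reach the RMAN log.

```sh
# Added example, not from the original post: offsite (password) restore of
# a dual-mode or password-only backup without exposing the password.

# fail MSG: print to stderr and return 1 (used by the checks below)
fail() { echo "ERROR: $*" >&2; return 1; }

# read_backup_password SECRET_FILE
# Prints the first line of SECRET_FILE. Refuses files that are group- or
# world-readable, empty, or whose password contains a single quote (which
# would break the RMAN string literal built below).
read_backup_password() {
    f=$1
    [ -f "$f" ] || { fail "$f is not a regular file"; return 1; }
    bits=$(ls -l "$f" | cut -c5-10)            # group+other permission bits
    [ "$bits" = "------" ] || { fail "$f must be mode 0600, got ...$bits"; return 1; }
    pw=$(head -n 1 "$f")
    [ -n "$pw" ] || { fail "$f is empty"; return 1; }
    case $pw in *"'"*) fail "password must not contain a single quote"; return 1 ;; esac
    printf '%s\n' "$pw"
}

# build_restore_script TABLESPACE SECRET_FILE
# Emits the RMAN commands for the password restore path shown in this post.
build_restore_script() {
    ts=$1; pw=$(read_backup_password "$2") || return 1
    printf "SET DECRYPTION IDENTIFIED BY '%s';\n" "$pw"
    printf 'RESTORE TABLESPACE %s;\n' "$ts"
    printf 'RECOVER TABLESPACE %s;\n' "$ts"
    printf 'ALTER DATABASE OPEN;\n'
}

# restore_offsite TABLESPACE SECRET_FILE [RMAN_BINARY]
# Pipes the script into rman on stdin: the password is never an argv entry
# and never written to a command file. Needs an Oracle home to run.
restore_offsite() {
    script=$(build_restore_script "$1" "$2") || return 1
    printf '%s\n' "$script" | "${3:-rman}" target /
}

# Usage, assuming /etc/oracle/backup.pw is owned by oracle with mode 0600:
#   restore_offsite USERS /etc/oracle/backup.pw
```

The same password file can be reused by the backup side with SET ENCRYPTION ON IDENTIFIED BY '...' in place of SET DECRYPTION; keep it out of the backup destination for the same reason the wallet must stay out of it.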


Posted 2022-05-11 21:23 by EverEternity