RMAN encrypted backups (password, TDE transparent, dual)
RMAN encryption
- Password encryption: works like entering a password
- TDE transparent encryption: suited to local encryption and recovery
- Dual encryption: a combination of the two
Encryption algorithms
SQL> col ALGORITHM_NAME for a20;
SQL> col ALGORITHM_DESCRIPTION for a30;
SQL> set linesize 200;
SQL> select * from v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME       ALGORITHM_DESCRIPTION          IS_ RES     CON_ID
------------ -------------------- ------------------------------ --- --- ----------
           1 AES128               AES 128-bit key                YES NO           0
           2 AES192               AES 192-bit key                NO  NO           0
           3 AES256               AES 256-bit key                NO  NO           0

IS_ and RES are the IS_DEFAULT and RESTRICTED columns truncated by the column width; AES128 is the default algorithm.
Password encryption
The following is a backup encrypted with a password:
1. set encryption on identified by 'oracle' only;
2. backup database;
3. Delete a data file, then shutdown abort
4. The restart reports an error
5. Recovering with RMAN reports that the wallet is not open
6. set decryption identified by 'oracle';
7. restore datafile 2; recover datafile 2;
8. Success.
Example:
RMAN> show all
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

# enable encryption
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored

# check
RMAN> show encryption for database;
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION FOR DATABASE ON;

# ONLY means password-only encryption; the password is set to oracle
RMAN> set encryption on identified by 'oracle' only;
executing command: SET encryption

# back up the tablespace, then shut the database down
RMAN> backup tablespace users format '/tmp/test/user_%d_%s';
RMAN> shutdown abort;

# delete the physical file
[oracle@db2 ~]$ rm -f /u01/app/oracle/oradata/ORCL/users01.dbf

# with the file missing, startup fails
RMAN> startup;
connected to target database (not started)
Oracle instance started
database mounted
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of startup command at 05/11/2022 16:17:25
ORA-01157: cannot identify/lock data file 7 - see DBWR trace file
ORA-01110: data file 7: '/u01/app/oracle/oradata/ORCL/users01.dbf'

# restore fails: the wallet is not open
RMAN> restore tablespace users;
Starting restore at 11-MAY-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=622 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_438
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 16:19:28
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_438
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

# set the decryption password
RMAN> set decryption identified by 'oracle';
executing command: SET decryption

# restore now works
RMAN> restore tablespace users;
RMAN> recover tablespace users;
RMAN> alter database open;
Statement processed
TDE transparent encryption
Suited to local backup and local recovery
Transparent mode is the default encryption mode. It is best suited to backup and recovery on the same server: move the backup to another server and it cannot be read, because the required key is missing. This method needs no password, so it is well suited to local backup and recovery; if backups do not have to be moved to other machines, this encryption method is recommended. Since no password is needed, only the encryption/decryption credential store, the Oracle Encryption Wallet, has to be configured. Example of the setup steps:
1. Create the wallet
2. Open the wallet
RMAN> sql 'alter system set wallet open identified by oracle';
3. Configure encrypted backups
RMAN> configure encryption for database on;
4. Back up the database
5. Before restoring the database, make sure the wallet is open
RMAN> sql 'alter system set wallet open identified by oracle';
6. Restore the database
Example:
# wallet configuration
Add the following entry to /u01/app/oracle/product/19.3/dbhome_1/network/admin/sqlnet.ora:
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=
(DIRECTORY=/u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet)))
# make sure the directory exists
mkdir /u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet
# create the master key
SQL> alter system set key identified by "welcome1";
# open the wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
System altered.
To close the wallet: ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "welcome1";
# once the wallet is created, RMAN backups can use the wallet
RMAN> configure encryption for database on;
RMAN> set encryption on;
# back up, then shut down; shutting down closes the wallet as well, so it has to be reopened before recovery
backup tablespace users format '/tmp/test/user_%d_%s';
shutdown abort
rm -f users01.dbf
# startup fails
startup
# restore reports that the wallet is not open
RMAN> restore tablespace users;
Starting restore at 11-MAY-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 17:26:56
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_439
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
# open the wallet; recovery then works normally
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
Statement processed
RMAN> restore tablespace users;
Starting restore at 11-MAY-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
channel ORA_DISK_1: piece handle=/tmp/test/user_ORCL_439 tag=TAG20220511T172058
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 11-MAY-22
RMAN> recover tablespace users;
startup
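As an added example (not part of the original post), here is a Python pre-restore check for the wallet setup described above. It parses the ENCRYPTION_WALLET_LOCATION entry out of sqlnet.ora, confirms that the wallet directory and its ewallet.p12 exist, and flags a wallet file that is group- or world-accessible: in transparent mode the wallet directory is what protects the master key, so it should be readable only by the Oracle software owner. The sqlnet.ora text and the wallet directory are constructed in a temporary directory, and the function names are my own, not Oracle's.

```python
import os
import re
import stat
import tempfile

# Constructed sqlnet.ora text using the same entry layout as the post.
SAMPLE_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (ALL)
ENCRYPTION_WALLET_LOCATION=
 (SOURCE=(METHOD=FILE)(METHOD_DATA=
 (DIRECTORY=/u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet)))
"""

# File names Oracle uses inside the wallet directory: the password-protected
# wallet and the optional auto-login copy that opens without a password.
WALLET_FILE = "ewallet.p12"
AUTOLOGIN_FILE = "cwallet.sso"


def parse_wallet_directory(sqlnet_text):
    """Return the DIRECTORY value of ENCRYPTION_WALLET_LOCATION, or None.

    The parameter is a nested, parenthesised list that usually spans several
    lines, so whitespace is removed first and the parentheses are then walked
    so that a following parameter cannot be swallowed into the match.
    Paths containing spaces are not handled (assumption).
    """
    flat = re.sub(r"\s+", "", sqlnet_text)
    m = re.search(r"ENCRYPTION_WALLET_LOCATION=\((.*)", flat, re.IGNORECASE)
    if not m:
        return None
    rest, depth, end = m.group(1), 1, len(m.group(1))
    for i, ch in enumerate(rest):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth == 0:
            end = i
            break
    d = re.search(r"\(DIRECTORY=([^)]+)\)", rest[:end], re.IGNORECASE)
    return d.group(1) if d else None


def check_wallet(sqlnet_text):
    """Check the wallet location named in sqlnet.ora.

    Returns (wallet_dir, findings). An empty findings list means the wallet
    directory looks usable for RESTORE and is not exposed to other users.
    """
    wallet_dir = parse_wallet_directory(sqlnet_text)
    if wallet_dir is None:
        return None, ["ENCRYPTION_WALLET_LOCATION is not set in sqlnet.ora"]
    if not os.path.isdir(wallet_dir):
        return wallet_dir, ["wallet directory does not exist: " + wallet_dir]
    findings = []
    p12 = os.path.join(wallet_dir, WALLET_FILE)
    if not os.path.isfile(p12):
        findings.append("no %s in %s: create the master key first" % (WALLET_FILE, wallet_dir))
    else:
        mode = stat.S_IMODE(os.stat(p12).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s is group/world accessible (mode %o); restrict it to the software owner" % (p12, mode))
    if os.path.isfile(os.path.join(wallet_dir, AUTOLOGIN_FILE)):
        findings.append("auto-login wallet %s present: it opens without a password, so the directory itself is the secret" % AUTOLOGIN_FILE)
    return wallet_dir, findings


def demo():
    """Run the check against a constructed wallet directory in a temp dir and
    return the findings before the wallet file exists, with a 0600 wallet,
    and with a 0644 wallet."""
    with tempfile.TemporaryDirectory() as tmp:
        wallet_dir = os.path.join(tmp, "wallet")
        os.mkdir(wallet_dir)
        sqlnet = SAMPLE_SQLNET_ORA.replace(
            "/u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet", wallet_dir)
        missing = check_wallet(sqlnet)[1]
        p12 = os.path.join(wallet_dir, WALLET_FILE)
        with open(p12, "wb") as f:
            f.write(b"constructed placeholder, not a real PKCS#12 wallet")
        os.chmod(p12, 0o600)
        good = check_wallet(sqlnet)[1]
        os.chmod(p12, 0o644)
        loose = check_wallet(sqlnet)[1]
    return missing, good, loose


if __name__ == "__main__":
    print(parse_wallet_directory(SAMPLE_SQLNET_ORA))
    for findings in demo():
        print(findings or ["OK"])
```

Run it before a restore on a server where you expect transparent-mode backups to be readable: an empty findings list means the wallet is where sqlnet.ora says it is and is not readable by other local accounts; the ORA-28365 seen in the transcript above can still occur if the wallet exists but has simply not been opened since the instance restarted.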
Changing the wallet password:
1. From the command line:
$ orapki wallet change_pwd -wallet /u01/key -oldpwd oracle123 -newpwd oracle456
2. With the graphical tool owm:
Wallet -> Open opens the wallet directory; then make the relevant settings.
Dual encryption
That is, TDE is used locally and the password is used for recovery elsewhere.
Example:
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
# without ONLY
RMAN> set encryption on identified by 'oracle';
# make sure the wallet is configured and open
SELECT * FROM v$encryption_wallet;
# reopen it
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY oracle;
# back up the tablespace, shut down, delete the data file
RMAN> backup tablespace users format '/tmp/test/user_%d_%s';
shutdown abort
rm -f users01.dbf
# startup fails, as expected
startup
# restore
RMAN> restore tablespace users;
從位於 11-5月 -22 的 restore 開始
使用通道 ORA_DISK_1
通道 ORA_DISK_1: 正在開始還原資料檔案備份集
通道 ORA_DISK_1: 正在指定從備份集還原的資料檔案
通道 ORA_DISK_1: 將資料檔案 00007 還原到 /u01/app/oracle/oradata/ORCL/users01.dbf
通道 ORA_DISK_1: 正在讀取備份片段 /tmp/test/user_ORCL_68
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: 位於 05/11/2022 20:52:27 的 restore 命令失敗
ORA-19870: 還原備份片段 /tmp/test/user_ORCL_68 時出錯
ORA-19913: 無法解密備份
ORA-28365: Wallet 未開啟
# set the password to recover (note that the wallet is closed after the restart here, which indirectly shows how recovery on another host, where the wallet is not available, works)
RMAN> set decryption identified by 'oracle';
正在執行命令: SET decryption
# restore works normally
RMAN> restore tablespace users;
從位於 11-5月 -22 的 restore 開始
使用通道 ORA_DISK_1
通道 ORA_DISK_1: 正在開始還原資料檔案備份集
通道 ORA_DISK_1: 正在指定從備份集還原的資料檔案
通道 ORA_DISK_1: 將資料檔案 00007 還原到 /u01/app/oracle/oradata/ORCL/users01.dbf
通道 ORA_DISK_1: 正在讀取備份片段 /tmp/test/user_ORCL_73
通道 ORA_DISK_1: 片段控制代碼 = /tmp/test/user_ORCL_73 標記 = TAG20220511T210214
通道 ORA_DISK_1: 已還原備份片段 1
通道 ORA_DISK_1: 還原完成, 用時: 00:00:01
在 11-5月 -22 完成了 restore
RMAN> recover tablespace users;
RMAN> alter database open;
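To tie the three sections together, here is an added Python example (not from the post) that infers which encryption mode a sequence of RMAN commands leaves in effect (transparent, password-only with ONLY, or dual) and, given the ORA-19913/ORA-28365 error stack shown in each transcript, lists the commands that can resolve it in that mode. The RMAN command fragments and the error stack are constructed copies of what the post shows; the function names and the placeholder passwords are my own assumptions.

```python
import re

# Constructed RMAN command sequences, one per mode described in the post.
PASSWORD_ONLY_SESSION = """
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
RMAN> set encryption on identified by 'oracle' only;
"""
TRANSPARENT_SESSION = """
RMAN> configure encryption for database on;
RMAN> set encryption on;
"""
DUAL_SESSION = """
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
RMAN> set encryption on identified by 'oracle';
"""

# Constructed copy of the error stack the post shows when the wallet is closed.
RESTORE_ERROR = """
RMAN-03002: failure of restore command at 05/11/2022 17:26:56
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_439
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
"""

CONFIGURE_ENCRYPTION = re.compile(
    r"configure\s+encryption\s+for\s+database\s+(on|off)\s*;", re.I)
SET_ENCRYPTION = re.compile(
    r"set\s+encryption\s+(on|off)(?:\s+identified\s+by\s+'[^']*'(\s+only)?)?\s*;", re.I)

# The command that supplies the credential each mode accepts at restore time
# (passwords are placeholders, not values from the post).
OPEN_WALLET = 'ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet password>";'
SET_PASSWORD = "SET DECRYPTION IDENTIFIED BY '<backup password>';"
REMEDIES = {
    "transparent": [OPEN_WALLET],           # only the wallet can decrypt
    "password": [SET_PASSWORD],             # ONLY: only the password can
    "dual": [OPEN_WALLET, SET_PASSWORD],    # either credential works
}


def backup_encryption_mode(session):
    """Return the mode ('off', 'transparent', 'password' or 'dual') that the
    last relevant command in an RMAN session leaves in effect.

    CONFIGURE ... ON and a bare SET ENCRYPTION ON give transparent mode;
    IDENTIFIED BY ... ONLY gives password-only; IDENTIFIED BY without ONLY
    gives dual mode. This mirrors the post's examples and deliberately
    ignores persistent configuration stored by earlier sessions.
    """
    mode = "off"
    for line in session.splitlines():
        cmd = line.strip()
        if cmd.upper().startswith("RMAN>"):
            cmd = cmd[5:].strip()
        m = CONFIGURE_ENCRYPTION.match(cmd)
        if m:
            mode = "transparent" if m.group(1).lower() == "on" else "off"
            continue
        m = SET_ENCRYPTION.match(cmd)
        if m:
            if m.group(1).lower() == "off":
                mode = "off"
            elif "identified" not in cmd.lower():
                mode = "transparent"
            elif m.group(2):
                mode = "password"
            else:
                mode = "dual"
    return mode


def triage(rman_output, mode):
    """Return the RMAN-side commands that can clear an 'unable to decrypt'
    failure for a backup made in `mode`. An empty list means the failure is
    not a decryption problem (e.g. the ORA-01157 seen at startup in the post).
    """
    codes = set(re.findall(r"\b(?:ORA|RMAN)-\d{5}\b", rman_output))
    if not codes & {"ORA-19913", "ORA-28365"}:
        return []
    # With encryption off in this session the piece was made elsewhere, so
    # either credential might be the right one: offer both.
    return list(REMEDIES.get(mode, REMEDIES["dual"]))


if __name__ == "__main__":
    for name, session in (("password", PASSWORD_ONLY_SESSION),
                          ("transparent", TRANSPARENT_SESSION),
                          ("dual", DUAL_SESSION)):
        mode = backup_encryption_mode(session)
        print(name, "->", mode, triage(RESTORE_ERROR, mode))
```

The point the dual-mode transcript makes is visible in the output: ORA-28365 is the same message in all three modes, so the error alone does not say which credential is missing; what decides the remedy is how the backup was taken, which is why recording the mode alongside the backup matters for recovery on another host.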