RMAN encrypted backups (password, TDE transparent, dual mode)

Contents

RMAN encryption

  1. Password encryption: works just like typing in a password

  2. TDE transparent encryption: suited to local encryption and local recovery

  3. Dual mode: a combination of the two

Encryption algorithms

SQL> col ALGORITHM_NAME for a20;
SQL> col ALGORITHM_DESCRIPTION for a30;
SQL> set linesize 200;
SQL> select * from v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME       ALGORITHM_DESCRIPTION          IS_ RES     CON_ID
------------ -------------------- ------------------------------ --- --- ----------
           1 AES128               AES 128-bit key                YES NO           0
           2 AES192               AES 192-bit key                NO  NO           0
           3 AES256               AES 256-bit key                NO  NO           0



Password encryption

The following backs up the database with password encryption:

1. set encryption on identified by 'oracle' only;

2. backup database;

3. Delete a data file, then shutdown abort

4. The restart fails with an error

5. Restoring with RMAN reports that the wallet is not open

6. set decryption identified by 'oracle';

7. restore datafile 2; recover datafile 2;

8. Done.

Example:

RMAN> show all
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default


# enable encryption
RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored


# check the setting
RMAN> show encryption for database;

RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION FOR DATABASE ON;



# ONLY means encrypt with the password alone; the password is set to oracle
RMAN> set encryption on identified by 'oracle' only;

executing command: SET encryption

# back up the tablespace, then shut the database down
RMAN> backup tablespace users format '/tmp/test/user_%d_%s';
RMAN> shutdown abort;

# delete the physical file
[oracle@db2 ~]$ rm -f /u01/app/oracle/oradata/ORCL/users01.dbf

# the file is missing, so startup fails
RMAN> startup;
connected to target database (not started)
Oracle instance started
database mounted
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of startup command at 05/11/2022 16:17:25
ORA-01157: cannot identify/lock data file 7 - see DBWR trace file
ORA-01110: data file 7: '/u01/app/oracle/oradata/ORCL/users01.dbf'

# restore fails, reporting that the wallet is not open
RMAN> restore tablespace users;
Starting restore at 11-MAY-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=622 device type=DISK

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_438
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 16:19:28
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_438
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open


# set the decryption password
RMAN> set decryption identified by 'oracle';

executing command: SET decryption


# restore now succeeds
RMAN> restore tablespace users;
RMAN> recover tablespace users;

RMAN> alter database open;

Statement processed

TDE transparent encryption

Suited to local backup and local recovery

Transparent mode is the default encryption mode. It fits backup and recovery on the same server; on a different server the backup cannot be read, because the required key is missing. This method needs no password and is a good choice for local backup and recovery; if the backups never have to be moved to another machine, this encryption method is recommended. Since no password is needed, only the encryption/decryption credential store, the Oracle Encryption Wallet, has to be configured. Example of the setup steps:

1. Create the wallet

2. Open the wallet

RMAN> sql 'alter system set wallet open identified by oracle';

3. Configure encrypted backups

RMAN> configure encryption for database on;

4. Back up the database

5. Make sure the wallet is open before restoring the database

RMAN> sql 'alter system set wallet open identified by oracle';

6. Restore the database

Example

# wallet configuration
# add the following entry to /u01/app/oracle/product/19.3/dbhome_1/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet)))

# make sure the directory exists
mkdir /u01/app/oracle/product/19.3/dbhome_1/network/admin/wallet

# create the master key
SQL> alter system set key identified by "welcome1";


# open the wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";
System altered.
# close the wallet
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "welcome1";

# once the wallet is created, RMAN backups can use the wallet for encryption
RMAN> configure encryption for database on;
RMAN> set encryption on;

# back up, then shut the database down; shutting down also closes the wallet, so it must be reopened before recovery
backup tablespace users format '/tmp/test/user_%d_%s';
shutdown abort
rm -f users01.dbf

# startup fails
startup

# restore reports that the wallet is not open
RMAN> restore tablespace users;

Starting restore at 11-MAY-22
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 17:26:56
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_439
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open


# open the wallet; recovery then proceeds normally
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "welcome1";

Statement processed

RMAN> restore tablespace users;

Starting restore at 11-MAY-22
using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00007 to /u01/app/oracle/oradata/ORCL/users01.dbf
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_439
channel ORA_DISK_1: piece handle=/tmp/test/user_ORCL_439 tag=TAG20220511T172058
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
Finished restore at 11-MAY-22

RMAN> recover tablespace users;

startup

Changing the wallet password:

1. On the command line:

$orapki wallet change_pwd -wallet /u01/key -oldpwd oracle123 -newpwd oracle456

2. With the graphical tool owm

Choose Wallet -> Open to open the wallet directory, then make the relevant changes

Dual mode encryption

That is, TDE locally and the password for recovery on another site

Example

RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;

# without ONLY
RMAN> set encryption on identified by 'oracle';

# make sure the wallet is configured and open
SELECT * FROM v$encryption_wallet;
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY oracle;  # reopen


# back up the tablespace, shut the database down, delete the data file
RMAN> backup tablespace users format '/tmp/test/user_%d_%s';
shutdown abort
rm -f users01.dbf

# startup fails as expected
startup

# restore
RMAN> restore tablespace users;

從位於 11-5月 -22 的 restore 開始
使用通道 ORA_DISK_1

通道 ORA_DISK_1: 正在開始還原資料檔案備份集
通道 ORA_DISK_1: 正在指定從備份集還原的資料檔案
通道 ORA_DISK_1: 將資料檔案 00007 還原到 /u01/app/oracle/oradata/ORCL/users01.dbf
通道 ORA_DISK_1: 正在讀取備份片段 /tmp/test/user_ORCL_68
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: 位於 05/11/2022 20:52:27 的 restore 命令失敗
ORA-19870: 還原備份片段 /tmp/test/user_ORCL_68 時出錯
ORA-19913: 無法解密備份
ORA-28365: Wallet 未開啟


# set the password to recover (note that after the restart the wallet is closed here, which indirectly demonstrates the case of recovering on another host)
RMAN> set decryption identified by 'oracle';

正在執行命令: SET decryption

# restore succeeds
RMAN> restore tablespace users;

從位於 11-5月 -22 的 restore 開始
使用通道 ORA_DISK_1

通道 ORA_DISK_1: 正在開始還原資料檔案備份集
通道 ORA_DISK_1: 正在指定從備份集還原的資料檔案
通道 ORA_DISK_1: 將資料檔案 00007 還原到 /u01/app/oracle/oradata/ORCL/users01.dbf
通道 ORA_DISK_1: 正在讀取備份片段 /tmp/test/user_ORCL_73
通道 ORA_DISK_1: 片段控制代碼 = /tmp/test/user_ORCL_73 標記 = TAG20220511T210214
通道 ORA_DISK_1: 已還原備份片段 1
通道 ORA_DISK_1: 還原完成, 用時: 00:00:01
在 11-5月 -22 完成了 restore
RMAN> recover tablespace users;
RMAN> alter database open;
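All three modes above fail the same way when no key source is available at restore time (ORA-19913 followed by ORA-28365), while the remedy depends on the mode. The Python helper below, an added example rather than anything from the original post, parses an RMAN restore log and reports which remedy applies; the advice wording and the sample log (assembled from the password-mode output above) are this example's own.

```python
import re
from typing import List, NamedTuple

# "RMAN-03002: ..." / "ORA-28365: ..." lines, and backup-piece paths the channel reports.
ERROR_RE = re.compile(r"^((?:RMAN|ORA)-\d{5}):")
PIECE_RE = re.compile(r"backup piece (\S+)")
BANNER_CODES = {"RMAN-00571", "RMAN-00569"}  # decorative lines framing the error stack


class RestoreDiagnosis(NamedTuple):
    succeeded: bool      # "Finished restore" present
    encrypted: bool      # ORA-19913: unable to decrypt backup
    wallet_closed: bool  # ORA-28365: wallet is not open
    codes: List[str]     # error codes in order, banners dropped
    pieces: List[str]    # distinct backup pieces touched
    advice: str


def diagnose_restore(log_text: str) -> RestoreDiagnosis:
    codes, pieces = [], []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m and m.group(1) not in BANNER_CODES:
            codes.append(m.group(1))
        p = PIECE_RE.search(line)
        if p and p.group(1) not in pieces:
            pieces.append(p.group(1))
    succeeded = "Finished restore" in log_text
    encrypted = "ORA-19913" in codes
    wallet_closed = "ORA-28365" in codes
    if succeeded:
        advice = "restore completed"
    elif encrypted and wallet_closed:
        # No key source at all: wallet closed and no SET DECRYPTION password supplied.
        advice = ("encrypted backup with no key: open the TDE wallet (transparent/dual mode, "
                  "same host) or run SET DECRYPTION IDENTIFIED BY (password/dual mode)")
    elif encrypted:
        advice = "decryption failed with a key source present: verify the password or wallet"
    else:
        advice = "failure unrelated to encryption: " + (codes[-1] if codes else "none")
    return RestoreDiagnosis(succeeded, encrypted, wallet_closed, codes, pieces, advice)


# Constructed sample: the wallet-closed restore attempt from the password-mode section.
FAILED_LOG = """\
channel ORA_DISK_1: reading from backup piece /tmp/test/user_ORCL_438
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 05/11/2022 16:19:28
ORA-19870: error while restoring backup piece /tmp/test/user_ORCL_438
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
"""
```

Feed it the text of an RMAN log (for example the `rman log=` file) to see at a glance whether a failed restore needs the wallet opened or a SET DECRYPTION password.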