
RMAN Encryption Methods


I. Overview of RMAN backup encryption

To protect backup sets, Oracle provides RMAN backup encryption.

1) Enable encryption with configure

RMAN> configure encryption for database on;

Disable encryption

RMAN> configure encryption for database off;

configure can be applied not only at the database level but also at the tablespace level

RMAN> configure encryption for tablespace users on;

2) Set it with set encryption (this method is very flexible)

RMAN> set encryption on identified by oracle only;   --- oracle is the password

executing command: SET encryption

After starting RMAN, show all displays the configuration related to backup encryption:

CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

3) Change the encryption algorithm

The encryption algorithms RMAN supports can be seen in the following view: V$RMAN_ENCRYPTION_ALGORITHMS

1) View the encryption algorithms RMAN supports

SQL> select ALGORITHM_NAME from  V$RMAN_ENCRYPTION_ALGORITHMS;

ALGORITHM_NAME

----------------------------------------------------------------

AES128

AES192

AES256

2) Set the encryption algorithm

RMAN> configure encryption algorithm 'AES192';
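As an added example (not from the original post), a small Python audit that parses the encryption lines of RMAN `show all` output and flags settings a reviewer would question: database-level encryption off, an algorithm weaker than the strongest one V$RMAN_ENCRYPTION_ALGORITHMS lists, and tablespaces explicitly excluded. The sample input is the `show all` output from this post, reproduced as a constructed string.

```python
import re

# Constructed sample: the lines RMAN prints for `show all`, in the form they
# appear in this post (not captured from a live system).
SHOW_ALL_OUTPUT = """\
RMAN configuration parameters are:
CONFIGURE RETENTION POLICY TO REDUNDANCY 1;
CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
CONFIGURE ENCRYPTION FOR TABLESPACE 'USERS' OFF;
CONFIGURE SNAPSHOT CONTROLFILE NAME TO '/opt/oracle/product/10.2.0/dbs/snapcf_orcl.f'; # default
"""

# Algorithms V$RMAN_ENCRYPTION_ALGORITHMS lists on the post's 10g system, weakest first.
SUPPORTED = ("AES128", "AES192", "AES256")

DB_RE = re.compile(r"^CONFIGURE ENCRYPTION FOR DATABASE (ON|OFF);")
TS_RE = re.compile(r"^CONFIGURE ENCRYPTION FOR TABLESPACE '([^']+)' (ON|OFF);")
ALG_RE = re.compile(r"^CONFIGURE ENCRYPTION ALGORITHM '([^']+)';")

def parse_show_all(text):
    """Return the encryption-related settings found in `show all` output."""
    cfg = {"database": None, "algorithm": None, "tablespaces": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := DB_RE.match(line):
            cfg["database"] = m.group(1)
        elif m := ALG_RE.match(line):
            cfg["algorithm"] = m.group(1)
        elif m := TS_RE.match(line):
            cfg["tablespaces"][m.group(1)] = m.group(2)
    return cfg

def audit(cfg):
    """List settings worth questioning before relying on these backups."""
    findings = []
    if cfg["database"] != "ON":
        findings.append("database-level encryption is not ON: backups stay unencrypted unless each session issues set encryption on")
    if cfg["algorithm"] != SUPPORTED[-1]:
        findings.append(f"algorithm {cfg['algorithm']} is not the strongest supported ({SUPPORTED[-1]})")
    # A tablespace-level OFF takes precedence over DATABASE ON for that tablespace.
    for ts, state in cfg["tablespaces"].items():
        if cfg["database"] == "ON" and state == "OFF":
            findings.append(f"tablespace {ts} is explicitly excluded from encryption")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_all(SHOW_ALL_OUTPUT)):
        print("-", finding)
```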

II. RMAN has three encryption modes

1. Transparent mode

This is the default encryption method. It suits backup and recovery on the same server; on another server the backup cannot be read, because the required key is missing.

This method needs no password and is well suited to local backup and recovery. If the backup will not be moved to another machine, this encryption method is recommended. Because no password is involved, only the encryption/decryption credential store, the Oracle Encryption Wallet, has to be configured.

The default wallet location is $ORACLE_BASE/admin/oraSID/wallet; this directory must be created manually.

sqlnet.ora specifies: ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/home/SEED/db/11.2.0/admin/SEED_ebstestapp02/wallet)))

Experiment:

1) Configure sqlnet.ora, setting the encryption method and the wallet directory

[oracle@hxy ~]$ cd $ORACLE_BASE/admin/SEED_ebstestapp02

[oracle@hxy orcl]$ ll | grep wallet

[oracle@hxy orcl]$ mkdir wallet

[oracle@hxy orcl]$ cd wallet/

2) Create the wallet: set the password, generate the credential file, and open the wallet

[oracle@hxy wallet]$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Apr 8 20:25:58 2014

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SYS@orcl>alter system set encryption key identified by oracle;            // after this completes, the wallet is open by default

System altered.

SYS@orcl>exit

Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

[oracle@hxy wallet]$ ll

total 4

-rw------- 1 oracle oinstall 1309 Apr  8 20:28 ewallet.p12

3) The wallet can then be opened or closed as follows. Note that once the command above completes, the wallet is already open and does not need to be opened again.

SQL> alter system set wallet open identified by "oracle";

SQL> alter system set encryption wallet close;                 // close the wallet

Before backing up in this mode, make sure the wallet is open.

RMAN> configure encryption for database on;

RMAN> list backup;

RMAN> show all;      

RMAN configuration parameters are:

CONFIGURE RETENTION POLICY TO REDUNDANCY 1;

CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE DISK TO 1; # default

CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1; # default

CONFIGURE MAXSETSIZE TO UNLIMITED; # default

CONFIGURE ENCRYPTION FOR DATABASE OFF;

CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

CONFIGURE ENCRYPTION FOR TABLESPACE 'USERS' OFF;

CONFIGURE SNAPSHOT CONTROLFILE NAME TO '/opt/oracle/product/10.2.0/dbs/snapcf_orcl.f'; # default

RMAN> configure encryption for database on;

old RMAN configuration parameters:

CONFIGURE ENCRYPTION FOR DATABASE OFF;

new RMAN configuration parameters:

CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters are successfully stored

RMAN> show all;

RMAN configuration parameters are:

CONFIGURE RETENTION POLICY TO REDUNDANCY 1;

CONFIGURE MAXSETSIZE TO UNLIMITED; # default

CONFIGURE ENCRYPTION FOR DATABASE ON;

CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

CONFIGURE ENCRYPTION FOR TABLESPACE 'USERS' OFF;

CONFIGURE SNAPSHOT CONTROLFILE NAME TO '/opt/oracle/product/10.2.0/dbs/snapcf_orcl.f'; # default

RMAN> set encryption on;

executing command: SET encryption

4) Back up datafile 1

RMAN> backup datafile 1;

Starting backup at 08-APR-14

using target database control file instead of recovery catalog

allocated channel: ORA_DISK_1

channel ORA_DISK_1: sid=157 devtype=DISK

channel ORA_DISK_1: starting full datafile backupset

channel ORA_DISK_1: specifying datafile(s) in backupset

input datafile fno=00001 name=/opt/oracle/oradata/orcl/system01.dbf

channel ORA_DISK_1: starting piece 1 at 08-APR-14

channel ORA_DISK_1: finished piece 1 at 08-APR-14

piece handle=/opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T203526_9n7v8gob_.bkp tag=TAG20140408T203526 comment=NONE

channel ORA_DISK_1: backup set complete, elapsed time: 00:00:35

Finished backup at 08-APR-14

Starting Control File and SPFILE Autobackup at 08-APR-14

piece handle=/opt/oracle/flash_recovery_area/ORCL/autobackup/2014_04_08/o1_mf_s_844374962_9n7v9lr2_.bkp comment=NONE

Finished Control File and SPFILE Autobackup at 08-APR-14

5) Simulate the loss of datafile 1

[oracle@hxy ~]$ cd $ORACLE_BASE/oradata/SEED_ebstestapp02

[oracle@hxy orcl]$ mv system01.dbf system01.dbf.bak

[oracle@hxy orcl]$ ll | grep sys

-rw-r----- 1 oracle oinstall 251666432 Apr  8 20:36 sysaux01.dbf

-rw-r----- 1 oracle oinstall 503324672 Apr  8 20:35 system01.dbf.bak

6) Shut down the database

[oracle@hxy orcl]$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Apr 8 20:40:08 2014

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SYS@orcl>shutdown immediate

ORA-01116: error in opening database file 1

ORA-01110: data file 1: '/opt/oracle/oradata/orcl/system01.dbf'

ORA-27041: unable to open file

Linux Error: 2: No such file or directory

Additional information: 3

SYS@orcl>shutdown abort;

ORACLE instance shut down.

SYS@orcl>exit

Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

7) Start RMAN and perform the recovery

[oracle@hxy orcl]$ rman target /

Recovery Manager: Release 10.2.0.1.0 - Production on Tue Apr 8 20:41:23 2014

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

connected to target database (not started)

RMAN> startup mount;

Oracle instance started

database mounted

Total System Global Area     167772160 bytes

Fixed Size                     1218316 bytes

Variable Size                 79694068 bytes

Database Buffers              83886080 bytes

Redo Buffers                   2973696 bytes

RMAN> restore datafile 1;                    // wallet not opened: after a database restart the wallet must be opened manually, otherwise it cannot be used

Starting restore at 08-APR-14

using target database control file instead of recovery catalog

allocated channel: ORA_DISK_1

channel ORA_DISK_1: sid=157 devtype=DISK

channel ORA_DISK_1: starting datafile backupset restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

restoring datafile 00001 to /opt/oracle/oradata/orcl/system01.dbf

channel ORA_DISK_1: reading from backup piece /opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T203526_9n7v8gob_.bkp

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 04/08/2014 20:42:02

ORA-19870: error reading backup piece /opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T203526_9n7v8gob_.bkp

ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open

RMAN> sql 'alter system set wallet open identified by oracle';           // after a database restart the wallet must be opened manually, otherwise it cannot be used

sql statement: alter system set wallet open identified by oracle

RMAN> restore datafile 1;

Starting restore at 08-APR-14

using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backupset restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

restoring datafile 00001 to /opt/oracle/oradata/orcl/system01.dbf

channel ORA_DISK_1: reading from backup piece /opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T203526_9n7v8gob_.bkp

channel ORA_DISK_1: restored backup piece 1

piece handle=/opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T203526_9n7v8gob_.bkp tag=TAG20140408T203526

channel ORA_DISK_1: restore complete, elapsed time: 00:00:55

Finished restore at 08-APR-14

RMAN> recover datafile 1;

Starting recover at 08-APR-14

using channel ORA_DISK_1

starting media recovery

media recovery complete, elapsed time: 00:00:01

Finished recover at 08-APR-14

RMAN> sql 'alter database open';

sql statement: alter database open

RMAN> OK!

2. Password mode

Set a password before creating the backup; on any machine that needs to restore it, specify the password before running the restore.

Enable it with: set encryption on identified by "password" only;

Before restoring, set the decryption password: set decryption identified by 'password';

This is the simplest mode. At backup time, set the backup password with the following statement, then back up the database or the relevant tablespaces, datafiles, and so on.

RMAN> set encryption on identified by "mypass" only;

RMAN> backup database;

At restore time, the decryption password must be specified:

RMAN> set decryption identified by "mypass";

RMAN> restore database;

Experiment:

1) Set the password

RMAN> set encryption on identified by "oracle" only;

executing command: SET encryption

2) Back up datafile 1 (system01)

RMAN> backup datafile 1 ;

Starting backup at 08-APR-14

using channel ORA_DISK_1

channel ORA_DISK_1: starting full datafile backupset

channel ORA_DISK_1: specifying datafile(s) in backupset

input datafile fno=00001 name=/opt/oracle/oradata/orcl/system01.dbf

channel ORA_DISK_1: starting piece 1 at 08-APR-14

channel ORA_DISK_1: finished piece 1 at 08-APR-14

piece handle=/opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T195508_9n7rwwwq_.bkp tag=TAG20140408T195508 comment=NONE

channel ORA_DISK_1: backup set complete, elapsed time: 00:00:56

Finished backup at 08-APR-14

Starting Control File and SPFILE Autobackup at 08-APR-14

piece handle=/opt/oracle/flash_recovery_area/ORCL/autobackup/2014_04_08/o1_mf_s_844372564_9n7ryp1p_.bkp comment=NONE

Finished Control File and SPFILE Autobackup at 08-APR-14

3) Simulate a failure by removing the system01 file

[oracle@hxy ~]$ cd $ORACLE_BASE/oradata/orcl

[oracle@hxy orcl]$ mv system01.dbf system01.dbf.bak

[oracle@hxy orcl]$ ll | grep sys

-rw-r----- 1 oracle oinstall 251666432 Apr  8 19:56 sysaux01.dbf

-rw-r----- 1 oracle oinstall 503324672 Apr  8 19:55 system01.dbf.bak

4) Shut down the database

[oracle@hxy orcl]$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Apr 8 19:59:16 2014

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SYS@orcl>shutdown immediate

ORA-01116: error in opening database file 1

ORA-01110: data file 1: '/opt/oracle/oradata/orcl/system01.dbf'

ORA-27041: unable to open file

Linux Error: 2: No such file or directory

Additional information: 3

The errors above show that the database has lost the SYSTEM datafile

Force the database down

SYS@orcl>shutdown abort

ORACLE instance shut down.

5) Start RMAN and perform the recovery

[oracle@hxy orcl]$ rman target /

Recovery Manager: Release 10.2.0.1.0 - Production on Tue Apr 8 20:02:50 2014

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

connected to target database (not started)

RMAN> startup mount;                          // the database must first be started to MOUNT before datafiles can be restored

Oracle instance started

database mounted

Total System Global Area     167772160 bytes

Fixed Size                     1218316 bytes

Variable Size                 79694068 bytes

Database Buffers              83886080 bytes

Redo Buffers                   2973696 bytes

RMAN> restore datafile 1;             // try restoring datafile 1 without specifying the password; this fails

Starting restore at 08-APR-14

using target database control file instead of recovery catalog

allocated channel: ORA_DISK_1

channel ORA_DISK_1: sid=157 devtype=DISK

channel ORA_DISK_1: starting datafile backupset restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

restoring datafile 00001 to /opt/oracle/oradata/orcl/system01.dbf

channel ORA_DISK_1: reading from backup piece /opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T195508_9n7rwwwq_.bkp

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 04/08/2014 20:03:14

ORA-19870: error reading backup piece /opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T195508_9n7rwwwq_.bkp

ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open

Set the password and restore again

RMAN> set decryption identified by "oracle";    

executing command: SET decryption

RMAN> restore datafile 1;

Starting restore at 08-APR-14

using channel ORA_DISK_1

channel ORA_DISK_1: starting datafile backupset restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

restoring datafile 00001 to /opt/oracle/oradata/orcl/system01.dbf

channel ORA_DISK_1: reading from backup piece /opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T195508_9n7rwwwq_.bkp

channel ORA_DISK_1: restored backup piece 1

piece handle=/opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T195508_9n7rwwwq_.bkp tag=TAG20140408T195508

channel ORA_DISK_1: restore complete, elapsed time: 00:00:35

Finished restore at 08-APR-14

Restored successfully

Perform media recovery

RMAN> startup mount;

Oracle instance started

database mounted

Total System Global Area     167772160 bytes

Fixed Size                     1218316 bytes

Variable Size                 79694068 bytes

Database Buffers              83886080 bytes

Redo Buffers                   2973696 bytes

RMAN> recover datafile 1;

Starting recover at 08-APR-14

using target database control file instead of recovery catalog

allocated channel: ORA_DISK_1

channel ORA_DISK_1: sid=157 devtype=DISK

starting media recovery

media recovery complete, elapsed time: 00:00:01

Finished recover at 08-APR-14

6) Open the database

[oracle@hxy orcl]$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Tue Apr 8 20:09:32 2014

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SYS@orcl>select status from v$instance;

STATUS

------------

MOUNTED

SYS@orcl>alter database open;

Database altered.

SYS@orcl>select status from v$instance;

STATUS

------------

OPEN

The database opened successfully!
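As an added example (not from the original post), a Python parser for the RMAN error stack that both the transparent-mode and the password-mode experiments above produced when restore ran before the key source was available; it extracts the failed command, the backup piece and the error codes, and maps the ORA-19913/ORA-28365 pair to the fix each experiment applied. The backup mode is an assumption the caller supplies; the sample stack is copied from this post.

```python
import re

# Constructed sample: the error stack RMAN printed in this post when
# `restore datafile 1` ran before the wallet was opened (transparent mode);
# the password-mode experiment produced the same ORA-19913/ORA-28365 pair.
ERROR_STACK = """\
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 04/08/2014 20:42:02
ORA-19870: error reading backup piece /opt/oracle/flash_recovery_area/ORCL/backupset/2014_04_08/o1_mf_nnndf_TAG20140408T203526_9n7v8gob_.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
"""

LINE_RE = re.compile(r"^((?:ORA|RMAN)-\d{5}): (.*)$")
FAIL_RE = re.compile(r"failure of (\w+) command at (\S+ \S+)")
PIECE_RE = re.compile(r"error reading backup piece (\S+)")

# The fix this post applies for each backup encryption mode (mode is supplied by the caller).
REMEDY = {
    "transparent": "open the wallet: sql 'alter system set wallet open identified by <wallet password>'",
    "password": 'set the backup password: set decryption identified by "<password>"',
    "dual": "open the wallet for a local restore, or set decryption identified by <password> elsewhere",
}

def parse_error_stack(text):
    """Pull the command, time, backup piece and error codes out of an RMAN error stack."""
    rec = {"command": None, "time": None, "piece": None, "codes": []}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, msg = m.groups()
        rec["codes"].append(code)
        if code == "RMAN-03002" and (f := FAIL_RE.search(msg)):
            rec["command"], rec["time"] = f.group(1), f.group(2)
        elif code == "ORA-19870" and (p := PIECE_RE.search(msg)):
            rec["piece"] = p.group(1)
    return rec

def remedy(rec, backup_mode):
    """Return the next step; ORA-19913 with ORA-28365 means the key source was not supplied."""
    if "ORA-19913" not in rec["codes"]:
        return None
    if "ORA-28365" in rec["codes"] and backup_mode in REMEDY:
        return REMEDY[backup_mode]
    return "cannot decrypt: verify the wallet or password used at backup time"
```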

3. Dual mode

Dual mode supports both of the methods above at the same time.

To use dual mode, (1) enable encryption through configure and at the same time (2) also run set encryption on identified by password (without the only keyword). Backup and recovery on the same machine then proceed as in transparent mode, while recovery on another machine is still possible as long as the password is known.

Because transparent mode relies on the Oracle Encryption Wallet, such a backup cannot be restored on another machine. In that case an encryption password can be set as well, for example:

RMAN> set encryption on identified by "mypass";


Compared with password mode, the only difference is that the only keyword is missing. In this case no password is needed for local backup and restore; for an off-site restore (for example, restoring this backup on another machine), only the decryption password has to be set.

RMAN> set decryption identified by "mypass";

RMAN> restore database;