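4.3.10 Encrypting Backups
To ensure the security and privacy of your backups, you can encrypt them in one of three ways: transparent encryption, password encryption, or dual-mode encryption. By default, encryption is turned off.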
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
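The following sections describe how to enable each type of encryption.
1. Using Transparent Encryption
Use the following CONFIGURE command to make transparent encryption (wallet-based encryption) the default RMAN encryption method: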
RMAN> configure encryption for database on;
starting full resync of recovery catalog
full resync complete
new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored
starting full resync of recovery catalog
full resync complete
RMAN>
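Note that the database wallet must also be open. If the wallet is not open, everything appears normal until the encryption process starts. Note the backup failure error message in the following output: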
RMAN> backup as compressed backupset tablespace users;
Starting backup at 25-MAY-14
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=106 device type=DISK
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00004 name=+DATA/RPT12C/datafile/
    users.259.632441707
channel ORA_DISK_1: starting piece 1 at 25-MAY-14
RMAN-00571: ===================================================
RMAN-00569: ============ ERROR MESSAGE STACK FOLLOWS ==========
RMAN-00571: ===================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 05/25/2014 20:04:31
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open
RMAN>
Open the wallet at the SQL> prompt so that the backup runs more smoothly:
SQL> alter system set encryption wallet open
  2  identified by "fre#3dXX0";
System altered.
SQL>
.
RMAN> backup as compressed backupset tablespace users;
Starting backup at 25-MAY-14
using channel ORA_DISK_1
. . .
channel ORA_DISK_1: starting piece 1 at 25-MAY-14
channel ORA_DISK_1: finished piece 1 at 25-MAY-14
piece handle=+RECOV/dw/backupset/2014_05_25/
    nnndf0_tag20080509t201659_0.550.654293845 tag=TAG20080509T201659 comment=NONE
channel ORA_DISK_1: backupset complete, elapsed time: 00:00:16
Finished backup at 25-MAY-14
RMAN>
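Even if transparent encryption is not the default encryption method, you can turn it on for the duration of a single backup. As in the previous example, the database wallet must be open. See the following example: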
RMAN> set encryption on;
executing command: SET encryption
RMAN> backup as compressed backupset tablespace users;
Starting backup at 25-MAY-14
using channel ORA_DISK_1
. . .
channel ORA_DISK_1: backupset complete, elapsed time: 00:00:09
Finished backup at 25-MAY-14
RMAN> set encryption off;
executing command: SET encryption
RMAN>
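To restore or recover from an encrypted backup, the database wallet must be open, and before performing the recovery operation you must either enable the encryption default or use SET ENCRYPTION ON.
2. Using Password Encryption
To enable password encryption for a specific backup, use the SET ENCRYPTION command as follows: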
RMAN> set encryption identified by "F45$Xa98";
executing command: SET encryption
RMAN> backup as compressed backupset tablespace users;
. . .
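Tip:
Because passwords can be lost, forgotten, or easily intercepted, password encryption is inherently less reliable and less secure than transparent (wallet-based) encryption. Use password encryption only when backups must be transferred to a different database.
When you restore this backup, whether to the same database (if wallet-based encryption is turned off) or to a different database, you must supply the password for decryption with SET DECRYPTION: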
RMAN> set decryption identified by "F45$Xa98";
executing command: SET decryption
RMAN>
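If you are recovering one or more tablespaces (or the entire database) from backups that use different passwords, you can conveniently specify all of the passwords at once with SET DECRYPTION: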
RMAN> set decryption identified by "F45$Xa98", "XX407$9! @";
executing command: SET decryption
RMAN>
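For each encrypted backup, RMAN tries each password until it finds a match. RMAN terminates with an error message only if none of the passwords matches any of the passwords in any of the backups.
3. Using Dual-Mode Encryption
You can use transparent encryption and password encryption at the same time. This is useful if the backups are used for restore and recovery in the same database and are sometimes used to recover another database. When both methods are in effect, you can restore the backup using either the password or the database wallet. When recovering to a remote database, you must specify the password before the recovery, as follows: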
RMAN> set encryption on;
executing command: SET encryption
RMAN> set encryption identified by "F45$Xa98";
executing command: SET encryption
RMAN>
If you want to use only password-based encryption for a backup, add the ONLY clause to SET ENCRYPTION:
RMAN> set encryption identified by "F45$Xa98" only;
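As a result, even if the ENCRYPTION default is ON (so that the wallet encryption method would be used), all subsequent backups use only password encryption until you turn off password encryption or exit RMAN completely.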
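The following Python script is an added example, not part of the original text and not an Oracle tool. It audits a saved RMAN session log for two things this section describes: backups that failed because the wallet was closed (ORA-28365), and passwords that SET ENCRYPTION / SET DECRYPTION commands leave in clear text in the log. The sample log is constructed, and the names audit, redact and SAMPLE_LOG are assumptions made for the example.

```python
import re

PROMPT = re.compile(r'^RMAN>\s*(.*)$')
SECRET_CMD = re.compile(r'set\s+(?:en|de)cryption\b.*identified\s+by', re.I)
ERROR = re.compile(r'^((?:ORA|RMAN)-\d{5}):')
BANNER = {'RMAN-00571', 'RMAN-00569'}  # error-stack frame lines, not real errors

# Constructed session log, modelled on the transcripts in this section.
SAMPLE_LOG = '''\
RMAN> set encryption on;
executing command: SET encryption
RMAN> backup as compressed backupset tablespace users;
Starting backup at 25-MAY-14
RMAN-00571: ===================================================
RMAN-00569: ============ ERROR MESSAGE STACK FOLLOWS ==========
RMAN-00571: ===================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 05/25/2014 20:04:31
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open
RMAN> set encryption identified by "F45$Xa98" only;
RMAN> backup as compressed backupset tablespace users;
Starting backup at 25-MAY-14
Finished backup at 25-MAY-14
RMAN> set decryption identified by "F45$Xa98", "Constructed#2";
'''

def redact(line):
    """Mask quoted passwords in SET ENCRYPTION / SET DECRYPTION commands."""
    return re.sub(r'"[^"]*"', '"********"', line) if SECRET_CMD.search(line) else line

def audit(log):
    """Return (redacted log, one finding per BACKUP command in the log)."""
    out, findings, current = [], [], None
    for line in log.splitlines():
        out.append(redact(line))
        prompt, err = PROMPT.match(line), ERROR.match(line)
        if prompt:  # a new command ends the previous command's output
            current = None
            if prompt.group(1).lower().startswith('backup'):
                current = {'command': prompt.group(1), 'status': 'incomplete', 'errors': []}
                findings.append(current)
        elif current and err and err.group(1) not in BANNER:
            current['errors'].append(err.group(1))
            current['status'] = 'failed'
        elif current and line.startswith('Finished backup') and not current['errors']:
            current['status'] = 'ok'
    for f in findings:  # ORA-28365 is the closed-wallet failure shown above
        f['wallet_closed'] = 'ORA-28365' in f['errors']
    return '\n'.join(out), findings
```

Call audit() on the text of a log before archiving it: store the redacted copy, and alert on any finding whose status is not 'ok'.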