4.3.10 Encrypting Backups

To keep backups secure and private, you can encrypt them in one of three ways: transparent encryption, password encryption, or dual-mode encryption. Encryption is turned off by default.

        CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
        CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

The following sections describe how to enable each type of encryption.

1. Using Transparent Encryption

Use the following CONFIGURE command to make transparent (wallet-based) encryption the default RMAN encryption method:

        RMAN> configure encryption for database on;

        starting full resync of recovery catalog
        full resync complete
        new RMAN configuration parameters:
        CONFIGURE ENCRYPTION FOR DATABASE ON;
        new RMAN configuration parameters are successfully stored
        starting full resync of recovery catalog
        full resync complete
        RMAN>

Note that the database wallet must also be open. If the wallet is not open, everything looks normal until the encryption step begins. Note the backup failure error messages in the following output:

        RMAN> backup as compressed backupset tablespace users;

        Starting backup at 25-MAY-14
        allocated channel: ORA_DISK_1
        channel ORA_DISK_1: SID=106 device type=DISK
        channel ORA_DISK_1: starting compressed full datafile backup set
        channel ORA_DISK_1: specifying datafile(s) in backup set
        input datafile file number=00004 name=+DATA/RPT12C/datafile/
              users.259.632441707
        channel ORA_DISK_1: starting piece 1 at 25-MAY-14
        RMAN-00571: ===================================================
        RMAN-00569: ============ ERROR MESSAGE STACK FOLLOWS ==========
        RMAN-00571: ===================================================
        RMAN-03009: failure of backup command on
        ORA_DISK_1 channel at 05/25/2014 20:04:31
        ORA-19914: unable to encrypt backup
        ORA-28365: wallet is not open

        RMAN>

Open the wallet at the SQL> prompt so that the backup runs cleanly:

        SQL> alter system set encryption wallet open
          2    identified by "fre#3dXX0";

        System altered.

        SQL>
            .
        RMAN> backup as compressed backupset tablespace users;

        Starting backup at 25-MAY-14
        using channel ORA_DISK_1
        . . .
        channel ORA_DISK_1: starting piece 1 at 25-MAY-14
        channel ORA_DISK_1: finished piece 1 at 25-MAY-14
        piece handle=+RECOV/dw/backupset/2014_05_25/
              nnndf0_tag20080509t201659_0.550.654293845 tag=TAG20080509T201659
              comment=NONE
        channel ORA_DISK_1: backupset complete, elapsed time: 00:00:16
        Finished backup at 25-MAY-14

        RMAN>

Even when transparent encryption is not the default encryption method, you can turn it on for a single backup. As in the preceding example, the database wallet must be open. See the following example:

        RMAN> set encryption on;
        executing command: SET encryption
        RMAN> backup as compressed backupset tablespace users;

        Starting backup at 25-MAY-14
        using channel ORA_DISK_1
        . . .
        channel ORA_DISK_1: backupset complete, elapsed time: 00:00:09
        Finished backup at 25-MAY-14

        RMAN> set encryption off;
        executing command: SET encryption
        RMAN>

To restore or recover using an encrypted backup, the database wallet must be open, and before the recovery operation either the encryption default must be enabled or SET ENCRYPTION ON must be issued.
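As an added check (example code written here, not from the book or from Oracle): a small Python parser for RMAN session output of the kind shown above, which flags a run that failed because the wallet was closed (ORA-19914 followed by ORA-28365) and reads the CONFIGURE ENCRYPTION default from SHOW-style configuration output; the sample logs are constructed from the output quoted in this section.

```python
import re
from dataclasses import dataclass, field

ERROR_RE = re.compile(r"\b((?:RMAN|ORA)-\d{5})\b")
CONFIG_RE = re.compile(r"CONFIGURE ENCRYPTION FOR DATABASE (ON|OFF);")

# Constructed sample: backup aborted because the wallet was not open.
WALLET_CLOSED_LOG = """Starting backup at 25-MAY-14
channel ORA_DISK_1: starting piece 1 at 25-MAY-14
RMAN-00571: ===================================================
RMAN-03009: failure of backup command on
ORA_DISK_1 channel at 05/25/2014 20:04:31
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open
"""

# Constructed sample: encrypted backup completed after the wallet was opened.
OK_LOG = """Starting backup at 25-MAY-14
using channel ORA_DISK_1
channel ORA_DISK_1: backupset complete, elapsed time: 00:00:16
Finished backup at 25-MAY-14
"""

@dataclass
class BackupOutcome:
    finished: bool                               # "Finished backup at" seen
    errors: list = field(default_factory=list)   # RMAN-/ORA- codes in order
    @property
    def wallet_closed(self) -> bool:
        return "ORA-28365" in self.errors
    @property
    def encryption_failed(self) -> bool:
        return "ORA-19914" in self.errors
    @property
    def ok(self) -> bool:
        return self.finished and not self.errors

def classify_rman_log(text: str) -> BackupOutcome:
    """Summarise one RMAN backup run from its session output."""
    codes = ERROR_RE.findall(text)
    # RMAN-00571 / RMAN-00569 are only the banner around the error stack.
    real = [c for c in codes if c not in ("RMAN-00571", "RMAN-00569")]
    return BackupOutcome(finished="Finished backup at" in text, errors=real)

def encryption_default_on(config_text: str) -> bool:
    """True when SHOW-style output contains CONFIGURE ENCRYPTION FOR DATABASE ON;"""
    m = CONFIG_RE.search(config_text)
    return bool(m and m.group(1) == "ON")
```

A backup job can call classify_rman_log on its captured output and treat wallet_closed as a hard failure rather than relying on the exit status alone.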

2. Using Password Encryption

To enable password encryption for a specific backup, use the SET ENCRYPTION command as follows:

        RMAN> set encryption identified by "F45$Xa98";

        executing command: SET encryption

        RMAN> backup as compressed backupset tablespace users;
        . . .

Tip:

Because a password can be lost, forgotten, or easily intercepted, password encryption is inherently less reliable and less secure than transparent (wallet) encryption. Use password encryption only when the backup must be transferred to a different database.

When restoring this backup, whether to the same database (if wallet-based encryption is turned off) or to a different database, you must supply the password for decryption with SET DECRYPTION:

        RMAN> set decryption identified by "F45$Xa98";
        executing command: SET decryption
        RMAN>

If you are recovering one or more tablespaces (or the entire database) from backups that were encrypted with different passwords, you can conveniently specify all of the passwords at once with SET DECRYPTION:

        RMAN> set decryption identified by "F45$Xa98", "XX407$9! @";

        executing command: SET decryption

        RMAN>

For each encrypted backup, RMAN tries each password until it finds a match. Only when none of the passwords matches the password of any backup does RMAN terminate with an error message.

3. Using Dual-Mode Encryption

You can use transparent encryption and password encryption at the same time. This is useful when the backups are normally used to restore and recover the same database but are sometimes also used to recover a different database. When both methods are in effect, the backup can be restored with either the password or the database wallet. When recovering to a remote database, you must specify the password before the recovery, as shown here:

        RMAN> set encryption on;

        executing command: SET encryption

        RMAN> set encryption identified by "F45$Xa98";

        executing command: SET encryption

        RMAN>

To use password-based encryption only for a backup, add the ONLY clause to SET ENCRYPTION:

        RMAN> set encryption identified by "F45$Xa98" only;

As a result, even if the ENCRYPTION default is ON (so that wallet encryption would otherwise be used), all subsequent backups use only password encryption, until password encryption is turned off or you exit RMAN entirely.