- OCP认证考试指南(1ZO-063) Oracle Database 12c高级管理
- Bob Bryla
- 1132字
- 2021-03-26 13:18:08
4.3.10 加密备份
为了确保备份的安全性和隐私性,可以按以下3种方式之一加密它们:透明加密、密码加密或双模式加密。默认情况下,会关闭加密功能。
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
下面几节中将介绍如何启用每种加密类型。
1.使用透明加密
使用如下的CONFIGURE命令,将透明加密(基于钱包的加密)作为默认的RMAN加密方法:
RMAN> configure encryption for database on; starting full resync of recovery catalog full resync complete new RMAN configuration parameters: CONFIGURE ENCRYPTION FOR DATABASE ON; new RMAN configuration parameters are successfully stored starting full resync of recovery catalog full resync complete RMAN>
注意,也必须打开数据库钱包。如果钱包尚未打开,在加密过程开始前一切都看似正常。请查看下面输出中的备份故障错误消息:
RMAN> backup as compressed backupset tablespace users; Starting backup at 25-MAY-14
allocated channel: ORA_DISK_1 channel ORA_DISK_1: SID=106 device type=DISK channel ORA_DISK_1: starting compressed full datafile backup set channel ORA_DISK_1: specifying datafile(s) in backup set input datafile file number=00004 name=+DATA/RPT12C/datafile/ users.259.632441707 channel ORA_DISK_1: starting piece 1 at 25-MAY-14 RMAN-00571: =================================================== RMAN-00569: ============ ERROR MESSAGE STACK FOLLOWS ========== RMAN-00571: =================================================== RMAN-03009: failure of backup command on ORA_DISK_1 channel at 05/25/2014 20:04:31 ORA-19914: unable to encrypt backup ORA-28365: wallet is not open RMAN>
在SQL>提示符处打开钱包,以便更加顺利地运行:
SQL> alter system set encryption wallet open 2 identified by "fre#3dXX0"; System altered. SQL> . RMAN> backup as compressed backupset tablespace users; Starting backup at 25-MAY-14 using channel ORA_DISK_1 . . . channel ORA_DISK_1: starting piece 1 at 25-MAY-14 channel ORA_DISK_1: finished piece 1 at 25-MAY-14 piece handle=+RECOV/dw/backupset/2014_05_25/ nnndf0_tag20080509t201659_0.550.654293845 tag=TAG20080509T201659 comment=NONE channel ORA_DISK_1: backupset complete, elapsed time: 00:00:16 Finished backup at 25-MAY-14 RMAN>
即使透明加密不是默认加密方法,也可以在单次备份期间将其打开。如上例所示,必须打开数据库钱包。见下例:
RMAN> set encryption on; executing command: SET encryption RMAN> backup as compressed backupset tablespace users; Starting backup at 25-MAY-14 using channel ORA_DISK_1 . . . channel ORA_DISK_1: backupset complete, elapsed time: 00:00:09
Finished backup at 25-MAY-14 RMAN> set encryption off; executing command: SET encryption RMAN>
要使用加密备份进行还原或恢复,必须打开数据库钱包,而且在执行恢复操作前,要么启用加密默认设置,要么使用SET ENCRYPTION ON。
2.使用密码加密
要为特定备份启用密码加密,请使用SET ENCRYPTION命令,如下所示:
RMAN> set encryption identified by "F45$Xa98"; executing command: SET encryption RMAN> backup as compressed backupset tablespace users; . . .
提示:
由于密码可能丢失、忘记或被人轻易截获,密码加密自然不如透明加密(钱包加密)那样可靠和安全。只应在必须将备份传输到不同数据库时使用密码加密。
在还原此备份时,不管是还原到同一个数据库(如果关闭了基于钱包的加密)还是不同的数据库,都必须使用SET DECRYPTION对密码进行解密:
RMAN> set decryption identified by "F45$Xa98"; executing command: SET decryption RMAN>
如果基于使用不同密码的备份恢复一个或多个表空间(或整个数据库),则可以使用SET DECRYPTION一次性指定所有密码,这种做法十分方便:
RMAN> set decryption identified by "F45$Xa98", "XX407$9! @"; executing command: SET decryption RMAN>
对于每个加密备份,RMAN将尝试使用每个密码,直至找到匹配项为止。只有任何密码都与任何备份中的任何密码不匹配时,RMAN才会终止并显示错误消息。
3.使用双模式加密
可以同时使用透明加密和密码加密。如果使用备份在同一个数据库中执行还原和恢复,而且有时使用备份恢复另一个数据库,这是一种有用的做法。如果两种方法都有效,则可以使用密码或数据库钱包来还原备份。恢复到远程数据库时,必须在恢复前指定密码,如下所示:
RMAN> set encryption on; executing command: SET encryption RMAN> set encryption identified by "F45$Xa98"; executing command: SET encryption RMAN>
如果仅为备份使用基于密码的加密,请为SET ENCRYPTION添加ONLY子句:
RMAN> set encryption identified by "F45$Xa98" only;
结果,即使ENCRYPTION的默认设置为ON(因此会使用钱包加密方法),所有后续备份也仅使用密码加密,这种情况一直持续到关闭密码加密或完全退出RMAN时为止。