数据的安全越来越重要,不是说你的生产库安全,你的数据就一定安全了,rman备份也是泄露数据的一个重要地方,如果别人拿到了你的备份集,一样等同入侵了你的生产库。为了rman备份的安全,最简单方式就是使用set encryption方式在rman备份过程中设置密码,需要版本为10.2及其以后企业版版,另外如果需要备份到带库只能使用oracle自己的osb(Oracle Secure Backup),注意rman只有backupset可以加密,copy无法进行加密
数据库版本
SQL>
select
* from
v$version; BANNER -------------------------------------------------------------------------------- Oracle
Database
11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production PL/SQL
Release 11.2.0.4.0 - Production CORE
11.2.0.4.0 Production TNS
for
Linux: Version 11.2.0.4.0 - Production NLSRTL
Version 11.2.0.4.0 - Production SQL>
show parameter compatible NAME
TYPE VALUE ------------------------------------
----------- ------------------------------ compatible
string 11.2.0.4.0 |
支持rman加密算法
SQL>
select
ALGORITHM_NAME 2
from
V$RMAN_ENCRYPTION_ALGORITHMS; ALGORITHM_NAME ---------------------------------------------------------------- AES128 AES192 AES256 |
调整加密算法
RMAN>
show ENCRYPTION ALGORITHM; RMAN
configuration parameters for
database
with
db_unique_name ORCL are: CONFIGURE
ENCRYPTION ALGORITHM 'AES128' ;
# default RMAN>
CONFIGURE ENCRYPTION ALGORITHM 'AES256' ; new
RMAN configuration parameters: CONFIGURE
ENCRYPTION ALGORITHM 'AES256' ; new
RMAN configuration parameters are successfully stored RMAN>
show ENCRYPTION ALGORITHM; using
target database
control file instead
of
recovery catalog RMAN
configuration parameters for
database
with
db_unique_name ORCL are: CONFIGURE
ENCRYPTION ALGORITHM 'AES256' ; |
创建新测试数据文件
我们这里测试的是对新创建的5号文件进行加密备份和还原
SQL>
select
name
from
v$datafile; NAME -------------------------------------------------------------------------------- /u01/app/oracle/oradata/orcl/system01.dbf /u01/app/oracle/oradata/orcl/sysaux01.dbf /u01/app/oracle/oradata/orcl/undotbs01.dbf /u01/app/oracle/oradata/orcl/users01.dbf SQL>
create
tablespace rman_xifenfei datafile 2
'/u01/app/oracle/oradata/orcl/xifenfei01.dbf'
size
100M; Tablespace
created. SQL>
select
file#, name
from
v$datafile; FILE#
NAME ----------
-------------------------------------------------- 1
/u01/app/oracle/oradata/orcl/system01.dbf 2
/u01/app/oracle/oradata/orcl/sysaux01.dbf 3
/u01/app/oracle/oradata/orcl/undotbs01.dbf 4
/u01/app/oracle/oradata/orcl/users01.dbf 5
/u01/app/oracle/oradata/orcl/xifenfei01.dbf SQL>
create
table
chf.t_xifenfei tablespace rman_xifenfei 2
as
select
* from
dba_objects; Table
created. SQL>
select
count (*)
from
chf.t_xifenfei; COUNT (*) ---------- 86721 |
rman加密备份
RMAN>
set
encryption on identified by 'www.xifenfei.com'
only; executing
command :
SET encryption RMAN>
backup datafile 5; Starting
backup at 28-JAN-15 allocated
channel: ORA_DISK_1 channel
ORA_DISK_1: SID=5 device type =DISK channel
ORA_DISK_1: starting full datafile backup set channel
ORA_DISK_1: specifying datafile(s) in
backup set input
datafile file
number=00005 name= /u01/app/oracle/oradata/orcl/xifenfei01 .dbf channel
ORA_DISK_1: starting piece 1 at 28-JAN-15 channel
ORA_DISK_1: finished piece 1 at 28-JAN-15 piece
handle= /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_ .bkp
tag=TAG20150128T230115 comment=NONE channel
ORA_DISK_1: backup set
complete, elapsed time :
00:00:01 Finished
backup at 28-JAN-15 |
准备恢复测试
RMAN>
sql 'alter
database datafile 5 offline' ; sql
statement: alter database datafile 5 offline [oracle@localhost
~]$ rm
/u01/app/oracle/oradata/orcl/xifenfei01 .dbf [oracle@localhost
~]$ ls
/u01/app/oracle/oradata/orcl/xifenfei01 .dbf ls :
/u01/app/oracle/oradata/orcl/xifenfei01 .dbf:
No such file
or directory |
rman恢复测试
[oracle@localhost
~]$ rman target / Recovery
Manager: Release 11.2.0.4.0 - Production on Wed Jan 28 23:02:24 2015 Copyright
(c) 1982, 2011, Oracle and /or
its affiliates. All rights reserved. connected
to target database: ORCL (DBID=1378620768) RMAN>
list backup of datafile 5; using
target database control file
instead of recovery catalog List
of Backup Sets =================== BS
Key Type LV Size Device Type Elapsed Time Completion Time -------
---- -- ---------- ----------- ------------ --------------- 1
Full 10.94M DISK 00:00:01 28-JAN-15 BP
Key: 1 Status: AVAILABLE Compressed: NO Tag: TAG20150128T230115 Piece
Name: /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_ .bkp List
of Datafiles in
backup set
1 File
LV Type Ckp SCN Ckp Time Name ----
-- ---- ---------- --------- ---- 5
Full 54057180 28-JAN-15 /u01/app/oracle/oradata/orcl/xifenfei01 .dbf --未输入密码 RMAN>
restore datafile 5; Starting
restore at 28-JAN-15 allocated
channel: ORA_DISK_1 channel
ORA_DISK_1: SID=492 device type =DISK channel
ORA_DISK_1: starting datafile backup set
restore channel
ORA_DISK_1: specifying datafile(s) to restore from backup set channel
ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01 .dbf channel
ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_ .bkp RMAN-00571:
=========================================================== RMAN-00569:
=============== ERROR MESSAGE STACK FOLLOWS =============== RMAN-00571:
=========================================================== RMAN-03002:
failure of restore command
at 01 /28/2015
23:02:52 ORA-19870:
error while
restoring backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_ .bkp ORA-19913:
unable to decrypt backup ORA-28365:
wallet is not open --设置错误密码 RMAN>
SET DECRYPTION IDENTIFIED BY 'www.orasos.com' ; executing
command :
SET decryption RMAN>
restore datafile 5; Starting
restore at 28-JAN-15 using
channel ORA_DISK_1 channel
ORA_DISK_1: starting datafile backup set
restore channel
ORA_DISK_1: specifying datafile(s) to restore from backup set channel
ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01 .dbf channel
ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_ .bkp RMAN-00571:
=========================================================== RMAN-00569:
=============== ERROR MESSAGE STACK FOLLOWS =============== RMAN-00571:
=========================================================== RMAN-03002:
failure of restore command
at 01 /28/2015
23:03:31 ORA-19870:
error while
restoring backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_ .bkp ORA-19913:
unable to decrypt backup ORA-28365:
wallet is not open --设置正确密码 RMAN>
SET DECRYPTION IDENTIFIED BY 'www.xifenfei.com' ; executing
command :
SET decryption RMAN>
restore datafile 5; Starting
restore at 28-JAN-15 using
channel ORA_DISK_1 channel
ORA_DISK_1: starting datafile backup set
restore channel
ORA_DISK_1: specifying datafile(s) to restore from backup set channel
ORA_DISK_1: restoring datafile 00005 to /u01/app/oracle/oradata/orcl/xifenfei01 .dbf channel
ORA_DISK_1: reading from backup piece /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_ .bkp channel
ORA_DISK_1: piece handle= /u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_ .bkp
tag=TAG20150128T230115 channel
ORA_DISK_1: restored backup piece 1 channel
ORA_DISK_1: restore complete, elapsed time :
00:00:01 Finished
restore at 28-JAN-15 |
验证数据还原
RMAN>
recover datafile 5; Starting
recover at 28-JAN-15 using
target database control file
instead of recovery catalog allocated
channel: ORA_DISK_1 channel
ORA_DISK_1: SID=7 device type =DISK starting
media recovery media
recovery complete, elapsed time :
00:00:00 Finished
recover at 28-JAN-15 RMAN>
sql 'alter
database datafile 5 online' ; sql
statement: alter database datafile 5 online RMAN>
exit Recovery
Manager complete. [oracle@localhost
~]$ sqlplus / as sysdba SQL*Plus:
Release 11.2.0.4.0 Production on Wed Jan 28 23:05:55 2015 Copyright
(c) 1982, 2013, Oracle. All rights reserved. Connected
to: Oracle
Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production With
the Partitioning, OLAP, Data Mining and Real Application Testing options SQL>
select
count(*) from chf.t_xifenfei; COUNT(*) ---------- 86721 |
至此我们可以看到,最简单的rman加密备份和加密恢复测试完成,在使用set encryption加密后,如果不输入或者错误的输入密码无法使用备份集,从而确保了备份集的安全.