Oracle Backup Encryption Basics


RMAN encryption

Encrypting backups on disk requires the Advanced Security Option.
Encrypting backups directly on tape requires RMAN to go through OSB (Oracle Secure Backup).

To create encrypted backups on disk, the database must use the Advanced Security Option.
To create encrypted backups directly on tape, RMAN must use the Oracle Secure Backup SBT interface, but does not require the Advanced Security Option.

In 12c the SYSBACKUP administrative privilege covers the privileges needed for backup and recovery, including connecting to a database that is closed.
An administrator can grant SYSBACKUP instead of SYSDBA to users who only run backup and recovery, which avoids handing out the over-powerful SYSDBA superuser privilege. Unlike SYSDBA, SYSBACKUP does not include SELECT ANY TABLE, so a backup operator cannot read arbitrary application tables.
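A least-privilege backup account set up along these lines, added here as an example that is not part of the original post. The user name bkpops, its password and the TNS alias orcl are assumptions:

```sql
-- Added example, not from the original post. Assumed names: user bkpops,
-- password BkpOpsPw1, TNS alias orcl.

-- ===== SQL*Plus, connected AS SYSDBA =====
CREATE USER bkpops IDENTIFIED BY BkpOpsPw1;
GRANT SYSBACKUP TO bkpops;

-- Administrative privileges are recorded in the password file; bkpops must
-- show SYSBACKUP = TRUE and SYSDBA = FALSE.
SELECT username, sysdba, sysoper, sysbackup
FROM   v$pwfile_users
WHERE  username = 'BKPOPS';

-- ===== RMAN: connect with the backup privilege, not SYSDBA =====
CONNECT TARGET "bkpops/BkpOpsPw1@orcl AS SYSBACKUP"
-- STARTUP MOUNT, BACKUP, RESTORE and RECOVER all work from this connection,
-- while a SELECT against an application table in another schema fails,
-- because SYSBACKUP carries no SELECT ANY TABLE.
```

Scripts and cron jobs should carry only this account; SYSDBA stays reserved for administration, and the v$pwfile_users query is the check to run after any grant.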
--------------------------------------------------------------------
Check the encryption mode setting (OFF means encryption is not enabled globally; it may still be enabled at session level with SET ENCRYPTION, which SHOW does not reveal)

RMAN> show encryption for database;
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

Check the encryption algorithm setting

RMAN> show encryption algorithm;
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

List the available encryption algorithms
SQL> select ALGORITHM_NAME from V$RMAN_ENCRYPTION_ALGORITHMS;

ALGORITHM_NAME
----------------------------------------------------------------
AES128
AES192
AES256

Specify the encryption algorithm (persistent setting; AES256 is the strongest of the three listed)
CONFIGURE ENCRYPTION ALGORITHM 'AES256';

--------------------------------------------------------------------
Enabling/disabling encryption:

CONFIGURE (persistent, database-wide setting)

Configure whole-database encryption mode
RMAN> configure encryption for database on|off;

Configure encryption for a single tablespace
RMAN> configure encryption for tablespace users on;


SET ENCRYPTION (session level; lasts until the RMAN session ends or SET ENCRYPTION OFF is issued)

Square brackets mark optional parts; oracle stands for the password. IDENTIFIED BY with ONLY means password-only encryption (no wallet/keystore involved); IDENTIFIED BY without ONLY means dual mode, which also needs an open wallet/keystore.

--whole database
set encryption [identified by oracle] [only] on;
--all tablespaces
SET ENCRYPTION [IDENTIFIED BY oracle] [ONLY] ON FOR ALL TABLESPACES;
--a specific tablespace: SET ENCRYPTION accepts no tablespace name; use the persistent
--CONFIGURE ENCRYPTION FOR TABLESPACE <tablespace_name> ON; shown above instead

--password for decryption (restore side; several passwords may be listed, comma-separated)
set decryption identified by oracle;

--turn off
set encryption off;


Set this way, the persistent RMAN configuration does not change (CONFIGURE ENCRYPTION FOR DATABASE still shows OFF), so a session-level setting is easy to miss when reading SHOW output:

RMAN> SET ENCRYPTION ON;
executing command: SET encryption

RMAN>  show encryption for database ;
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

How it works (key lookup on restore):
If password encryption is detected, then RMAN searches for a matching key in the list of passwords entered in the SET DECRYPTION command. If RMAN finds a usable key, then the restore operation proceeds. Otherwise, RMAN searches for a key in the Oracle keystore. If RMAN finds a usable key, then the restore operation proceeds; otherwise, RMAN signals an error that the backup piece cannot be decrypted.

Performance
Because encrypted backups consume more CPU resources than unencrypted backups, you can improve performance of encrypted backups to disk by using more RMAN channels. A general rule is to use the same number of channels as the number of CPU cores in your system. For example, use two channels for a dual-core processor.


---------------------------------------------------------------------------------------------------------
Three encryption modes: password, transparent, and dual (a dual-mode backup can be decrypted with either the password or the keystore master key)

1. Password mode
The password must be supplied for both backup (encryption) and restore (decryption), interactively or in the script; no wallet/keystore is needed. Anyone holding the password and the backup pieces can restore them, so the password has to be managed as a secret of the same value as the data.

Steps:
1. Set the password with SET ENCRYPTION; be sure to include ONLY (otherwise RMAN uses dual mode and needs an open wallet/keystore)
2. Back up
3. Supply the password with SET DECRYPTION
4. Restore

For the lab run-through see the separate post 《加密备份实验流程》.
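The four steps above as one complete RMAN round trip, added here as an example; it is not the original post's or the referenced lab write-up's own script. It assumes a database in ARCHIVELOG mode, a backup directory /u01/backup, and the passwords BkpPw0rdA and OldPw0rdB (all assumptions); no wallet or keystore is configured anywhere.

```sql
-- Added example, not from the original post. Assumed: ARCHIVELOG mode,
-- backup location /u01/backup, passwords BkpPw0rdA (current) and OldPw0rdB
-- (used for older backups). No wallet/keystore is configured.

-- ===== RMAN, backup session =====
RUN {
  -- ONLY = password mode: the per-backup key is wrapped with this password
  -- alone, so no keystore is touched. Omitting ONLY switches RMAN to dual
  -- mode, which additionally needs an open keystore.
  SET ENCRYPTION IDENTIFIED BY BkpPw0rdA ONLY ON;
  -- Session-level override of the configured algorithm (default AES128).
  SET ENCRYPTION ALGORITHM 'AES256';
  BACKUP AS BACKUPSET
    FORMAT '/u01/backup/%d_%T_%U.bkp'
    TAG 'PWD_ENC'
    DATABASE PLUS ARCHIVELOG;
}

-- ===== SQL*Plus: confirm the pieces really are encrypted =====
-- ENCRYPTED is YES/NO per backup piece; NO means the backup ran without an
-- encryption setting in effect and the pieces are plaintext on disk.
SELECT handle, encrypted
FROM   v$backup_piece
WHERE  tag = 'PWD_ENC';

-- ===== RMAN, restore session (a new session: SET ENCRYPTION is gone) =====
-- Per the lookup order quoted above under "How it works", RMAN tries each
-- password in the SET DECRYPTION list against every encrypted piece, then the
-- keystore, and fails with ORA-19913 (unable to decrypt backup) if nothing
-- matches. Listing several passwords covers restores that span backups taken
-- under different passwords.
RUN {
  SET DECRYPTION IDENTIFIED BY BkpPw0rdA, OldPw0rdB;
  -- VALIDATE reads and decrypts every piece the restore would need without
  -- writing a single datafile, so it proves the password on an open database.
  -- For a real restore: STARTUP MOUNT, then the same RUN block without VALIDATE.
  RESTORE DATABASE VALIDATE FROM TAG 'PWD_ENC';
}
```

Run the VALIDATE step as part of every backup test, not only after an incident: it is the only thing that proves the password on record actually opens the pieces.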
---------------------------------------------------------------------------
Transparent mode

Oracle 11g

1. Create the wallet directory (the path is case-sensitive on Linux and must match ENCRYPTION_WALLET_LOCATION in sqlnet.ora exactly)
mkdir -p /u01/app/oracle/admin/ORCL/wallet

2. Edit sqlnet.ora and add

ENCRYPTION_WALLET_LOCATION =
(SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
        (DIRECTORY = /u01/app/oracle/admin/ORCL/wallet)
    )
)

3. Create the wallet

The password given here is the wallet password, needed later to open the wallet. In 11g this single statement creates the wallet file if none exists, generates the master encryption key and leaves the wallet open:
SQL> alter system set encryption key identified by "oracle";
System altered.

[oracle@ottawa3 admin]$ ls -ltr /u01/app/oracle/admin/ORCL/wallet
total 8
-rw-r--r-- 1 oracle oinstall 1573 Jan 11 14:51 ewallet.p12

set linesize 120
col wrl_parameter format a45
select * from v$encryption_wallet;

WRL_TYPE             WRL_PARAMETER                                 STATUS
-------------------- --------------------------------------------- ------------------
file                 /u01/app/oracle/admin/ORCL/wallet             OPEN

After a database restart the wallet must be reopened (unless an auto-login wallet has been created):
alter system set encryption wallet open identified by "oracle";

Close the wallet
SQL> alter system set encryption wallet close identified by "oracle";
System altered.


4. Configure RMAN

CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # this is the default encryption algorithm; for the other available algorithms see v$rman_encryption_algorithms

5. Open the wallet, then back up
If the wallet is not open the backup fails with:
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open

6. Restore the database (the wallet must be open here too; without the wallet a transparent-mode backup cannot be restored at all, so the wallet must be backed up separately from, and never stored alongside, the encrypted backups)

============================================================
Oracle 12c CDB & PDB

In 12c the official documentation renames the wallet to keystore, and the create/open/close commands change accordingly:

A new way to manage keystores, encryption keys and secrets using the ADMINISTER KEY MANAGEMENT command.

This replaces the ALTER SYSTEM SET ENCRYPTION KEY and ALTER SYSTEM SET ENCRYPTION WALLET commands for key and wallet administration from previous releases.

The database uses a new encryption key for every encrypted backup. The backup encryption key is then encrypted with either the password, the database master key, or both, depending on the chosen encryption mode. Individual backup encryption keys or passwords are never stored in clear text.

The multitenant architecture complicates key management somewhat, as the root container needs an open keystore with an active master encryption key. The CDB's keystore is used to store encryption keys for all the associated PDBs, but they each need their own master encryption key. The master encryption key for the PDB must be exported before an unplug operation, so it can be imported after a subsequent plugin operation.
 
A keystore must be created to hold the encryption key 

Keystore location search order: ENCRYPTION_WALLET_LOCATION in sqlnet.ora -> WALLET_LOCATION in sqlnet.ora -> $ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet -> $ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet
 
Create the keystore (12c)
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/cdb1/encryption_keystore/' IDENTIFIED BY myPassword;

SET LINESIZE 200
COLUMN wrl_parameter FORMAT A50
SELECT * FROM v$encryption_wallet;

WRL_TYPE             WRL_PARAMETER                                      STATUS                         WALLET_TYPE          WALLET_OR FULLY_BAC     CON_ID
-------------------- -------------------------------------------------- ------------------------------ -------------------- --------- --------- ----------
FILE                 /u01/app/oracle/admin/cdb1/encryption_keystore/    OPEN                           PASSWORD             SINGLE    NO                 0

Open and close the keystore from the root container; if CONTAINER=ALL is omitted, the operation applies only to the current container:
-- Open
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY myPassword CONTAINER=ALL;

-- Close
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY myPassword CONTAINER=ALL;

You need to create and activate a master key in the root container and one in each of the pluggable databases. Using the CONTAINER=ALL clause does it in a single step. If the CONTAINER=ALL clause is omitted, it will only be done in the current container and will need to be done again for each PDB individually. Information about the master key is displayed using the V$ENCRYPTION_KEYS view.
 
--Set the master key
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY myPassword WITH BACKUP CONTAINER=ALL;

SET LINESIZE 100
SELECT con_id, key_id FROM v$encryption_keys;

    CON_ID KEY_ID
---------- ------------------------------------------------------------------------------
         0 AdaYAOior0/3v0AoZDBV8hoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         0 AYmKkQxl+U+Xv3UHVMgSJC8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Connect to the PDB. If you didn't create the key in the previous step, create a new master key for the PDB.
CONN sys@pdb1 AS SYSDBA

-- We don't need to create a master key as we did it previously by using CONTAINER=ALL
-- ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY myPassword;
-- ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY myPassword WITH BACKUP;

SELECT con_id, key_id FROM v$encryption_keys;

    CON_ID KEY_ID
---------- ------------------------------------------------------------------------------
         0 ATbrc0RkAE//v/jcxOecSGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
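The keystore steps above carried through to a transparent-mode and a dual-mode backup, added here as an example; these are not the post's or oracle-base's own commands. It assumes the keystore directory /u01/app/oracle/admin/cdb1/encryption_keystore/ is already set as ENCRYPTION_WALLET_LOCATION in sqlnet.ora; the keystore password KsPw0rdA, the backup password BkpPw0rdA and the tags are invented.

```sql
-- Added example, not from the original post. Assumptions: the keystore
-- directory below is already the ENCRYPTION_WALLET_LOCATION in sqlnet.ora,
-- KsPw0rdA is the keystore password, BkpPw0rdA the backup password.

-- ===== SQL*Plus, CDB$ROOT, connected AS SYSKM (or SYSDBA) =====
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE
  '/u01/app/oracle/admin/cdb1/encryption_keystore/' IDENTIFIED BY KsPw0rdA;
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY KsPw0rdA CONTAINER = ALL;
-- One master key for the root and one per PDB in a single step. WITH BACKUP
-- copies the keystore next to the original before the key changes; that copy
-- still sits on the database host, so it is not an off-host backup.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY KsPw0rdA WITH BACKUP USING 'initial' CONTAINER = ALL;

-- Must show STATUS = OPEN before any transparent-mode backup; CLOSED means
-- the next BACKUP fails with ORA-19914 / ORA-28365.
SELECT wrl_parameter, status, wallet_type FROM v$encryption_wallet;

-- Optional: an auto-login keystore (cwallet.sso) opens itself at instance
-- startup, so scheduled backups survive a restart. Any OS user who can read
-- the file can open the keystore, so restrict the directory to the oracle
-- owner and keep it off the backup media.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE
  '/u01/app/oracle/admin/cdb1/encryption_keystore/' IDENTIFIED BY KsPw0rdA;

-- ===== RMAN, connected to the CDB root =====
CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES256';

-- Transparent mode: the backup key is wrapped with the master key only.
-- Restorable solely on a host that has this keystore (or a copy of it).
BACKUP DATABASE TAG 'TDE_ONLY';

-- Dual mode: IDENTIFIED BY without ONLY while the keystore is open. The same
-- piece decrypts with either the keystore or the password, which is what an
-- off-site copy needs.
RUN {
  SET ENCRYPTION IDENTIFIED BY BkpPw0rdA ON;
  BACKUP DATABASE TAG 'DUAL';
}

-- On a recovery host with no keystore, only the DUAL backup is usable:
RUN {
  SET DECRYPTION IDENTIFIED BY BkpPw0rdA;
  RESTORE DATABASE VALIDATE FROM TAG 'DUAL';
}
```

Backups tagged TDE_ONLY are exactly as recoverable as the keystore: keep a copy of the password-protected ewallet.p12 (not only the auto-login cwallet.sso) in a separate location with its own access control, and never on the same media as the backup pieces. If the keystore is lost, transparent-mode backups are unrecoverable; if it travels with the backups, the encryption protects nothing.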


Oracle Database Backup and Recovery User's Guide 11g Release 2 (11.2), Chapter 10: Backing Up the Database: Advanced Topics
Oracle Database Backup and Recovery User's Guide 12c Release 1 (12.1), Chapter 10: Backing Up the Database: Advanced Topics

https://blog.pythian.com/encryption-rman-backup/
http://www.dba-oracle.com/t_rman_35_encryption.htm

Multitenant : Transparent Data Encryption (TDE) in Pluggable Databases (PDBs) in Oracle Database 12c Release 1 (12.1)
https://oracle-base.com/articles/12c/multitenant-transparent-data-encryption-tde-12cr1

Transparent Data Encryption (TDE) in Oracle 10g Database Release 2
https://oracle-base.com/articles/10g/transparent-data-encryption-10gr2

Tablespace Encryption in Oracle 11g Database Release 1
https://oracle-base.com/articles/11g/tablespace-encryption-11gr1

http://oracle-help.com/articles/open-wallet-automatically-starting-database/

------------------------------------------------------------------------------------------
Oracle Secure Backup (OSB)

A reliable, comprehensive, centralized tape backup management solution that protects heterogeneous data in distributed, mixed-platform environments.
The Oracle Secure Backup Cloud Module can also send integrated Oracle database backups to cloud storage.

Two editions of the tape management product: OSB and OSB Express.

OSB is the media management layer used by RMAN: it provides the SBT interface through which RMAN backs the database up directly to tape,
and it is the only interface that supports RMAN encrypted backups, with unused-block compression, directly to tape.

------------------------------------------------------------------------------------------
