数据的安全越来越重要,不是说你的生产库安全,你的数据就一定安全了,rman备份也是泄露数据的一个重要地方,如果别人拿到了你的备份集,一样等同入侵了你的生产库。为了rman备份的安全,最简单方式就是使用set encryption方式在rman备份过程中设置密码,需要版本为10.2及其以后企业版版,另外如果需要备份到带库只能使用oracle自己的osb(Oracle Secure Backup),注意rman只有backupset可以加密,copy无法进行加密
数据库版本
SQL>
select
*
from
v$version;
BANNER
--------------------------------------------------------------------------------
Oracle
Database
11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS
for
Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> show parameter compatible
NAME
TYPE VALUE
------------------------------------ ----------- ------------------------------
compatible string 11.2.0.4.0
|
支持rman加密算法
SQL>
select
ALGORITHM_NAME
2
from
V$RMAN_ENCRYPTION_ALGORITHMS;
ALGORITHM_NAME
----------------------------------------------------------------
AES128
AES192
AES256
|
调整加密算法
RMAN> show ENCRYPTION ALGORITHM;
RMAN configuration parameters
for
database
with
db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM
'AES128'
; #
default
RMAN> CONFIGURE ENCRYPTION ALGORITHM
'AES256'
;
new RMAN configuration parameters:
CONFIGURE ENCRYPTION ALGORITHM
'AES256'
;
new RMAN configuration parameters are successfully stored
RMAN> show ENCRYPTION ALGORITHM;
using target
database
control file
instead
of
recovery catalog
RMAN configuration parameters
for
database
with
db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM
'AES256'
;
|
创建新测试数据文件
我们这里测试的是对新创建的5号文件进行加密备份和还原
SQL>
select
name
from
v$datafile;
NAME
--------------------------------------------------------------------------------
/u01/app/oracle/oradata/orcl/system01.dbf
/u01/app/oracle/oradata/orcl/sysaux01.dbf
/u01/app/oracle/oradata/orcl/undotbs01.dbf
/u01/app/oracle/oradata/orcl/users01.dbf
SQL>
create
tablespace rman_xifenfei datafile
2
'/u01/app/oracle/oradata/orcl/xifenfei01.dbf'
size
100M;
Tablespace created.
SQL>
select
file#,
name
from
v$datafile;
FILE#
NAME
---------- --------------------------------------------------
1 /u01/app/oracle/oradata/orcl/system01.dbf
2 /u01/app/oracle/oradata/orcl/sysaux01.dbf
3 /u01/app/oracle/oradata/orcl/undotbs01.dbf
4 /u01/app/oracle/oradata/orcl/users01.dbf
5 /u01/app/oracle/oradata/orcl/xifenfei01.dbf
SQL>
create
table
chf.t_xifenfei tablespace rman_xifenfei
2
as
select
*
from
dba_objects;
Table
created.
SQL>
select
count
(*)
from
chf.t_xifenfei;
COUNT
(*)
----------
86721
|
rman加密备份
RMAN>
set
encryption on identified by
'www.xifenfei.com'
only;
executing
command
: SET encryption
RMAN> backup datafile 5;
Starting backup at 28-JAN-15
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=5 device
type
=DISK
channel ORA_DISK_1: starting full datafile backup
set
channel ORA_DISK_1: specifying datafile(s)
in
backup
set
input datafile
file
number=00005 name=
/u01/app/oracle/oradata/orcl/xifenfei01
.dbf
channel ORA_DISK_1: starting piece 1 at 28-JAN-15
channel ORA_DISK_1: finished piece 1 at 28-JAN-15
piece handle=
/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_
.bkp tag=TAG20150128T230115 comment=NONE
channel ORA_DISK_1: backup
set
complete, elapsed
time
: 00:00:01
Finished backup at 28-JAN-15
|
准备恢复测试
RMAN> sql
'alter database datafile 5 offline'
;
sql statement: alter database datafile 5 offline
[oracle@localhost ~]$
rm
/u01/app/oracle/oradata/orcl/xifenfei01
.dbf
[oracle@localhost ~]$
ls
/u01/app/oracle/oradata/orcl/xifenfei01
.dbf
ls
:
/u01/app/oracle/oradata/orcl/xifenfei01
.dbf: No such
file
or directory
|
rman恢复测试
[oracle@localhost ~]$ rman target /
Recovery Manager: Release 11.2.0.4.0 - Production on Wed Jan 28 23:02:24 2015
Copyright (c) 1982, 2011, Oracle and
/or
its affiliates. All rights reserved.
connected to target database: ORCL (DBID=1378620768)
RMAN> list backup of datafile 5;
using target database control
file
instead of recovery catalog
List of Backup Sets
===================
BS Key Type LV Size Device Type Elapsed Time Completion Time
------- ---- -- ---------- ----------- ------------ ---------------
1 Full 10.94M DISK 00:00:01 28-JAN-15
BP Key: 1 Status: AVAILABLE Compressed: NO Tag: TAG20150128T230115
Piece Name:
/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_
.bkp
List of Datafiles
in
backup
set
1
File LV Type Ckp SCN Ckp Time Name
---- -- ---- ---------- --------- ----
5 Full 54057180 28-JAN-15
/u01/app/oracle/oradata/orcl/xifenfei01
.dbf
--未输入密码
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=492 device
type
=DISK
channel ORA_DISK_1: starting datafile backup
set
restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup
set
channel ORA_DISK_1: restoring datafile 00005 to
/u01/app/oracle/oradata/orcl/xifenfei01
.dbf
channel ORA_DISK_1: reading from backup piece
/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_
.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore
command
at 01
/28/2015
23:02:52
ORA-19870: error
while
restoring backup piece
/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_
.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not
open
--设置错误密码
RMAN> SET DECRYPTION IDENTIFIED BY
'www.orasos.com'
;
executing
command
: SET decryption
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup
set
restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup
set
channel ORA_DISK_1: restoring datafile 00005 to
/u01/app/oracle/oradata/orcl/xifenfei01
.dbf
channel ORA_DISK_1: reading from backup piece
/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_
.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore
command
at 01
/28/2015
23:03:31
ORA-19870: error
while
restoring backup piece
/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_
.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not
open
--设置正确密码
RMAN> SET DECRYPTION IDENTIFIED BY
'www.xifenfei.com'
;
executing
command
: SET decryption
RMAN> restore datafile 5;
Starting restore at 28-JAN-15
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup
set
restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup
set
channel ORA_DISK_1: restoring datafile 00005 to
/u01/app/oracle/oradata/orcl/xifenfei01
.dbf
channel ORA_DISK_1: reading from backup piece
/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_
.bkp
channel ORA_DISK_1: piece handle=
/u01/2015_01_28/o1_mf_nnndf_TAG20150128T230115_bdkyfvlw_
.bkp tag=TAG20150128T230115
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed
time
: 00:00:01
Finished restore at 28-JAN-15
|
验证数据还原
RMAN> recover datafile 5;
Starting recover at 28-JAN-15
using target database control
file
instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=7 device
type
=DISK
starting media recovery
media recovery complete, elapsed
time
: 00:00:00
Finished recover at 28-JAN-15
RMAN> sql
'alter database datafile 5 online'
;
sql statement: alter database datafile 5 online
RMAN>
exit
Recovery Manager complete.
[oracle@localhost ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Jan 28 23:05:55 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>
select
count(*) from chf.t_xifenfei;
COUNT(*)
----------
86721
|
至此我们可以看到,最简单的rman加密备份和加密恢复测试完成,在使用set encryption加密后,如果不输入或者错误的输入密码无法使用备份集,从而确保了备份集的安全.
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
