Producing Transparent-mode Encrypted Backups

To use this feature, TDE (Transparent Data Encryption) must be enabled on the database. We completed that step in THIS article; here we explore the two ways of implementing transparent-encryption mode.

Password-based software Keystore

In this method, the keystore is opened manually by the DBA so that the RMAN operation can proceed. We will see shortly that whenever the database is restarted this keystore is not opened automatically, so the DBA has to open it before it can be used.

Among the persistent RMAN configuration parameters, the two items below control whether encryption is used and which algorithm is applied:

[oracle@oel8 admin]$ rman target /
 
Recovery Manager: Release 18.0.0.0.0 - Production on Fri Jun 25 05:26:07 2021
Version 18.13.0.0.0
 
Copyright (c) 1982, 2018, Oracle and/or its affiliates.  All rights reserved.
 
connected to target database: RMANDB (DBID=3825250984)
 
RMAN> SHOW ENCRYPTION FOR DATABASE;
 
using target database control file instead of recovery catalog
RMAN configuration parameters for database with db_unique_name RMANDB are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
 
RMAN> SHOW ENCRYPTION ALGORITHM;
 
RMAN configuration parameters for database with db_unique_name RMANDB are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

We can also enable encryption at run time, as in the example below:

RMAN> SET ENCRYPTION ON;
 
executing command: SET encryption
 
RMAN> BACKUP TABLESPACE USERS TAG 'ENCRYPTED_USERS';
 
Starting backup at 2021-06-25:05:27:21
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=113 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/oracle/dados/RMANDB/datafile/o1_mf_users_h8nyrkn7_.dbf
channel ORA_DISK_1: starting piece 1 at 2021-06-25:05:27:21
channel ORA_DISK_1: finished piece 1 at 2021-06-25:05:27:24
piece handle=/oracle/fra/RMANDB/backupset/2021_06_25/o1_mf_nnndf_ENCRYPTED_USERS_jfc4v9xl_.bkp tag=ENCRYPTED_USERS comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:03
Finished backup at 2021-06-25:05:27:24
 
Starting Control File and SPFILE Autobackup at 2021-06-25:05:27:24
piece handle=/oracle/fra/RMANDB/autobackup/2021_06_25/o1_mf_s_1076131644_jfc4vfpf_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 2021-06-25:05:27:27

In the output of the LIST command there is no way to tell that the backup was taken with encryption:

RMAN> LIST BACKUPSET TAG 'ENCRYPTED_USERS';
 
 
List of Backup Sets
===================
 
 
BS Key  Type LV Size       Device Type Elapsed Time Completion Time
------- ---- -- ---------- ----------- ------------ -------------------
339     Full    13.25M     DISK        00:00:01     2021-06-25:05:27:22
        BP Key: 368   Status: AVAILABLE  Compressed: NO  Tag: ENCRYPTED_USERS
        Piece Name: /oracle/fra/RMANDB/backupset/2021_06_25/o1_mf_nnndf_ENCRYPTED_USERS_jfc4v9xl_.bkp
  List of Datafiles in backup set 339
  File LV Type Ckp SCN    Ckp Time            Abs Fuz SCN Sparse Name
  ---- -- ---- ---------- ------------------- ----------- ------ ----
  7       Full 2977458    2021-06-25:05:27:21              NO    /oracle/dados/RMANDB/datafile/o1_mf_users_h8nyrkn7_.dbf

To be sure, we can run the query below:

RMAN> SELECT S.RECID AS "BS_REC", P.RECID AS "BP_REC", P.ENCRYPTED FROM V$BACKUP_PIECE P, V$BACKUP_SET S WHERE P.SET_STAMP = S.SET_STAMP AND P.SET_COUNT = S.SET_COUNT AND P.TAG ='ENCRYPTED_USERS';
 
    BS_REC     BP_REC ENC
---------- ---------- ---
       339        368 YES

Now, let's restart our database:

RMAN> SHUTDOWN IMMEDIATE;
 
database closed
database dismounted
Oracle instance shut down
 
RMAN> STARTUP;
 
connected to target database (not started)
Oracle instance started
database mounted
database opened
 
Total System Global Area    1610612016 bytes
 
Fixed Size                     8658224 bytes
Variable Size                402653184 bytes
Database Buffers            1191182336 bytes
Redo Buffers                   8118272 bytes

When we try to run the backup with encryption, an error is reported because our keystore is closed:

RMAN> SET ENCRYPTION ON;
 
executing command: SET encryption
 
RMAN> BACKUP TABLESPACE users TAG 'ENCRYPTED_USERS';
 
Starting backup at 2021-06-25:05:31:13
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=76 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/oracle/dados/RMANDB/datafile/o1_mf_users_h8nyrkn7_.dbf
channel ORA_DISK_1: starting piece 1 at 2021-06-25:05:31:13
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 06/25/2021 05:31:14
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open

So let's open the keystore manually:

RMAN> sql 'ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle';
 
sql statement: ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY oracle

Now our backup runs successfully:

RMAN> SET ENCRYPTION ON;
 
executing command: SET encryption
 
RMAN> BACKUP TABLESPACE users TAG 'ENCRYPTED_USERS';
 
Starting backup at 2021-06-25:05:32:34
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/oracle/dados/RMANDB/datafile/o1_mf_users_h8nyrkn7_.dbf
channel ORA_DISK_1: starting piece 1 at 2021-06-25:05:32:34
channel ORA_DISK_1: finished piece 1 at 2021-06-25:05:32:35
piece handle=/oracle/fra/RMANDB/backupset/2021_06_25/o1_mf_nnndf_ENCRYPTED_USERS_jfc552rq_.bkp tag=ENCRYPTED_USERS comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 2021-06-25:05:32:35
 
Starting Control File and SPFILE Autobackup at 2021-06-25:05:32:35
piece handle=/oracle/fra/RMANDB/autobackup/2021_06_25/o1_mf_s_1076131955_jfc5549m_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 2021-06-25:05:32:38

Auto-login Software Keystore

In this method, the keystore always stays open, with no need for DBA intervention. To achieve that, we create an auto-login keystore with the command below (a new file named cwallet.sso is created in our keystore directory):

[oracle@oel8 admin]$ sqlplus / as sysdba
 
SQL*Plus: Release 18.0.0.0.0 - Production on Fri Jun 25 05:38:12 2021
Version 18.13.0.0.0
 
Copyright (c) 1982, 2018, Oracle.  All rights reserved.
 
 
Connected to:
Oracle Database 18c Enterprise Edition Release 18.0.0.0.0 - Production
Version 18.13.0.0.0
 
SQL> ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/oracle/dados/RMANDB/keystore' IDENTIFIED BY oracle;
 
keystore altered.
 
SQL> !ls -la /oracle/dados/RMANDB/keystore
total 12
drwxr-xr-x. 2 oracle oinstall   85 Jun 25 05:38 .
drwxr-x---. 9 oracle oinstall  126 Jun 25 04:57 ..
-rw-------. 1 oracle oinstall 4040 Jun 25 05:38 cwallet.sso
-rw-------. 1 oracle oinstall 2555 Jun 25 05:06 ewallet_2021062508065797_RMAN.p12
-rw-------. 1 oracle oinstall 3995 Jun 25 05:06 ewallet.p12

Restarting the database to confirm that even a restart does not require us to open the keystore:

SQL> SHU IMMEDIATE;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> STARTUP;
ORACLE instance started.
 
Total System Global Area 1610612016 bytes
Fixed Size                  8658224 bytes
Variable Size             520093696 bytes
Database Buffers         1073741824 bytes
Redo Buffers                8118272 bytes
Database mounted.
Database opened.

Running the backup with encryption, where the wallet-closed error is no longer reported:

[oracle@oel8 admin]$ rman target /
 
Recovery Manager: Release 18.0.0.0.0 - Production on Fri Jun 25 05:41:33 2021
Version 18.13.0.0.0
 
Copyright (c) 1982, 2018, Oracle and/or its affiliates.  All rights reserved.
 
connected to target database: RMANDB (DBID=3825250984)
 
RMAN> SET ENCRYPTION ON;
 
executing command: SET encryption
using target database control file instead of recovery catalog
 
RMAN> BACKUP TABLESPACE users TAG 'BSS';
 
Starting backup at 2021-06-25:05:41:45
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=68 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/oracle/dados/RMANDB/datafile/o1_mf_users_h8nyrkn7_.dbf
channel ORA_DISK_1: starting piece 1 at 2021-06-25:05:41:45
channel ORA_DISK_1: finished piece 1 at 2021-06-25:05:41:47
piece handle=/oracle/fra/RMANDB/backupset/2021_06_25/o1_mf_nnndf_BSS_jfc5pb1h_.bkp tag=BSS comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:02
Finished backup at 2021-06-25:05:41:47
 
Starting Control File and SPFILE Autobackup at 2021-06-25:05:41:47
piece handle=/oracle/fra/RMANDB/autobackup/2021_06_25/o1_mf_s_1076132507_jfc5pcnz_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 2021-06-25:05:41:48

Validating that the backup really was encrypted:

RMAN> SELECT S.RECID AS "BS_REC", P.RECID AS "BP_REC", P.ENCRYPTED FROM V$BACKUP_PIECE P, V$BACKUP_SET S WHERE P.SET_STAMP = S.SET_STAMP AND P.SET_COUNT = S.SET_COUNT AND P.TAG ='BSS';
 
    BS_REC     BP_REC ENC
---------- ---------- ---
       343        372 YES
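As an added example (not part of the original post or of Ahmed Baraka's procedure), the Python below automates the two checks this walkthrough performs by hand: spotting the ORA-19914 / ORA-28365 pair in an RMAN log, which is the signature of a password-based keystore that was not reopened after a restart, and confirming from the V$BACKUP_PIECE / V$BACKUP_SET verification query that every piece under a tag reports ENCRYPTED = 'YES'. The failed-log excerpt is modelled on the error stack shown earlier; the query rows are constructed sample data, and the extra TAG column, the NIGHTLY tag and its unencrypted piece are assumptions made for illustration.

```python
"""Audit helpers for RMAN transparent-mode encrypted backups.

Added example, not code from the original post. Two checks that the post
performs by hand are automated here:
  1. Detect, in an RMAN session log, the failure of an encrypted backup caused
     by a closed keystore (ORA-19914 followed by ORA-28365).
  2. Parse the output of the V$BACKUP_PIECE / V$BACKUP_SET verification query
     and report every piece whose ENCRYPTED column is not 'YES'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ORA-28365 ("wallet is not open") is the root cause; ORA-19914 is the consequence.
WALLET_CLOSED_CODES = frozenset({"ORA-19914", "ORA-28365"})
ERROR_CODE = re.compile(r"\b((?:ORA|RMAN)-\d{5})\b")


def rman_errors(log_text: str) -> list[str]:
    """Return the ORA-/RMAN- codes in an RMAN log, in first-seen order, without duplicates."""
    codes: list[str] = []
    for line in log_text.splitlines():
        match = ERROR_CODE.search(line)
        if match and match.group(1) not in codes:
            codes.append(match.group(1))
    return codes


def wallet_closed(log_text: str) -> bool:
    """True when the log shows an encrypted backup failing because the keystore was closed."""
    return WALLET_CLOSED_CODES.issubset(rman_errors(log_text))


@dataclass(frozen=True)
class BackupPiece:
    bs_recid: int      # V$BACKUP_SET.RECID
    bp_recid: int      # V$BACKUP_PIECE.RECID
    tag: str           # V$BACKUP_PIECE.TAG
    encrypted: str     # V$BACKUP_PIECE.ENCRYPTED: 'YES' or 'NO'


def parse_piece_rows(rows: str) -> list[BackupPiece]:
    """Parse the whitespace-aligned output of the post's verification query
    extended with P.TAG, i.e. columns BS_REC BP_REC TAG ENC.
    Header and dashed separator lines are skipped; tags are assumed to contain no spaces."""
    pieces: list[BackupPiece] = []
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        pieces.append(BackupPiece(int(parts[0]), int(parts[1]), parts[2], parts[3]))
    return pieces


def unencrypted_pieces(pieces: list[BackupPiece], tag: str | None = None) -> list[BackupPiece]:
    """Pieces that are not encrypted, optionally restricted to one tag."""
    return [p for p in pieces if p.encrypted != "YES" and (tag is None or p.tag == tag)]


# Constructed sample: the error stack of a backup attempted with the keystore closed,
# modelled on the failure shown in the post.
FAILED_LOG = """\
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 06/25/2021 05:31:14
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open
"""

# Constructed sample: a backup that completed.
OK_LOG = """\
Starting backup at 2021-06-25:05:32:34
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 2021-06-25:05:32:35
"""

# Constructed sample rows; the NIGHTLY tag and its unencrypted piece are invented for illustration.
PIECE_ROWS = """\
    BS_REC     BP_REC TAG             ENC
---------- ---------- --------------- ---
       339        368 ENCRYPTED_USERS YES
       343        372 BSS             YES
       341        370 NIGHTLY         NO
"""


def audit(log_text: str, rows: str) -> dict:
    """Combine both checks into one report suitable for a post-backup job."""
    pieces = parse_piece_rows(rows)
    return {
        "errors": rman_errors(log_text),
        "wallet_closed": wallet_closed(log_text),
        "unencrypted": [(p.bs_recid, p.bp_recid, p.tag) for p in unencrypted_pieces(pieces)],
    }


if __name__ == "__main__":
    print(audit(FAILED_LOG, PIECE_ROWS))
    print(audit(OK_LOG, PIECE_ROWS))
```

A report with wallet_closed set to true means the backup failed closed, which is the behaviour of the password-based keystore after a restart; the remedy is the one shown above (opening the keystore with ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN) or switching to the auto-login keystore. Any entry in unencrypted is a piece that can be restored without the TDE key and should be treated as a finding. Note that the auto-login keystore removes the manual step but moves the protection of the master key to the file permissions on cwallet.sso, which the listing above shows as owner-only (-rw-------).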

Note: This procedure was created by Mr. Ahmed Baraka (www.ahmedbaraka.com) and was only reproduced by me in a personal lab for learning purposes.
