
Encrypt backups using Oracle 10gR2's RMAN

No IT pro wants their company to make headline news because of a data breach. You can make your data less vulnerable to theft by using a new feature in Oracle 10g Release 2 that lets you make encrypted backups via Recovery Manager.

A spate of recent news stories has highlighted the importance of protecting database backups. Backup tapes stolen from banks, brokerage houses, retail stores, and even the IRS have exposed data from millions of customers (source: Chronology of Data Breaches).


Once your data leaves the security of the Oracle database, it is vulnerable to theft. In Oracle 10g Release 2 (Oracle 10gR2), you can encrypt your backups as you make them instead of having to use a third-party tool to do the encryption/decryption. Upon restoring these backups, Oracle will automatically decrypt the data.

There are three forms of encryption available in Oracle 10gR2: transparent (the default), password, or dual-mode.

Transparent
The transparent option is designed for backups that will be restored to the same server. The Oracle Encryption Wallet, which is part of the Advanced Security option, must be configured first. The wallet contains encryption/decryption credentials. Then, because the transparent option is the default, you would add the following to your Recovery Manager (RMAN) script:

SET ENCRYPTION ON;

Password
The password option is useful when you're sending a backup to another site — it requires no advance setup on either end. You add the following to your RMAN backup script:

SET ENCRYPTION ON IDENTIFIED BY 'password' ONLY;

When restoring a backup made with password encryption, you must supply the original password:

SET DECRYPTION IDENTIFIED BY 'password';

If you lose the password, the data cannot be restored. Also, be sure to protect your RMAN script, as it contains the password.

Dual-mode
The dual-mode option lets you decrypt either transparently or by using a password. You can use this if you normally restore to the same server but occasionally need to transfer a backup to another server where the Oracle Encryption Wallet doesn't exist. This option is similar to the password option but with the word ONLY left off:

SET ENCRYPTION ON IDENTIFIED BY 'password';
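
Because a password or dual-mode script contains the password, one way to keep it out of the script file is to generate the RMAN commands at run time from a password file that only its owner can read. The following is an added example, not code from the original article; the function names, the password-file path, and the plain BACKUP DATABASE command are assumptions.

```shell
#!/bin/sh
# Added example: emit RMAN commands for a password or dual-mode encrypted
# backup, taking the password from a private file instead of the script.
# Assumed names: pwfile_is_private, rman_backup_commands, the file path.

# Succeed only if the file exists and grants nothing to group or other.
pwfile_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ]
}

# $1 = mode ("password" or "dual"), $2 = path of the password file.
# Prints the RMAN commands on stdout; returns non-zero on any problem.
rman_backup_commands() {
    mode=$1
    pwfile=$2
    pwfile_is_private "$pwfile" || {
        echo "password file missing or readable by group/other" >&2
        return 1
    }
    pw=$(head -n 1 "$pwfile")
    [ -n "$pw" ] || { echo "password file is empty" >&2; return 1; }
    # A single quote would end the quoted password inside the RMAN command.
    case $pw in
        *"'"*) echo "password must not contain a single quote" >&2; return 1 ;;
    esac
    case $mode in
        password) only=" ONLY" ;;   # restore requires the password
        dual)     only="" ;;        # restore via wallet or password
        *) echo "mode must be 'password' or 'dual'" >&2; return 1 ;;
    esac
    printf "SET ENCRYPTION ON IDENTIFIED BY '%s'%s;\n" "$pw" "$only"
    printf 'BACKUP DATABASE;\n'
}

# Typical use (hypothetical path), feeding the commands to RMAN on stdin:
#   rman_backup_commands dual /home/oracle/.rman_pw | rman target /
```

The password file still has to be protected and backed up separately from the tapes, since losing it makes a password-only backup unrestorable.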

Three final notes to keep in mind: encrypted backups will take longer to perform due to the extra overhead involved; be sure to thoroughly test both backup and restore scripts; and measure the time required.


Bob Watkins (OCP, MCDBA, MCSE, MCT) is a computer professional with 25 years of experience as a technical trainer, consultant, and database administrator. Visit Bob's site.
