A spate of recent news stories has highlighted the importance of protecting database backups. Backup tapes stolen from banks, brokerage houses, retail stores, and even the IRS have exposed data from millions of customers (source: Chronology of Data Breaches).
Once your data leaves the security of the Oracle database, it is vulnerable to theft. In Oracle 10g Release 2 (Oracle 10gR2), you can encrypt your backups as you make them instead of having to use a third-party tool to do the encryption/decryption. Upon restoring these backups, Oracle will automatically decrypt the data.
There are three forms of encryption available in Oracle 10gR2: transparent (the default), password, or dual-mode.
The transparent option is designed for backups that will be restored to the same server. The Oracle Encryption Wallet, which is part of the Advanced Security option, must be configured first. The wallet contains encryption/decryption credentials. Then, because the transparent option is the default, you would add the following to your Recovery Manager (RMAN) script:
SET ENCRYPTION ON
The password option is useful when you're sending a backup to another site — it requires no advance setup on either end. You add the following to your RMAN backup script:
SET ENCRYPTION ON IDENTIFIED BY 'password' ONLY
When restoring a backup made with password encryption, you must supply the original password:
SET DECRYPTION IDENTIFIED BY 'password'
If you lose the password, the data cannot be restored. Also, be sure to protect your RMAN script, as it contains the password.
The dual-mode option lets you decrypt either transparently or by using a password. You can use this if you normally restore to the same server but occasionally need to transfer it to another server where the Oracle Encryption Wallet doesn't exist. This option is similar to the password option but with the word ONLY left off:
SET ENCRYPTION ON IDENTIFIED BY 'password'
Three final notes to keep in mind: Encrypted backups will take longer to perform due to the extra overhead involved; be sure to thoroughly test both backup and restore scripts; and measure the time required.
Miss a tip?
Check out the Oracle archive, and catch up on our most recent Oracle tips.