Three Oracle RMAN Backup Encryption Strategies

Data security, and especially the security of an enterprise's core business data, is a concern shared across society today. From the Ctrip service outage a few days ago, with its rumored database deletion, to last year's repeated leaks of user account passwords at internet companies, each incident tests the industry's already strained nerves. That data is wealth is no longer a utopian idea but plain reality. For a company that has suffered a data leak, the damage to goodwill and brand is hard to measure.

From the information-systems point of view, backups are the DBA's lifeline and our fallback. As long as a backup exists and the data is not lost, there is room to recover. Backup security is also a point that every information security standard emphasizes. It comes down to two things: the backup is valid, and the backup cannot be used illegitimately. Backup validity is the operations engineer's nightmare: discovering at the critical moment that a backup is unusable or contains corrupt blocks is enough to make anyone despair. Protecting a backup from illegitimate use means ensuring that the backup set cannot be restored into another environment without authorization.

As Oracle's officially recommended backup and recovery tool, RMAN provides three encryption strategies to ensure that backups are not used illegitimately. This article introduces these three basic strategies.

1. Environment

The author tested on Oracle 11g, version 11.2.0.4.

    SQL> select * from v$version;

    BANNER
    --------------------------------------------------------------------------------
    Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
    PL/SQL Release 11.2.0.4.0 - Production
    CORE    11.2.0.4.0    Production
    TNS for Linux: Version 11.2.0.4.0 - Production
    NLSRTL Version 11.2.0.4.0 - Production

To take hot backups with RMAN, archive log mode is enabled.

    SQL> select log_mode from v$database;

    LOG_MODE
    ------------
    ARCHIVELOG

RMAN's three backup security strategies are: password security, Oracle Wallet security, and hybrid encryption security. Each is introduced in turn below.

2. Password security

As the name suggests, password security requires the password to be entered interactively for both encryption and decryption. The password is set within RMAN's own configuration.

    RMAN> show encryption for database ;

    RMAN configuration parameters for database with db_unique_name SICSSTB are:
    CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

    RMAN> show encryption algorithm;

    RMAN configuration parameters for database with db_unique_name SICSSTB are:
    CONFIGURE ENCRYPTION ALGORITHM "AES128"; # default

By default RMAN does not enable encryption. Encryption always comes with a choice of algorithm, and the default is AES128. The view V$RMAN_ENCRYPTION_ALGORITHMS lists the algorithms currently available.

    SQL> select * from v$rman_encryption_algorithms;

    ALGORITHM_ID ALGORITHM_NAME  ALGORITHM_DESCRIPTION     IS_DEFAULT RESTORE_ONLY
    ------------ --------------- ------------------------- ---------- ------------
               1 AES128          AES 128-bit key           YES        NO
               2 AES192          AES 192-bit key           NO         NO
               3 AES256          AES 256-bit key           NO         NO

To use password encryption, first set the password with the set encryption command.

    RMAN> set encryption on identified by "test" only;

    executing command: SET encryption

    RMAN> show encryption for database;

    RMAN configuration parameters for database with db_unique_name SICSSTB are:
    CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

Note the trailing only keyword; it must be included. Without it, RMAN treats the password as part of dual-mode encryption, which also involves the wallet. SHOW still reports OFF because SET applies only to the current RMAN session, while SHOW lists the persistent CONFIGURE settings. The backup can now be taken:

    RMAN> backup database plus archivelog;

    Starting backup at 08-JUN-15
    current log archived
    allocated channel: ORA_DISK_1
    channel ORA_DISK_1: SID=137 device type=DISK
    channel ORA_DISK_1: starting archived log backup set
    channel ORA_DISK_1: specifying archived log(s) in backup set
    (output omitted for brevity ...)
    Starting Control File and SPFILE Autobackup at 08-JUN-15
    piece handle=+RECO/sicsstb/autobackup/2015_06_08/s_881833159.266.881833159 comment=NONE
    Finished Control File and SPFILE Autobackup at 08-JUN-15

State of the backup sets:

    RMAN> list backup;

    List of Backup Sets
    ===================

    BS Key  Size       Device Type Elapsed Time Completion Time
    ------- ---------- ----------- ------------ ---------------
    1       14.01M     DISK        00:00:00     08-JUN-15
            BP Key: 1   Status: AVAILABLE  Compressed: NO  Tag: TAG20150608T093841
    (output omitted for brevity ...)
            BP Key: 4   Status: AVAILABLE  Compressed: NO  Tag: TAG20150608T093919
            Piece Name: +RECO/sicsstb/autobackup/2015_06_08/s_881833159.266.881833159
      SPFILE Included: Modification time: 08-JUN-15
      SPFILE db_unique_name: SICSSTB
      Control File Included: Ckp SCN: 2685935      Ckp time: 08-JUN-15

Restart the instance into the mount state and attempt a restore.

    SQL> shutdown immediate;
    Database closed.
    Database dismounted.
    ORACLE instance shut down.

    RMAN> connect target /

    connected to target database (not started)

    RMAN> startup mount;

    Oracle instance started
    database mounted

    Total System Global Area    2087780352 bytes

    Fixed Size                     2254824 bytes
    Variable Size                553650200 bytes
    Database Buffers            1526726656 bytes
    Redo Buffers                   5148672 bytes

Attempt the restore.

    RMAN> restore database ;

    Starting restore at 08-JUN-15
    allocated channel: ORA_DISK_1
    channel ORA_DISK_1: SID=131 device type=DISK
    (output omitted for brevity ...)
    channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
    RMAN-00571: ===========================================================
    RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
    RMAN-00571: ===========================================================
    RMAN-03002: failure of restore command at 06/08/2015 09:46:38
    ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
    ORA-19913: unable to decrypt backup
    ORA-28365: wallet is not open

The backup set is encrypted and cannot be read. It can only be used after it has been decrypted.

    RMAN> set decryption identified by "test";

    executing command: SET decryption

Then run the restore again.

    RMAN> restore database;

    Starting restore at 08-JUN-15
    using channel ORA_DISK_1
    channel ORA_DISK_1: starting datafile backup set restore
    channel ORA_DISK_1: specifying datafile(s) to restore from backup set
    channel ORA_DISK_1: restoring datafile 00001 to +DATA/sicsstb/datafile/system.256.878897771
    channel ORA_DISK_1: restoring datafile 00002 to +DATA/sicsstb/datafile/sysaux.257.878897773
    channel ORA_DISK_1: restoring datafile 00003 to +DATA/sicsstb/datafile/undotbs1.258.878897773
    channel ORA_DISK_1: restoring datafile 00004 to +DATA/sicsstb/datafile/users.259.878897773
    channel ORA_DISK_1: restoring datafile 00005 to +DATA/sicsstb/datafile/example.265.878897857
    channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
    channel ORA_DISK_1: piece handle=+RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123 tag=TAG20150608T093842
    channel ORA_DISK_1: restored backup piece 1
    channel ORA_DISK_1: restore complete, elapsed time: 00:00:35
    Finished restore at 08-JUN-15

    RMAN> recover database;

    Starting recover at 08-JUN-15
    using channel ORA_DISK_1

    starting media recovery
    media recovery complete, elapsed time: 00:00:00

    Finished recover at 08-JUN-15

    RMAN> alter database open;

    database opened

Finally, how is this setting turned off? Use set encryption.

    RMAN> set encryption off;

    executing command: SET encryption

This is the simpler of the RMAN backup set encryption strategies. It is generally not used in formal production operations.

The article continues on the next page: http://www.linuxidc.com/Linux/2015-06/118939p2.htm
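The failed restore in section 2 is what a restore-test job sees when an encrypted backup set is read without its password. The following is an added example, not part of the original article: it pulls the error stacks out of an RMAN log and reports the backup pieces that failed with ORA-19913. The function names and the one-message-per-line log layout are assumptions, and the sample log is constructed from the article's output.

```python
import re

# Constructed sample: the failed restore shown in the article, one message per line.
SAMPLE_LOG = """\
RMAN> restore database ;
Starting restore at 08-JUN-15
channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 06/08/2015 09:46:38
ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t093842_0.263.881833123
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
"""

ERROR_LINE = re.compile(r"^(RMAN|ORA)-(\d{5}): (.*)$")
BANNER = {"RMAN-00569", "RMAN-00571"}  # separator lines that frame a stack


def error_stacks(log_text):
    """Split a log into error stacks: runs of consecutive RMAN-/ORA- lines."""
    stacks, current = [], None
    for line in log_text.splitlines():
        m = ERROR_LINE.match(line.strip())
        if m is None:
            current = None  # any other line closes the open stack
            continue
        if current is None:
            current = []
            stacks.append(current)
        code = f"{m.group(1)}-{m.group(2)}"
        if code not in BANNER:
            current.append((code, m.group(3)))
    return stacks


def undecryptable_pieces(log_text):
    """Backup pieces whose restore failed with ORA-19913 (unable to decrypt)."""
    pieces = []
    for stack in error_stacks(log_text):
        codes = [code for code, _ in stack]
        if "ORA-19913" not in codes:
            continue
        # ORA-19870 names the piece as the last word of its message.
        handle = next((msg.rsplit(" ", 1)[-1] for code, msg in stack
                       if code == "ORA-19870"), None)
        pieces.append({"piece": handle, "codes": codes})
    return pieces
```

Calling `undecryptable_pieces(SAMPLE_LOG)` returns one entry naming the datafile backup piece together with its four error codes; a log whose stacks lack ORA-19913 returns an empty list.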