Encrypt backups using Oracle 10gR2's RMAN
Takeaway: No IT pros want their company to make headline news because of a data breach. You can make your data less vulnerable to theft by using a new feature in Oracle 10g Release 2 that lets you make encrypted backups via Recovery Manager.
A spate of recent news stories has highlighted the importance of protecting database backups. Backup tapes stolen from banks, brokerage houses, retail stores, and even the IRS have exposed data from millions of customers (source: Chronology of Data Breaches).
Once your data leaves the security of the Oracle database, it is vulnerable to theft. In Oracle 10g Release 2 (Oracle 10gR2), you can encrypt your backups as you make them instead of having to use a third-party tool to do the encryption/decryption. Upon restoring these backups, Oracle will automatically decrypt the data.
There are three forms of encryption available in Oracle 10gR2: transparent (the default), password, or dual-mode.
Transparent
The transparent option is designed for backups that will be restored to the same server. The Oracle Encryption Wallet, which is part of the Advanced Security option, must be configured first. The wallet contains encryption/decryption credentials. Then, because the transparent option is the default, you would add the following to your Recovery Manager (RMAN) script:
SET ENCRYPTION ON
Password
The password option is useful when you're sending a backup to another site -- it requires no advance setup on either end. You add the following to your RMAN backup script:
SET ENCRYPTION ON IDENTIFIED BY 'password' ONLY
When restoring a backup made with password encryption, you must supply the original password:
SET DECRYPTION IDENTIFIED BY 'password'
If you lose the password, the data cannot be restored. Also, be sure to protect your RMAN script, as it contains the password.
Dual-mode
The dual-mode option lets you decrypt either transparently or by using a password. You can use this if you normally restore to the same server but occasionally need to transfer a backup to another server where the Oracle Encryption Wallet doesn't exist. This option is similar to the password option but with the word ONLY left off:
SET ENCRYPTION ON IDENTIFIED BY 'password'
Three final notes to keep in mind: Encrypted backups will take longer to perform due to the extra overhead involved; be sure to thoroughly test both backup and restore scripts; and measure the time required.
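As an added example (not part of the original article), the shell helper below keeps the password out of the RMAN script: it reads the password from a file that only its owner can access and writes the SET ENCRYPTION command, in either the password or the dual-mode form shown above, to standard output. The function names, the password-file convention and the BACKUP DATABASE step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_pwfile and emit_rman_commands are hypothetical helper names.

# Succeed only if $1 is a regular file with no group/other permission bits.
check_pwfile() {
    [ -f "$1" ] || { echo "missing password file: $1" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1 must be mode 600 or 400" >&2; return 1; }
}

# Print RMAN commands for an encrypted backup on stdout.
#   $1 = password file
#   $2 = "password" (password-only) or "dual" (wallet or password)
emit_rman_commands() {
    check_pwfile "$1" || return 1
    pw=$(cat "$1")
    nl='
'
    # Reject values that would break out of the quoted RMAN literal.
    case "$pw" in
        ""|*"'"*|*"$nl"*)
            echo "password is empty or contains a quote or newline" >&2
            return 1 ;;
    esac
    case "$2" in
        password) only=" ONLY" ;;   # restore always needs the password
        dual)     only="" ;;        # restore via wallet or password
        *) echo "mode must be 'password' or 'dual'" >&2; return 1 ;;
    esac
    printf "SET ENCRYPTION ON IDENTIFIED BY '%s'%s;\n" "$pw" "$only"
    printf "BACKUP DATABASE;\n"
}
```

Pipe the output to RMAN, for example `emit_rman_commands /path/to/pwfile password | rman target /` (the path is a placeholder), so the password is never stored in the script itself.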
Bob Watkins (OCP, MCDBA, MCSE, MCT) is a computer professional with 25 years of experience as a technical trainer, consultant, and database administrator. Visit Bob's site.
