RMAN Backup Encryption

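When backup files have to be transferred, backup encryption is used for security reasons.
Oracle provides three encryption modes:
(1) Transparent mode: the default. It requires the Oracle key management infrastructure to be available and configured, i.e. it relies on the Oracle wallet.
(2) Dual mode: supports both wallet-based and password-based management. The wallet is used for restores on the local host, and the password for restores on a remote host.
(3) Password mode: the Oracle wallet is not involved; you only specify the encryption/decryption password at backup or restore time. It is comparatively simple and quick to operate.

This article covers only the steps for password mode.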

1. View the current database encryption setting and encryption algorithm

RMAN> show encryption for database;

using target database control file instead of recovery catalog
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

RMAN> show encryption algorithm;

RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

2. List the currently supported encryption algorithms

SQL> select * from v$rman_encryption_algorithms;

ALGORITHM_ID ALGORITHM_NAME  ALGORITHM_DESCRIPTIO IS_DEFAULT RESTORE_ONLY
------------ --------------- -------------------- ---------- ------------
           1 AES128          AES 128-bit key      YES        NO
           2 AES192          AES 192-bit key      NO         NO
           3 AES256          AES 256-bit key      NO         NO

3. Enable backup encryption at the database level

RMAN> configure encryption for database on;

4. Set the encryption algorithm

RMAN> configure encryption algorithm 'AES256';

5. Encrypt the backup with a password

[oracle@network-bind rmanback]$ rman target /

RMAN> show encryption for database;

using target database control file instead of recovery catalog
RMAN configuration parameters for database with db_unique_name ORCL are:
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

RMAN> set encryption on identified by "oracle" only;

executing command: SET encryption

RMAN> backup database format '/rmanback/orcl_full_%U';

Starting backup at 10-JUL-23
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=38 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00003 name=/oradata/orcl/undotbs01.dbf
input datafile file number=00001 name=/oradata/orcl/system01.dbf
input datafile file number=00002 name=/oradata/orcl/sysaux01.dbf
input datafile file number=00004 name=/oradata/orcl/users01.dbf
input datafile file number=00010 name=/oradata/orcl/big1.dbf
input datafile file number=00011 name=/oradata/orcl/big2.dbf
input datafile file number=00012 name=/oradata/orcl/lxj01.dbf
input datafile file number=00013 name=/oradata/orcl/fqcs1.dbf
input datafile file number=00014 name=/oradata/orcl/fqcs2.dbf
input datafile file number=00009 name=/oradata/orcl/p2.dbf
input datafile file number=00006 name=/oradata/orcl/test_b.dbf
input datafile file number=00007 name=/oradata/orcl/test_c.dbf
input datafile file number=00005 name=/oradata/orcl/p1.dbf
input datafile file number=00008 name=/oradata/orcl/audit_tbs1.dbf
channel ORA_DISK_1: starting piece 1 at 10-JUL-23
channel ORA_DISK_1: finished piece 1 at 10-JUL-23
piece handle=/rmanback/orcl_full_1o20t962_1_1 tag=TAG20230710T093249 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:01:07
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current control file in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 10-JUL-23
channel ORA_DISK_1: finished piece 1 at 10-JUL-23
piece handle=/rmanback/orcl_full_1p20t985_1_1 tag=TAG20230710T093249 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 10-JUL-23

Recovery Manager complete.

6. Test whether the backup was encrypted

[oracle@network-bind rmanback]$ sqlplus / as sysdba

SQL> shutdown abort
SQL> startup mount

[oracle@network-bind rmanback]$ ll
total 2422616
-rw-r----- 1 oracle oinstall 2470764544 Jul 10 09:33 orcl_full_1o20t962_1_1
-rw-r----- 1 oracle oinstall    9994240 Jul 10 09:33 orcl_full_1p20t985_1_1

[oracle@network-bind rmanback]$ rman target /

RMAN> catalog backuppiece '/rmanback/orcl_full_1o20t962_1_1';

using target database control file instead of recovery catalog
cataloged backup piece
backup piece handle=/rmanback/orcl_full_1o20t962_1_1 RECID=22 STAMP=1141810538

RMAN> catalog backuppiece '/rmanback/orcl_full_1p20t985_1_1';

cataloged backup piece
backup piece handle=/rmanback/orcl_full_1p20t985_1_1 RECID=23 STAMP=1141810568

RMAN> restore database;

Starting restore at 10-JUL-23
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=19 device type=DISK

skipping datafile 5; already restored to file /oradata/orcl/p1.dbf
skipping datafile 6; already restored to file /oradata/orcl/test_b.dbf
skipping datafile 8; already restored to file /oradata/orcl/audit_tbs1.dbf
skipping datafile 9; already restored to file /oradata/orcl/p2.dbf
skipping datafile 10; already restored to file /oradata/orcl/big1.dbf
skipping datafile 11; already restored to file /oradata/orcl/big2.dbf
skipping datafile 12; already restored to file /oradata/orcl/lxj01.dbf
skipping datafile 13; already restored to file /oradata/orcl/fqcs1.dbf
skipping datafile 14; already restored to file /oradata/orcl/fqcs2.dbf
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00001 to /oradata/orcl/system01.dbf
channel ORA_DISK_1: restoring datafile 00002 to /oradata/orcl/sysaux01.dbf
channel ORA_DISK_1: restoring datafile 00003 to /oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: restoring datafile 00004 to /oradata/orcl/users01.dbf
channel ORA_DISK_1: restoring datafile 00007 to /oradata/orcl/test_c.dbf
channel ORA_DISK_1: reading from backup piece /rmanback/orcl_full_1o20t962_1_1
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 07/10/2023 09:36:38
ORA-19870: error while restoring backup piece /rmanback/orcl_full_1o20t962_1_1
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open  -- The restore fails at this point, which shows the backup was encrypted; a password must be set to decrypt it.

7. Set the password to decrypt and restore

RMAN> set decryption identified by "oracle";

executing command: SET decryption

RMAN> restore database;

Starting restore at 10-JUL-23
using channel ORA_DISK_1

skipping datafile 5; already restored to file /oradata/orcl/p1.dbf
skipping datafile 6; already restored to file /oradata/orcl/test_b.dbf
skipping datafile 8; already restored to file /oradata/orcl/audit_tbs1.dbf
skipping datafile 9; already restored to file /oradata/orcl/p2.dbf
skipping datafile 10; already restored to file /oradata/orcl/big1.dbf
skipping datafile 11; already restored to file /oradata/orcl/big2.dbf
skipping datafile 12; already restored to file /oradata/orcl/lxj01.dbf
skipping datafile 13; already restored to file /oradata/orcl/fqcs1.dbf
skipping datafile 14; already restored to file /oradata/orcl/fqcs2.dbf
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00001 to /oradata/orcl/system01.dbf
channel ORA_DISK_1: restoring datafile 00002 to /oradata/orcl/sysaux01.dbf
channel ORA_DISK_1: restoring datafile 00003 to /oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: restoring datafile 00004 to /oradata/orcl/users01.dbf
channel ORA_DISK_1: restoring datafile 00007 to /oradata/orcl/test_c.dbf
channel ORA_DISK_1: reading from backup piece /rmanback/orcl_full_1o20t962_1_1
channel ORA_DISK_1: piece handle=/rmanback/orcl_full_1o20t962_1_1 tag=TAG20230710T093249
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:01:05
Finished restore at 10-JUL-23  -- The restore now completes normally.

RMAN> exit

Recovery Manager complete.
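
An added example, not part of the original article: a shell helper that emits the commands from steps 4 and 5 with the passphrase read from an owner-only file instead of a typed literal such as "oracle", plus a check that classifies a restore log the way steps 6 and 7 do. The function names, the passphrase file, and the 16-character minimum are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Print RMAN commands for a password-mode backup. The passphrase is read
# from a file, so it is not typed as a literal at the RMAN prompt.
# Usage: rman_pw_backup_script PASSFILE '/rmanback/orcl_full_%U' | rman target /
rman_pw_backup_script() {
    passfile=$1; format=$2
    [ -f "$passfile" ] || { echo "passphrase file missing" >&2; return 2; }
    # Only the owner may read the file (mode 600 or 400).
    mode=$(stat -c %a "$passfile" 2>/dev/null || stat -f %Lp "$passfile")
    case $mode in
        600|400) ;;
        *) echo "passphrase file mode $mode is too open" >&2; return 3 ;;
    esac
    IFS= read -r pw < "$passfile" || [ -n "$pw" ] || return 4
    # Assumed policy: at least 16 characters, which rejects "oracle".
    [ "${#pw}" -ge 16 ] || { echo "passphrase too short" >&2; return 4; }
    # A quote character would end the RMAN string literal early.
    case $pw in
        *\"*|*\'*) echo "quote character in passphrase" >&2; return 5 ;;
    esac
    cat <<EOF
configure encryption algorithm 'AES256';
set encryption on identified by "$pw" only;
backup database format '$format';
EOF
}

# Classify an RMAN restore log read from stdin:
#   locked   - ORA-19913 seen: the piece is encrypted and no key was supplied
#   restored - the restore finished without a decryption error
restore_log_status() {
    awk '/ORA-19913/ { s = "locked" }
         /^Finished restore at/ && s == "" { s = "restored" }
         END { print (s == "" ? "unknown" : s) }'
}

# Constructed sample input: the error tail shown in step 6.
restore_log_status <<'EOF'
ORA-19870: error while restoring backup piece /rmanback/orcl_full_1o20t962_1_1
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
EOF
```

The same passphrase file has to be available wherever the backup is restored, because `set decryption identified by` needs the identical value.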
