Encrypt backups using Oracle 10gR2's RMAN

By Bob Watkins, TechRepublic | 2008/07/10 10:50:01

Tags: backup, data, encrypt, oracle, password, security

Change the text size: a | A

A spate of recent news stories has highlighted the importance of protecting database backups. Backup tapes stolen from banks, brokerage houses, retail stores, and even the IRS have exposed data from millions of customers (source: Chronology of Data Breaches).

Once your data leaves the security of the Oracle database, it is vulnerable to theft. In Oracle 10g Release 2 (Oracle 10gR2), you can encrypt your backups as you make them instead of having to use a third-party tool to do the encryption/decryption. Upon restoring these backups, Oracle will automatically decrypt the data.

There are three forms of encryption available in Oracle 10gR2: transparent (the default), password, or dual-mode.

Transparent

The transparent option is designed for backups that will be restored to the same server. The Oracle Encryption Wallet, which is part of the Advanced Security option, must be configured first. The wallet contains encryption/decryption credentials. Then, because the transparent option is the default, you would add the following to your Recovery Manager (RMAN) script:

SET ENCRYPTION ON

Password

The password option is useful when you're sending a backup to another site -- it requires no advance set-up on either end. You add the following to your RMAN backup script:

SET ENCRYPTION ON IDENTIFIED BY 'password' ONLY

When restoring a backup made with password encryption, you must supply the original password:

SET DECRYPTION IDENTIFIED BY 'password'

If you lose the password, the data cannot be restored. Also, be sure to protect your RMAN script, as it contains the password.

Dual-mode

The dual-mode option lets you decrypt either transparently or by using a password. You can use this if you normally restore to the same server but occasionally need to transfer it to another server where the Oracle Encryption Wallet doesn't exist. This option is similar to the password option but with the word ONLY left off:

SET ENCRYPTION ON IDENTIFIED BY 'password'

Three final notes to keep in mind: Encrypted backups will take longer to perform due to the extra overhead involved; be sure to thoroughly test both backup and restore scripts; and measure the time required.

This was published in Database Jumping, check every Thursday for more stories

Log in

News and features

Latest
Popular
Features
Most Discussed

Blogs

Tools for the Semantic Web

This blog post covers some of the technologies available for creating applications for the Semantic Web. Read more »

-- posted by Lana Kovacevic
Bridging the gap between programmers and the vision

A successful project will have a hard time flying if you don't walk through the game plan before writing a line of code. Read more »

-- posted by Brendon Chase
Social news start-up Streem shuts down

Sydney social news start-up Streem will shut down this afternoon, according to a heartfelt notice posted on the site this morning by its founder Elgar Welch. Read more »

-- posted by Renai LeMay

Videos

How to Reset Windows passwords

2008/10/01 14:31:09

Play the video
Five things to consider when choosing a Linux distribution

2008/10/01 15:50:33

Play the video
Cyber-terrorism 'a big threat'

2008/12/01 12:43:32

Play the video

What's on?

Space pr0n, patent karma and Yang out -- Club Builder

On Club Builder this week: how NASA plans to get the Internet into space, Jerry Yang is out the door at Yahoo and Brendan Eich discusses javascript engine competition.

Encrypt backups using Oracle 10gR2's RMAN

By Bob Watkins, TechRepublic | 2008/07/10 10:50:01

Related links

Leave a comment

Log in

News and features

Blogs

Videos

What's on?

Featured links

Encrypt backups using Oracle 10gR2's RMAN

By Bob Watkins, TechRepublic | 2008/07/10 10:50:01

Related links

Leave a comment

Log in

News and features

Blogs

Videos

Most popular tags

What's on?

Featured links