12 Managing Backup Encryption

Backup Encryption is an optional and easily configurable mechanism which ensures that all client data that Oracle Secure Backup writes to a backup container is encrypted. Backup encryption can be performed for both file-system data and Recovery Manager (RMAN) generated backups.


Encryption is not supported during volume duplication or volume migration. Unencrypted backup sections on a volume cannot be encrypted during a volume duplication or volume migration operation. For more information about volume duplication and volume migration, see Vaulting.

This chapter contains these sections:

12.1 Overview of Backup Encryption

Data is vital to an organization and it must be guarded against malicious intent while it is in an active state, on production servers, or in preserved state, on backup tapes. Data center security policies enable you to restrict physical access to active data. To ensure security of backup data stored on tapes, Oracle Secure Backup provides backup encryption.

You can encrypt data at the global level, client level, and job level by setting appropriate encryption policies. You can select the required algorithm and encryption options to complete the encryption process.

This section consists of the following topics, that explain backup encryption in detail:

12.1.1 Types of Backup Encryption

Oracle Secure Backup enables you to perform the following types of encryption:

  • Software encryption

    Software encryption is supported for hosts that have the Oracle Secure Backup software installed. It is not supported for NDMP hosts or NAS filers. The data that is backed up is encrypted before it is sent over the network to the backup storage media.

    When you use software encryption for a backup, all backup image instances associated with this backup are encrypted. If software encryption is not enabled at the time the backup is created, you can encrypt a backup image instance created using the original unencrypted backup if this backup image instance is being stored in a tape device that supports hardware encryption.

    See Also:

    Oracle Secure Backup Reference for more information about backup encryption when copying backup image instances

  • Hardware encryption

    Hardware encryption is supported only for tape devices that support encryption such as the LTO5 tape drive. The tape device hardware performs the required data encryption.

    If a backup that uses hardware encryption is copied to a disk pool, the backup image instance on the disk pool is unencrypted. However, if a backup is created using software encryption, you cannot use hardware encryption for backup image instances created using this backup.

12.1.2 About Backup Encryption Policies

Backup encryption is designed to be easy to implement. In the simplest scenario, you change one global policy to ensure that all data from each client is encrypted. Backup encryption also offers a large degree of configuration flexibility.

To set encryption at the global level or for a specific client, set the encryption policy to one of the following values:

  • required

    All data coming from this backup domain or client must be encrypted.

  • allowed

    All data coming from this backup domain or client may be encrypted. The decision to encrypt is deferred to the next lower priority level. This is the default setting.

12.1.3 About Backup Encryption Setting Levels

You can specify encryption settings at the following levels, from highest to lowest precedence. The encryption policies are explained under "About Backup Encryption Policies"

  1. Global

    If backup encryption is set to required at the global level, then all backup operations within the administrative domain will be encrypted. This global policy is defined using Oracle Secure Backup defaults and policies.

  2. Client

    If the host encryption setting is required, then all backup operations on the host will be encrypted regardless of whether or not encryption was configured at the backup level. If the host encrypted setting is allowed, then backups on the host will not be encrypted unless configured as part of the backup job itself or if the global encryption policy is set to required.

  3. Job

    If the host and global encryption policies are set to allowed, then backup encryption will only be performed if it is configured at the backup level.

An encryption setting specified at a higher level always takes precedence over a setting made at a lower level. For example, if you enable backup encryption at the global level, and your file-system backup job disables encryption, then the backup is still encrypted because the setting at the higher level (global level) takes precedence.

12.1.4 About Backup Encryption Options

While enabling encryption for backups, you can select one of the following options:

  • yes

    This option specifies that the backup is encrypted.

  • no

    This option specifies that the backup is not encrypted. This is the default setting.

  • forced off

    This option specifies that the backup is not encrypted, overriding the host-required encryption setting

  • transient

    This option specifies a backup encrypted by Oracle Secure Backup with a user-supplied one-time passphrase. If you select this option, then you must also select an encryption algorithm option and enter a passphrase in the specify passphrase field.

    A client rekeyfrequency policy defines when a different key is generated. For example, the policy might require that a different set of keys be generated every 30 days. Older keys are retained in a wallet-protected key store. This ensures that if a key or wallet and the associated backup tape are compromised, then only older data could be unencrypted. The default rekeyfrequency policy for a client is inherited from the global rekeyfrequency policy.

12.1.5 About Backup Encryption Algorithms

The encryption algorithm is inherited from the global default policy and can be overridden at the client level. Each client can use a different encryption algorithm. For example, a payroll computer can use a higher level of encryption than a test lab computer. The supported encryption algorithms are:

  • AES128

  • AES192

  • AES256

See Also:

"About Hardware Encryption Algorithm" for more information about hardware encryption options

12.1.6 About Backup Encryption Security Control

Oracle Secure Backup provides an interwoven encryption security model that mainly controls user-level access, host authentication, and key management. Once backup encryption is enabled, all data is encrypted using the defined encryption algorithm. The data is encrypted before it leaves the client. The encryption keys are stored in a mechanism that is protected by the Oracle Secure Backup wallet.

The administrative server is considered a secure host. All keys and wallet-protected key stores for all clients are stored on this protected computer. When a backup or restore job is started, the encryption key is passed over a SSL connection to the client that is encrypting or decrypting data. The encryption keys are retained in memory only so long as needed to perform the encryption or decryption.

The encrypted key stores are extremely valuable, because they enable encryption and decryption of all tapes. If the key stores are lost, then all data would also be lost. Best practise is to schedule frequent catalog backups of your Oracle Secure Backup administrative server using the OSB-CATALOG-DS dataset provided as this includes a backup of you key stores. The encrypted key store format is platform independent.

Backups of Oracle Secure Backup administrative data must not be encrypted with an automatically generated key. If they were, and if the administrative server were destroyed, then recovering the decryption key used to encrypt the encryption keys would be difficult. For this reason, making a transient backup of the administrative server tree is better.

12.1.7 About Backup Encryption Key Management

Keys can be generated either randomly, also called transparent keys, or with a passphrase. The suggested mode of operation and default value is automatic generation. Each newly created client gets an automatically generated key during the mkhost phase. This transparent key is added to the wallet-protected key store that is specific for this client, and it remains valid for encryption until:

  • A key renewal event occurs

  • The backup administrator manually renews an automatically generated key

  • The backup administrator changes the key to a passphrase while providing a different passphrase

    The passphrase is never stored anywhere. The hash of the passphrase and the key generated from the passphrase are stored in the encrypted store. Oracle Secure Backup does not enforce a minimum length for a passphrase.

Once the new key is created, it is added to the wallet-protected key store and marked as the active encryption key. Old encryption keys are left in the key store and used for automatic and seamless decryption of data. If clients are removed from the backup domain, then their key stores are still retained on the administrative server. This ensures that the backup administrator can always restore data no matter the age of the encrypted backup volume set.


There is one exception where a key is not automatically added to the key store. Keys for transient backups are effectively one-use keys and are not usually stored in the key store. You can override this behavior through a command line option. See "About Transient Backup Encryption" to learn more about transient backups.

When a key expires, a different key is automatically generated. For passphrase generated keys, however, there is some overhead for the backup administrator, who must type in a passphrase for each client that is using passphrase-generated keys. When a passphrase-generated key expires, Oracle Secure Backup generates a warning message stating that the backup administrator must update the passphrase for the stated client. This message is placed in the Oracle Secure Backup log files, the display output, and an email to the backup administrator.

12.1.8 About Backup Encryption for File-System Backups

For file-system backups, you can select encryption for the entire administrative domain, a specific client, or a specific backup job. To define encryption for a particular file-system backup job, you specify the encryption policy in the backup schedule that is associated with your file-system backup job. You can also configure encryption for on-demand backups of file-system data.

12.1.9 About Backup Encryption for Oracle Database Backups

For Oracle Database backups, encryption can be specified for the administrative domain, a specific client, or a specific backup job. You specify encryption for a specific Oracle Database backup job using database backup storage selectors or through the Recovery Manager (RMAN) media management parameter OB_ENCRYPTION. The encryption algorithm that Oracle Secure Backup uses depends on the algorithm configured for the Oracle Secure Backup host.

See Also:

"Adding a Database Backup Storage Selector" for information about defining backup storage selectors

For a particular Oracle Database backup job, settings made using the OB_ENCRYPTION parameter override the settings made using the database storage selector associated with the backup job.

If the RMAN data from the SBT is encrypted, then Oracle Secure Backup performs no further encryption. RMAN encryption satisfies a host or global required encryption setting within Oracle Secure Backup. For example, if a host is configured with encryption required and the backup was encrypted by RMAN, then Oracle Secure Backup does not re-encrypt the backup because the host encryption required configuration has been met. For RMAN encrypted backups, the encryption keys are managed by the database so the host encryption key settings configured within Oracle Secure Backup would not apply.

If a host is configured for encryption required, and if RMAN backup encryption is disabled, then Oracle Secure Backup encrypts the RMAN backups using Oracle Secure Backup encryption based on the host encryption configuration.

Values for RMAN Parameter OB_ENCRYPTION

You can set the following values for the OB_ENCRYPTION parameter:

  • ON

    Oracle Secure Backup encrypts the backup data unless it has already been encrypted by RMAN.

  • OFF

    Oracle Secure Backup does not encrypt the backup data unless either the host or global policy is set to required. Setting OB_ENCRYPTION to OFF is equivalent to specifying no value for it.


    Oracle Secure Backup does not encrypt the database backup, overriding any host or domain encryption settings that are set to required. The FORCEDOFF setting does not affect RMAN, which can still encrypt the backup data.


    Oracle Secure Backup uses software encryption instead of hardware encryption. This option is provided in case you do not want hardware encryption used in some situations.

See Also:

Oracle Database Backup and Recovery User's Guide for more information

12.2 Overview of Software-Based Encryption

Oracle Secure Backup provides policy-based backup encryption securing the backup data on tape whether the tapes are onsite, offsite, or lost. This section explains backup encryption for different types of backups monitored by encryption policies.

12.2.1 About Transient Backup Encryption

In some cases you may need to back up a set of data from backup domain Site A and restore it at backup domain Site B. The backup set might contain backup files for several clients. Each client backup file is encrypted to a client-specific encryption key, which was probably used in recent backups at Site A. For Site B to decrypt the data, you would have to collect all keys used in encrypting the data at Site A and then ship those keys to Site B.

This scenario would be a serious threat to security because these keys were used in other recent backups. Oracle Secure Backup enables cross-site backup encryption without this security threat by encrypting data at the volume set level for a given backup job. The key for volume set encryption is based on a passphrase. The data is encrypted against this passphrase-generated key for all clients that are part of this backup job. The backup administrator of Site A gives the passphrase and encryption algorithm used to Site B. The passphrase and encryption algorithm are provided when Site B does the restore operation, and the data can be decrypted.

In all other cases, the encryption keys for backup encryption are automatically added to the appropriate wallet-protected key store. A transient key, however, is a one-time key used mainly for moving data to a remote location. Transient encryption keys, therefore, are not stored in the protected key stores by default. Oracle Secure Backup does provide an option to the backup administrator to store the transient encryption key in the key store.

Oracle Secure Backup supports transient passphrase encryption only for file-system backups. For Oracle Databases, use RMAN to create and restore transient passphrase encrypted backups.

See Also:

12.3 Overview of Hardware-Based Encryption

The disadvantage of encrypting backup data using RMAN or Oracle Secure Backup is the performance impact. Determining this impact can be difficult, and its importance depends on your circumstances. If you want encryption without performance impact, Oracle Secure Backup supports hardware-based encryption on select LTO and T10000 tape drive formats.

The LTO and T10000 interface to hardware encryption is implemented through the SCSI specification for hardware encryption. Other vendors offer similar hardware, and their products are certified for use with Oracle Secure Backup as they are tested and approved by Oracle. Information about every tape device supported by Oracle Secure Backup is available at the following URL:


Hardware-based encryption brings no changes to the existing Oracle Secure Backup encryption model. All that is required for hardware-based encryption, other than the selected tape drive hardware, is that encryption be turned on at the policy, host, or backup job level within Oracle Secure Backup. All encryption decisions, policies, key management, and settings regarding hardware-based encryption are identical with those for software-based encryption.

You select hardware-based encryption either by selecting the tape drive for a backup or by having nothing but the select tape drives in your Oracle Secure Backup administrative domain. Oracle Secure Backup turns on the encryption feature within the tape drive with SCSI commands and sends the encryption key to the tape drive. Encryption is performed by the LTO and T10000 drive formats in hardware instead of in software by Oracle Secure Backup. If a drive that supports hardware encryption is not found, or if there is no compatible tape in the drive, then the existing Oracle Secure Backup software encryption model is used.

If a drive that supports hardware encryption contains a compatible tape but needs an additional compatible tape to complete a backup, then Oracle Secure Backup looks for an additional LTO or T10000 tape. If it finds one, it mounts the supporting tape and continues with the backup. If Oracle Secure Backup cannot mount an additional compatible tape, then the job state shows as Running and input is required by the backup operator.


It is not possible to back up using hardware-based encryption and then restore using software-based encryption. Nor is it possible to back up using software-based encryption and then restore using hardware-base encryption.

12.3.1 About Hardware-Encrypted Transient Backups

You can disable hardware-based encryption on transient backups with the --disablehardwareencryption option of the backup command.This option forces Oracle Secure Backup to use software-based encryption for the backup.

You can also disable hardware encryption by setting the enablehardwareencryption backup encryption policy to no.

See Also:

12.3.2 About Hardware Encryption Reports and Logging

Hardware-based encryption generates no additional reports or logs, but it does affect the following existing reports and logs:

  • In any transcript, log, or report where Oracle Secure Backup shows encryption settings on/off/forcedoff/rman, hardware-based encryption adds hardware and transient_hardware settings for data that was encrypted by the selected tape drive.

  • Job transcripts show encryption type and algorithm.

  • Output of the lssection --long command includes encryption type.

    Following is an example of the output of the lssection command:

    ob> lssection --long
    Backup section OID: 114
        Containing volume: passphrase-mf-000001
        Containing volume OID: 119
        File: 2
        Section: 1
        Backup level: 0
        Client: storabck34
        Encryption: hardware
        Algorithm: aes256
        Created: 2014/02/25.15:30
        Size: 1.9 MB
  • Output of the lsvol --long command shows if a volume can be encrypted in a Tape Attributes field. Possible values are unknown, hw encryptable, and not hw encryptable. The unknown value persists until a tape is mounted and Oracle Secure Backup can determine if it supports hardware encryption.

  • The lsdev --long --geometry command reports on the availability of hardware encryption.

12.3.3 About Hardware Encryption Algorithm

Oracle Secure Backup supports encryption algorithms AES128, AES192, and AES256 for software-based encryption. In addition to host-based software encryption, Oracle Secure Backup also supports tape drive hardware encryption for compatible tape formats like LTO and T10000 as listed on the Oracle Secure Backup tape drive compatibility device matrix. Oracle Secure Backup automatically chooses the AES256 algorithm while performing tape drive encryption. Oracle Secure Backup encryption key management is identical whether performing host-based software encryption or tape drive encryption.

When a hardware-encrypted backup job completes, the job transcript and all other reports display the AES256 encryption algorithm. The archive section database and the tape header also show that the AES256 algorithm was used for the encryption.

This behavior matters only when you do a hardware-encrypted transient backup and do not store the key. In this situation, you must supply the AES256 algorithm when doing a restore. If the backup --store option was used on a hardware-encrypted transient backup, then the algorithm is not needed.

See Also:

12.3.4 About Hardware Encryption Policies

Hardware-based encryption in Oracle Secure Backup is controlled by two backup encryption policies:

  • enablehardwareencryption

    By default, Oracle Secure Backup automatically leverages tape drive encryption over host-based encryption. If the policy value is changed to no, then Oracle Secure Backup does software-based encryption instead of hardware based encryption.

  • requireencryptablemedia

    If this policy is set to its default value no, then Oracle Secure Backup first attempts to mount a tape capable of hardware encryption. If that is not possible, then Oracle Secure Backup falls back to software encryption. If the policy value is changed to yes, then Oracle Secure Backup puts the job into a pending state until a hardware-encryptable tape is made available.

    This policy is ignored if the tape drive is incapable of hardware encryption or cannot identify encryption-capable tapes.

See Also:

"Enabling Hardware Encryption" for detailed information on the steps to enable hardware encryption.

12.4 Example: Performing a One-Time Unencrypted Backup

Oracle Secure Backup enables the backup administrator to do a one-time unencrypted backup without changing global or client encryption settings.

Suppose the backup administrator is planning to move all home directories from one host to another and does not want to copy files directly between these two hosts. The backup administrator wants instead to back up a dataset worth of data to a tape, restore it to another host, and immediately destroy the tapes or the contents of the tapes after the transfer. The backup administrator does not want to use encryption because of the processing overhead that occurs.

In this special case, the backup administrator can use the backup --encryption forcedoff command. This command overrides global and client encryption settings and performs an unencrypted backup. Transcripts and all other reports for this job then state that encryption was forcibly disabled for this backup set. There is a similar mechanism available to RMAN backups using the OB_ENCRYPTION variable from within RMAN.

See Also:

Oracle Secure Backup Reference for complete syntax and semantics of the backup command in obtool

12.5 Example: Performing Day-to-Day Backup Encryption

By default the initial global and client backup encryption policy settings are allowed. Encryptions keys are generated automatically with a default AES192 encryption algorithm. If the backup administrator decides that the default configuration is sufficient for the enterprise, then no configuration is required. This section describes the configuration of a more complicated case.

In this more complicated enterprise, there are three classes of hosts that need differing types and amount of encryption:

  • Developers

    These clients require encryption only for source code backup operations in a dataset called sourcecode.

  • Payroll

    This client requires AES256 encryption with a different encryption key each week.

  • CEO

    This client requires all data to be encrypted using a passphrase-generated key.

There are no options that must be changed for developer clients. The backup administrator instead updates the backup job for the sourcecode dataset that is used to back up the developer computers. If the backup schedule does not yet exist, then the backup administrator creates a backup schedule with a mksched command:

mksched --dataset sourcecode --type backup --encryption yes SourceCode

If the backup schedule exists, then the backup administrator uses the chsched command with the same options specified.

The payroll host requires changes to the default client policies and settings for the encryption algorithm, key regeneration time, and client encryption flags. The backup administrator can make these changes with a chhost command:

chhost -algorithm aes256 -encryption required -rekeyfrequency 1week Payroll

This ensures that all data from the payroll client is always encrypted to the AES256 algorithm with a different key encryption key each week.

The default encryption is sufficient for the CEO client, but the backup administrator must change the encryption key type to passphrase-generated. This can be done with another chhost command:

chhost --keytype passphrase TheBoss

You will be prompted to enter the passphrase. Once the initial configuration has been performed there is minimal additional overhead managing backup encryption.

Since the keys are managed in the keystore internal to Oracle Secure Backup the passphrase should not be entered on the command line while restoring a backup. The restore command would not make any reference to this passphrase and the key management is transparent.

Host based passphrase and transparent encryption do not differ in the way encryption is handled. The only difference is the manner in which the encryption keys were created.

The encryption state is displayed as part of the job transcript during a backup operation for both file-system and RMAN backups.

12.6 Example: Performing Transient Backup Encryption

Oracle Secure Backup enables you to restore encrypted backups on different domains. For example, you encrypt a backup on domain A, you can restore this backup on domain B.

ob> backup --level full --at 2013/09/17.21:00 --priority 10 --privileged --encryption transient --algorithm aes128 --passphrase transient --dataset mydatasets1/test.ds --go
Info: backup request 1 (dataset mydatasets1/test.ds) submitted; job id is admin/3.

12.7 Enabling Backup Encryption

Data is encrypted at the client level. Each client has its own set of keys. One key is the active key used for encrypting backups. Older keys are used to seamlessly restore older backups that were created with those keys.


Oracle Secure Backup does not encrypt backups of NAS devices. Oracle Secure Backup encryption is performed on the client host where Oracle Secure Backup software has been installed. Because backup software cannot be installed directly on NAS devices, NDMP is used for backup and restore operations.

See Also:

"About Catalog Import Encryption" for more information about encrypting backup catalog data

12.7.1 Enabling Encryption for the Administrative Domain

To enable backup encryption at the global level, for the entire administrative domain:

  1. Follow the steps in "Displaying the Oracle Secure Backup Web Tool Home Page".
  2. From the Oracle Secure Backup Home page, click Configure.

    The Configure page appears.

  3. In the Advanced section, click Defaults and Policies.

    The Configure: Defaults and Policies page appears.

  4. In the Policy column, click backupencryption.

    The Configure: Defaults and Policies: Backupencryption page appears.

  5. For the Encryption property, select required.
  6. For the Algorithm property, select one of the following options: aes128, aes192, or aes256.

    See Also:

    "About Backup Encryption Algorithms" for information about the backup encryption algorithms

  7. For the Key Type property, select one of the following: transparent or use passphrase.

    See Also:

    "About Backup Encryption Key Management" for information about backup encryption key settings

12.7.2 Enabling Encryption for a Client

To enable backup encryption at the host level:

  1. Follow the steps in "Displaying the Oracle Secure Backup Web Tool Home Page".
  2. From the Oracle Secure Backup Home page, click Configure.

    The Configure page appears.

  3. In the Basic section, click Hosts.

    The Configure: Hosts page appears.

  4. Select the host for which you want to configure backup encryption and click Edit.
  5. For the Encryption property, select required.
  6. For the Algorithm property, select one of the following options: aes128, aes192, or aes256.

    See Also:

    "About Backup Encryption Algorithms" for information about the backup encryption algorithms

  7. For the Key Type property, select one of the following: transparent or use passphrase.

    See Also:

    "About Backup Encryption Key Management" for information about backup encryption key settings

12.7.3 Encrypting Data for Backups

You can enable encryption at the backup level. The encryption settings at the backup level override the global encryption policy settings. Enabling Encryption for a Scheduled Backup

  1. Perform steps 1 to 5 under "Adding a Backup Schedule".
  2. For Encryption, select Yes.
  3. Perform steps 6 to 8 under "Adding a Backup Schedule".
  4. Click Apply and then click OK. Enabling Encryption for an On-Demand Backup

  1. Perform steps 1 to 10 under "Adding an On-Demand Backup Request".
  2. Select the suitable encryption option for this backup.


    "About Backup Encryption Options" for detailed information on backup encryption options

  3. Click Apply and then click OK.

12.7.4 Enabling Transient Backup Encryption

To enable encryption for transient backups:

  1. Perform steps 1 to 10 under "Adding an On-Demand Backup Request".
  2. For Encryption, select transient.
  3. Enter a passphrase for secure encryption, in the specify passphrase field. Re-enter the passphrase in the verify field.
  4. Select an algorithm for this backup encryption.
  5. Click OK.

    See Also:

    "About Transient Backup Encryption" for detailed information on encrypting transient backups

12.7.5 Enabling Hardware Encryption

To change the values of hardware encryption policies:

  1. Follow the steps in "Displaying the Oracle Secure Backup Web Tool Home Page".

  2. From the Oracle Secure Backup Home page, click Configure.

    The Configure page appears.

  3. In the Advanced section, click Defaults and Policies.

    The Configure: Defaults and Policies page appears.

  4. In the Policy column, click backupencryption.

    The Configure: Defaults and Policies > backupencryption page appears as shown in Figure 12-1.

    Figure 12-1 Encryption Policies

    Description of Figure 12-1 follows
    Description of "Figure 12-1 Encryption Policies"
  5. To put backup jobs in a pending state if an encryptable tape is not loaded in the compatible tape drive, select yes in the Require encryptable media list.

  6. Click OK.

    The Configure: Defaults and Policies page displays a success message.