Backup Encryption is an optional and easily configurable mechanism which ensures that all client data that Oracle Secure Backup writes to a backup container is encrypted. Backup encryption can be performed for both file-system data and Recovery Manager (RMAN) generated backups.
Encryption is not supported during volume duplication or volume migration. Unencrypted backup sections on a volume cannot be encrypted during a volume duplication or volume migration operation. For more information about volume duplication and volume migration, see Vaulting.
This chapter contains these sections:
Data is vital to an organization and it must be guarded against malicious intent while it is in an active state, on production servers, or in preserved state, on backup tapes. Data center security policies enable you to restrict physical access to active data. To ensure security of backup data stored on tapes, Oracle Secure Backup provides backup encryption.
You can encrypt data at the global level, client level, and job level by setting appropriate encryption policies. You can select the required algorithm and encryption options to complete the encryption process.
This section consists of the following topics, that explain backup encryption in detail:
Oracle Secure Backup enables you to perform the following types of encryption:
Software encryption is supported for hosts that have the Oracle Secure Backup software installed. It is not supported for NDMP hosts or NAS filers. The data that is backed up is encrypted before it is sent over the network to the backup storage media.
When you use software encryption for a backup, all backup image instances associated with this backup are encrypted. If software encryption is not enabled at the time the backup is created, you can encrypt a backup image instance created using the original unencrypted backup if this backup image instance is being stored in a tape device that supports hardware encryption.
Oracle Secure Backup Reference for more information about backup encryption when copying backup image instances
Hardware encryption is supported only for tape devices that support encryption such as the LTO5 tape drive. The tape device hardware performs the required data encryption.
If a backup that uses hardware encryption is copied to a disk pool, the backup image instance on the disk pool is unencrypted. However, if a backup is created using software encryption, you cannot use hardware encryption for backup image instances created using this backup.
Backup encryption is designed to be easy to implement. In the simplest scenario, you change one global policy to ensure that all data from each client is encrypted. Backup encryption also offers a large degree of configuration flexibility.
To set encryption at the global level or for a specific client, set the encryption policy to one of the following values:
All data coming from this backup domain or client must be encrypted.
All data coming from this backup domain or client may be encrypted. The decision to encrypt is deferred to the next lower priority level. This is the default setting.
You can specify encryption settings at the following levels, from highest to lowest precedence. The encryption policies are explained under "About Backup Encryption Policies"
If backup encryption is set to
required at the global level, then all backup operations within the administrative domain will be encrypted. This global policy is defined using Oracle Secure Backup defaults and policies.
If the host encryption setting is
required, then all backup operations on the host will be encrypted regardless of whether or not encryption was configured at the backup level. If the host encrypted setting is
allowed, then backups on the host will not be encrypted unless configured as part of the backup job itself or if the global encryption policy is set to
If the host and global encryption policies are set to
allowed, then backup encryption will only be performed if it is configured at the backup level.
An encryption setting specified at a higher level always takes precedence over a setting made at a lower level. For example, if you enable backup encryption at the global level, and your file-system backup job disables encryption, then the backup is still encrypted because the setting at the higher level (global level) takes precedence.
While enabling encryption for backups, you can select one of the following options:
This option specifies that the backup is encrypted.
This option specifies that the backup is not encrypted. This is the default setting.
This option specifies that the backup is not encrypted, overriding the host-required encryption setting
This option specifies a backup encrypted by Oracle Secure Backup with a user-supplied one-time passphrase. If you select this option, then you must also select an encryption algorithm option and enter a passphrase in the specify passphrase field.
rekeyfrequency policy defines when a different key is generated. For example, the policy might require that a different set of keys be generated every 30 days. Older keys are retained in a wallet-protected key store. This ensures that if a key or wallet and the associated backup tape are compromised, then only older data could be unencrypted. The default
rekeyfrequency policy for a client is inherited from the global
The encryption algorithm is inherited from the global default policy and can be overridden at the client level. Each client can use a different encryption algorithm. For example, a payroll computer can use a higher level of encryption than a test lab computer. The supported encryption algorithms are:
"About Hardware Encryption Algorithm" for more information about hardware encryption options
Oracle Secure Backup provides an interwoven encryption security model that mainly controls user-level access, host authentication, and key management. Once backup encryption is enabled, all data is encrypted using the defined encryption algorithm. The data is encrypted before it leaves the client. The encryption keys are stored in a mechanism that is protected by the Oracle Secure Backup wallet.
The administrative server is considered a secure host. All keys and wallet-protected key stores for all clients are stored on this protected computer. When a backup or restore job is started, the encryption key is passed over a SSL connection to the client that is encrypting or decrypting data. The encryption keys are retained in memory only so long as needed to perform the encryption or decryption.
The encrypted key stores are extremely valuable, because they enable encryption and decryption of all tapes. If the key stores are lost, then all data would also be lost. Best practise is to schedule frequent catalog backups of your Oracle Secure Backup administrative server using the
OSB-CATALOG-DS dataset provided as this includes a backup of you key stores. The encrypted key store format is platform independent.
Backups of Oracle Secure Backup administrative data must not be encrypted with an automatically generated key. If they were, and if the administrative server were destroyed, then recovering the decryption key used to encrypt the encryption keys would be difficult. For this reason, making a transient backup of the administrative server tree is better.
Keys can be generated either randomly, also called transparent keys, or with a passphrase. The suggested mode of operation and default value is automatic generation. Each newly created client gets an automatically generated key during the
mkhost phase. This transparent key is added to the wallet-protected key store that is specific for this client, and it remains valid for encryption until:
A key renewal event occurs
The backup administrator manually renews an automatically generated key
The backup administrator changes the key to a passphrase while providing a different passphrase
The passphrase is never stored anywhere. The hash of the passphrase and the key generated from the passphrase are stored in the encrypted store. Oracle Secure Backup does not enforce a minimum length for a passphrase.
Once the new key is created, it is added to the wallet-protected key store and marked as the active encryption key. Old encryption keys are left in the key store and used for automatic and seamless decryption of data. If clients are removed from the backup domain, then their key stores are still retained on the administrative server. This ensures that the backup administrator can always restore data no matter the age of the encrypted backup volume set.
There is one exception where a key is not automatically added to the key store. Keys for transient backups are effectively one-use keys and are not usually stored in the key store. You can override this behavior through a command line option. See "About Transient Backup Encryption" to learn more about transient backups.
When a key expires, a different key is automatically generated. For passphrase generated keys, however, there is some overhead for the backup administrator, who must type in a passphrase for each client that is using passphrase-generated keys. When a passphrase-generated key expires, Oracle Secure Backup generates a warning message stating that the backup administrator must update the passphrase for the stated client. This message is placed in the Oracle Secure Backup log files, the display output, and an email to the backup administrator.
For file-system backups, you can select encryption for the entire administrative domain, a specific client, or a specific backup job. To define encryption for a particular file-system backup job, you specify the encryption policy in the backup schedule that is associated with your file-system backup job. You can also configure encryption for on-demand backups of file-system data.
For Oracle Database backups, encryption can be specified for the administrative domain, a specific client, or a specific backup job. You specify encryption for a specific Oracle Database backup job using database backup storage selectors or through the Recovery Manager (RMAN) media management parameter
OB_ENCRYPTION. The encryption algorithm that Oracle Secure Backup uses depends on the algorithm configured for the Oracle Secure Backup host.
"Adding a Database Backup Storage Selector" for information about defining backup storage selectors
For a particular Oracle Database backup job, settings made using the
OB_ENCRYPTION parameter override the settings made using the database storage selector associated with the backup job.
If the RMAN data from the SBT is encrypted, then Oracle Secure Backup performs no further encryption. RMAN encryption satisfies a host or global
required encryption setting within Oracle Secure Backup. For example, if a host is configured with encryption
required and the backup was encrypted by RMAN, then Oracle Secure Backup does not re-encrypt the backup because the host encryption
required configuration has been met. For RMAN encrypted backups, the encryption keys are managed by the database so the host encryption key settings configured within Oracle Secure Backup would not apply.
If a host is configured for encryption
required, and if RMAN backup encryption is disabled, then Oracle Secure Backup encrypts the RMAN backups using Oracle Secure Backup encryption based on the host encryption configuration.
Values for RMAN Parameter OB_ENCRYPTION
You can set the following values for the
Oracle Secure Backup encrypts the backup data unless it has already been encrypted by RMAN.
Oracle Secure Backup does not encrypt the backup data unless either the host or global policy is set to
OFF is equivalent to specifying no value for it.
Oracle Secure Backup does not encrypt the database backup, overriding any host or domain encryption settings that are set to
FORCEDOFF setting does not affect RMAN, which can still encrypt the backup data.
Oracle Secure Backup uses software encryption instead of hardware encryption. This option is provided in case you do not want hardware encryption used in some situations.
Oracle Database Backup and Recovery User's Guide for more information
Oracle Secure Backup provides policy-based backup encryption securing the backup data on tape whether the tapes are onsite, offsite, or lost. This section explains backup encryption for different types of backups monitored by encryption policies.
In some cases you may need to back up a set of data from backup domain Site A and restore it at backup domain Site B. The backup set might contain backup files for several clients. Each client backup file is encrypted to a client-specific encryption key, which was probably used in recent backups at Site A. For Site B to decrypt the data, you would have to collect all keys used in encrypting the data at Site A and then ship those keys to Site B.
This scenario would be a serious threat to security because these keys were used in other recent backups. Oracle Secure Backup enables cross-site backup encryption without this security threat by encrypting data at the volume set level for a given backup job. The key for volume set encryption is based on a passphrase. The data is encrypted against this passphrase-generated key for all clients that are part of this backup job. The backup administrator of Site A gives the passphrase and encryption algorithm used to Site B. The passphrase and encryption algorithm are provided when Site B does the restore operation, and the data can be decrypted.
In all other cases, the encryption keys for backup encryption are automatically added to the appropriate wallet-protected key store. A transient key, however, is a one-time key used mainly for moving data to a remote location. Transient encryption keys, therefore, are not stored in the protected key stores by default. Oracle Secure Backup does provide an option to the backup administrator to store the transient encryption key in the key store.
Oracle Secure Backup supports transient passphrase encryption only for file-system backups. For Oracle Databases, use RMAN to create and restore transient passphrase encrypted backups.
The disadvantage of encrypting backup data using RMAN or Oracle Secure Backup is the performance impact. Determining this impact can be difficult, and its importance depends on your circumstances. If you want encryption without performance impact, Oracle Secure Backup supports hardware-based encryption on select LTO and T10000 tape drive formats.
The LTO and T10000 interface to hardware encryption is implemented through the SCSI specification for hardware encryption. Other vendors offer similar hardware, and their products are certified for use with Oracle Secure Backup as they are tested and approved by Oracle. Information about every tape device supported by Oracle Secure Backup is available at the following URL:
Hardware-based encryption brings no changes to the existing Oracle Secure Backup encryption model. All that is required for hardware-based encryption, other than the selected tape drive hardware, is that encryption be turned on at the policy, host, or backup job level within Oracle Secure Backup. All encryption decisions, policies, key management, and settings regarding hardware-based encryption are identical with those for software-based encryption.
You select hardware-based encryption either by selecting the tape drive for a backup or by having nothing but the select tape drives in your Oracle Secure Backup administrative domain. Oracle Secure Backup turns on the encryption feature within the tape drive with SCSI commands and sends the encryption key to the tape drive. Encryption is performed by the LTO and T10000 drive formats in hardware instead of in software by Oracle Secure Backup. If a drive that supports hardware encryption is not found, or if there is no compatible tape in the drive, then the existing Oracle Secure Backup software encryption model is used.
If a drive that supports hardware encryption contains a compatible tape but needs an additional compatible tape to complete a backup, then Oracle Secure Backup looks for an additional LTO or T10000 tape. If it finds one, it mounts the supporting tape and continues with the backup. If Oracle Secure Backup cannot mount an additional compatible tape, then the job state shows as
Running and input is required by the backup operator.
It is not possible to back up using hardware-based encryption and then restore using software-based encryption. Nor is it possible to back up using software-based encryption and then restore using hardware-base encryption.
You can disable hardware-based encryption on transient backups with the
--disablehardwareencryption option of the
backup command.This option forces Oracle Secure Backup to use software-based encryption for the backup.
You can also disable hardware encryption by setting the
enablehardwareencryption backup encryption policy to
In any transcript, log, or report where Oracle Secure Backup shows encryption settings
on/off/forcedoff/rman, hardware-based encryption adds
transient_hardware settings for data that was encrypted by the selected tape drive.
Job transcripts show encryption type and algorithm.
Output of the
--long command includes encryption type.
Following is an example of the output of the
ob> lssection --long Backup section OID: 114 Containing volume: passphrase-mf-000001 Containing volume OID: 119 File: 2 Section: 1 Backup level: 0 Client: storabck34 Encryption: hardware Algorithm: aes256 Created: 2014/02/25.15:30 Size: 1.9 MB
Output of the
--long command shows if a volume can be encrypted in a Tape Attributes field. Possible values are
unknown value persists until a tape is mounted and Oracle Secure Backup can determine if it supports hardware encryption.
--geometry command reports on the availability of hardware encryption.
Oracle Secure Backup supports encryption algorithms AES128, AES192, and AES256 for software-based encryption. In addition to host-based software encryption, Oracle Secure Backup also supports tape drive hardware encryption for compatible tape formats like LTO and T10000 as listed on the Oracle Secure Backup tape drive compatibility device matrix. Oracle Secure Backup automatically chooses the AES256 algorithm while performing tape drive encryption. Oracle Secure Backup encryption key management is identical whether performing host-based software encryption or tape drive encryption.
When a hardware-encrypted backup job completes, the job transcript and all other reports display the AES256 encryption algorithm. The archive section database and the tape header also show that the AES256 algorithm was used for the encryption.
This behavior matters only when you do a hardware-encrypted transient backup and do not store the key. In this situation, you must supply the AES256 algorithm when doing a restore. If the
--store option was used on a hardware-encrypted transient backup, then the algorithm is not needed.
Hardware-based encryption in Oracle Secure Backup is controlled by two backup encryption policies:
By default, Oracle Secure Backup automatically leverages tape drive encryption over host-based encryption. If the policy value is changed to
no, then Oracle Secure Backup does software-based encryption instead of hardware based encryption.
If this policy is set to its default value
no, then Oracle Secure Backup first attempts to mount a tape capable of hardware encryption. If that is not possible, then Oracle Secure Backup falls back to software encryption. If the policy value is changed to
yes, then Oracle Secure Backup puts the job into a pending state until a hardware-encryptable tape is made available.
This policy is ignored if the tape drive is incapable of hardware encryption or cannot identify encryption-capable tapes.
"Enabling Hardware Encryption" for detailed information on the steps to enable hardware encryption.
Suppose the backup administrator is planning to move all home directories from one host to another and does not want to copy files directly between these two hosts. The backup administrator wants instead to back up a dataset worth of data to a tape, restore it to another host, and immediately destroy the tapes or the contents of the tapes after the transfer. The backup administrator does not want to use encryption because of the processing overhead that occurs.
In this special case, the backup administrator can use the
forcedoff command. This command overrides global and client encryption settings and performs an unencrypted backup. Transcripts and all other reports for this job then state that encryption was forcibly disabled for this backup set. There is a similar mechanism available to RMAN backups using the
OB_ENCRYPTION variable from within RMAN.
Oracle Secure Backup Reference for complete syntax and semantics of the
backup command in
By default the initial global and client backup encryption policy settings are
allowed. Encryptions keys are generated automatically with a default AES192 encryption algorithm. If the backup administrator decides that the default configuration is sufficient for the enterprise, then no configuration is required. This section describes the configuration of a more complicated case.
In this more complicated enterprise, there are three classes of hosts that need differing types and amount of encryption:
These clients require encryption only for source code backup operations in a dataset called sourcecode.
This client requires AES256 encryption with a different encryption key each week.
This client requires all data to be encrypted using a passphrase-generated key.
There are no options that must be changed for developer clients. The backup administrator instead updates the backup job for the sourcecode dataset that is used to back up the developer computers. If the backup schedule does not yet exist, then the backup administrator creates a backup schedule with a
mksched --dataset sourcecode --type backup --encryption yes SourceCode
If the backup schedule exists, then the backup administrator uses the
chsched command with the same options specified.
The payroll host requires changes to the default client policies and settings for the encryption algorithm, key regeneration time, and client encryption flags. The backup administrator can make these changes with a
chhost -algorithm aes256 -encryption required -rekeyfrequency 1week Payroll
This ensures that all data from the payroll client is always encrypted to the AES256 algorithm with a different key encryption key each week.
The default encryption is sufficient for the CEO client, but the backup administrator must change the encryption key type to passphrase-generated. This can be done with another
chhost --keytype passphrase TheBoss
You will be prompted to enter the passphrase. Once the initial configuration has been performed there is minimal additional overhead managing backup encryption.
Since the keys are managed in the keystore internal to Oracle Secure Backup the passphrase should not be entered on the command line while restoring a backup. The
restore command would not make any reference to this passphrase and the key management is transparent.
Host based passphrase and transparent encryption do not differ in the way encryption is handled. The only difference is the manner in which the encryption keys were created.
The encryption state is displayed as part of the job transcript during a backup operation for both file-system and RMAN backups.
Oracle Secure Backup enables you to restore encrypted backups on different domains. For example, you encrypt a backup on domain A, you can restore this backup on domain B.
ob> backup --level full --at 2013/09/17.21:00 --priority 10 --privileged --encryption transient --algorithm aes128 --passphrase transient --dataset mydatasets1/test.ds --go Info: backup request 1 (dataset mydatasets1/test.ds) submitted; job id is admin/3.
Data is encrypted at the client level. Each client has its own set of keys. One key is the active key used for encrypting backups. Older keys are used to seamlessly restore older backups that were created with those keys.
Oracle Secure Backup does not encrypt backups of NAS devices. Oracle Secure Backup encryption is performed on the client host where Oracle Secure Backup software has been installed. Because backup software cannot be installed directly on NAS devices, NDMP is used for backup and restore operations.
"About Catalog Import Encryption" for more information about encrypting backup catalog data
To enable backup encryption at the global level, for the entire administrative domain:
The Configure page appears.
The Configure: Defaults and Policies page appears.
The Configure: Defaults and Policies: Backupencryption page appears.
To enable backup encryption at the host level:
The Configure page appears.
The Configure: Hosts page appears.
You can enable encryption at the backup level. The encryption settings at the backup level override the global encryption policy settings.
To enable encryption for transient backups:
"About Transient Backup Encryption" for detailed information on encrypting transient backups
To change the values of hardware encryption policies:
Follow the steps in "Displaying the Oracle Secure Backup Web Tool Home Page".
From the Oracle Secure Backup Home page, click Configure.
The Configure page appears.
In the Advanced section, click Defaults and Policies.
The Configure: Defaults and Policies page appears.
In the Policy column, click backupencryption.
The Configure: Defaults and Policies > backupencryption page appears as shown in Figure 12-1.
Figure 12-1 Encryption Policies
To put backup jobs in a pending state if an encryptable tape is not loaded in the compatible tape drive, select yes in the Require encryptable media list.
The Configure: Defaults and Policies page displays a success message.