10 Archiving Backups to Cloud

This procedure for archive-to-cloud builds on the techniques used for copy-to-tape. The difference is that it sends backups to cloud repositories for longer-term storage.

This procedure includes steps for configuring a credential wallet to store TDE master keys, because backups are encrypted before they are archived to a cloud repository. The initial configuration tasks are performed in the Oracle Key Vault to prepare the wallet. RACLI commands were developed to assist in configuring the Recovery Appliance for archive-to-cloud and in using the wallet. At the end, a job template is created and run for archive-to-cloud.

Note:

When the backups are created as space-efficient backups (using compression and TDE encryption), their restoration requires the Recovery Appliance, because it has access to the wallet with the respective TDE master keys. As such, these backups cannot be restored directly from the media.

Note:

Best practices for key and wallet management:
  • The database must be configured with TDE encryption and a wallet (file or OKV).
    • The CDB and every PDB must have an encryption key enabled.
    • RMAN password-based encryption is not supported (an auto-login wallet must be used).
  • The file-based wallet or OKV must be backed up separately. The wallets and keys must not be stored on the same system as the backups.
  • No keys should ever be removed from the wallet, because virtual fulls may contain blocks from L0/L1s that were taken when different master keys were in effect.
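
The database-side prerequisites in the list above can be checked with a query like the following. This is an added example, not part of the Oracle procedure. It assumes a multitenant database in united keystore mode, a privileged session connected to CDB$ROOT, and that PDB$SEED is exempt from the key requirement; the `finding` labels are illustrative.

```sql
-- Added example: per-container TDE keystore and master key report.
-- Assumption: run from CDB$ROOT so that the V$ views return rows for every container.
SELECT c.con_id,
       c.name                     AS container,
       w.wrl_type,                -- FILE, OKV, HSM, ...
       w.wallet_type,             -- AUTOLOGIN, LOCAL_AUTOLOGIN, PASSWORD, OKV, ...
       w.status,                  -- OPEN, OPEN_NO_MASTER_KEY, CLOSED, ...
       NVL(k.master_keys, 0)      AS master_keys,
       k.oldest_activation,       -- earliest key still present in the keystore
       CASE
         WHEN w.status IS NULL
           THEN 'FAIL: no keystore configured'
         WHEN w.status <> 'OPEN'
           THEN 'FAIL: keystore not open with an active master key'
         WHEN NVL(k.master_keys, 0) = 0
           THEN 'FAIL: no master key set for this container'
         WHEN w.wallet_type = 'PASSWORD'
           THEN 'FAIL: password keystore only, no auto-login'
         ELSE 'OK'
       END                        AS finding
FROM   v$containers c
       -- Only the primary (or single) keystore is evaluated; with OKV the
       -- secondary row is the local auto-login wallet and holds no master key.
       LEFT JOIN v$encryption_wallet w
              ON w.con_id = c.con_id
             AND w.wallet_order IN ('SINGLE', 'PRIMARY')
       LEFT JOIN (SELECT con_id,
                         COUNT(*)             AS master_keys,
                         MIN(activation_time) AS oldest_activation
                  FROM   v$encryption_keys
                  GROUP  BY con_id) k
              ON k.con_id = c.con_id
WHERE  c.name <> 'PDB$SEED'       -- assumption: the seed PDB carries no key
ORDER  BY c.con_id;
```

A `master_keys` count that drops between runs, or an `oldest_activation` that moves forward, indicates that keys have been removed from the keystore, which the last bullet above prohibits.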