11 Archiving Backups to Cloud

This procedure for archive-to-cloud builds on the techniques used for copy-to-tape. The difference is that it sends backups to cloud repositories for longer term storage.

This procedure includes steps for configuring a credential wallet to store TDE master keys, because backups are encrypted before they are archived to a cloud repository. The initial configuration tasks are performed in the Oracle Key Vault to prepare the wallet. RACLI commands were developed to assist configuring the Recovery Appliance for archive-to-cloud and using the wallet. At the end, a job template is created and run for archive-to-cloud.

Note:

When the backups are created as space-efficient backups (using compression and TDE encryption), their restoration requires the Recovery Appliance, because the database communicates with the appliance to process space-efficient backups. As such, these backups cannot be restored directly from the media.

Note:

Best practics for key and wallet management.

• Database must be configured with TDE Encryption/Wallet (File or OKV).
  • CDB and every PDB must have encryption key enabled.
  • RMAN password-based encryption not supported (must use auto-login wallet)
• File based wallet / OKV must be backed up separately. The wallets and keys are not allowed to be stored on the same system as backups
• No keys should ever be removed from the wallet, because virtual fulls may contains blocks from L0/L1s that were taken when different master keys were in effect.