11 Encrypting Backups

Backups can be encrypted as an option from the normal SBT job templates.

The Recovery Appliance performs block level manipulation and needs to read block headers. However, when generating a backup, the Oracle Database (RDBMS) compresses and encrypts a range of blocks including the block headers. These encryption keys are accessible on the protected database.

Thus, the behavior for generating incremental backup files has been modified. Using the same wallet or key store that the protected database uses, the TDE data files are decrypted, then just the data portion of each block is compressed and then re-encrypted.

Do not purge keys, because old blocks needed in a restore might require old TDE keys. This is particularly important to consider for backups that are put on external storage.

Assuming no external storage, a new level 0 backup can mean a fresh start with respect to keys. However wait until old backups expire and are purged before pruning old keys from the wallet. Periodic Level 0 backups can be automated to keep the number of keys from growing.

Turning on Encrypted Backups

The RMAN command to turn on encrypted backups is of the form:

CONFIGURE CHANNEL DEVICE TYPE SBT PARMS "SBT_LIBRARY=/.../rdbms/lib/libra.so, 
ENV=(RA_FORMAT=true, RA_WALLET='location=file:/.../orswlt credential_alias=myra')" ;

Once this is established, you can specify the desired encryption algorithm when performing a normal backup with your SBT job.

Compression defaults to LZO compression. If specified on the RMAN command line, it must be BASIC.

Note:

Controlfile cannot be in the same piece as incremental datafile.

The new TDE keys, however, become needed to restore older backups.

When starting with encrypted backups, a new Level 0 backup is not required. Also, re-key does not require a new Level 0.