Configuring Space-Efficient Encrypted Backups

With RA 23.1, space-efficient encrypted backups are supported. This allows incremental backups to be compressed and encrypted before they are sent to the Recovery Appliance. Virtual full backups are created on the Recovery Appliance in this new format and can be restored by RMAN. This feature supports both TDE and non-TDE databases.

Note:

Space-efficient encrypted backups are only supported on databases running on Linux platforms.

Space-efficient encrypted virtual full backups that are copied or archived to cloud/tape are only supported for RMAN restore through the Recovery Appliance. These backups cannot be restored directly to databases with RMAN.

Space-efficient encrypted backups are supported for data files, not real-time redo or archived redo log backups. To encrypt real-time redo to the Recovery Appliance, the log archive destination must be configured as ENCRYPTION=ENABLE, such as LOG_ARCHIVE_DEST_3='SERVICE=denver ENCRYPTION=ENABLE'.

It is recommended to use Oracle Key Vault for storing and managing database keys, because these are required for backup, restore, and recovery operations. This also allows the keys to be stored and managed separately outside the database for security purposes.

The LIBRA.SO module supports both the space-efficient encrypted option (RA 23.1) and the legacy mode (RA 21.1). In both modes, the external password store is created in the same way, but the RMAN SBT channel is then configured differently.

The RMAN command to enable space-efficient encrypted backups is of the form:

CONFIGURE CHANNEL DEVICE TYPE SBT PARMS "SBT_LIBRARY=/.../rdbms/lib/libra.so, 
ENV=(RA_FORMAT=true, RA_WALLET='location=file:/.../orswlt credential_alias=myra')" ;

Once this is established, you can specify the desired encryption algorithm when performing a normal backup with your SBT job.

Compression defaults to LZO compression. If specified on the RMAN command line, it must be BASIC.
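The two settings that decide whether plaintext reaches the appliance are the SBT channel PARMS (RA_FORMAT=true plus a wallet with a credential_alias) and, for real-time redo, ENCRYPTION=ENABLE on the LOG_ARCHIVE_DEST_n destination. The following Python script is an added example, not code from the Oracle documentation or the Recovery Appliance: it parses those two strings and reports which required settings are missing. The parsing rules are assumptions drawn only from the string shapes shown on this page, and the sample PARMS and destination strings are constructed for illustration (hosts, paths and aliases are placeholders).

```python
"""Check an RMAN SBT channel PARMS string and a LOG_ARCHIVE_DEST_n value for the
encryption settings this page requires. Added example; parsing rules are assumptions
based on the string shapes shown on the page, and all sample strings are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class ChannelCheck:
    sbt_library: str | None = None
    env: dict[str, str] = field(default_factory=dict)
    wallet: dict[str, str] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_sbt_parms(parms: str) -> ChannelCheck:
    """Parse the PARMS value of CONFIGURE/ALLOCATE CHANNEL ... DEVICE TYPE SBT.

    Expected shape (as on this page):
      SBT_LIBRARY=/path/libra.so, ENV=(RA_FORMAT=true,
        RA_WALLET=location=file:/wallet_dir credential_alias=alias)
    """
    check = ChannelCheck()
    text = " ".join(parms.split())  # collapse line breaks and indentation

    m = re.search(r"SBT_LIBRARY=([^,\s]+)", text)
    if m:
        check.sbt_library = m.group(1)
        if not check.sbt_library.endswith("libra.so"):
            check.problems.append("SBT_LIBRARY does not point at libra.so")
    else:
        check.problems.append("SBT_LIBRARY missing")

    m = re.search(r"ENV=\((.*)\)", text)
    if not m:
        check.problems.append("ENV=(...) missing")
        return check

    # ENV entries are comma separated; the RA_WALLET value has spaces but no commas.
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition("=")
        check.env[key.strip().upper()] = value.strip().strip("'\"")

    if check.env.get("RA_FORMAT", "").lower() != "true":
        check.problems.append("RA_FORMAT=true missing: channel uses the legacy backup format")

    # RA_WALLET is itself "location=file:/dir credential_alias=alias", space separated.
    for token in check.env.get("RA_WALLET", "").split():
        key, _, value = token.partition("=")
        check.wallet[key.lower()] = value
    if not check.wallet.get("location", "").startswith("file:"):
        check.problems.append("RA_WALLET location=file:... missing")
    if "credential_alias" not in check.wallet:
        check.problems.append("RA_WALLET credential_alias missing (a lost space before "
                              "credential_alias folds it into the location path)")
    return check


def check_log_archive_dest(value: str) -> list[str]:
    """Return the reasons a LOG_ARCHIVE_DEST_n value would ship unencrypted redo."""
    # Drop whitespace inside parentheses, e.g. VALID_FOR=(ALL_LOGFILES, ALL_ROLES),
    # so that each remaining whitespace-separated token is one attribute.
    flat = re.sub(r"\s+(?=[^()]*\))", "", value.strip().strip("'"))
    attrs = {}
    for token in flat.split():
        key, _, val = token.partition("=")
        attrs[key.upper()] = val.upper()
    problems = []
    if "SERVICE" not in attrs:
        problems.append("SERVICE= missing: not a remote destination")
    if attrs.get("ENCRYPTION") != "ENABLE":
        problems.append("ENCRYPTION=ENABLE missing: redo leaves the database in clear "
                        "(rejected with ORA-64869 when the policy has SECURE_MODE=YES)")
    return problems


# Constructed samples (placeholder hosts, paths and aliases).
GOOD_PARMS = """SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,
ENV=(RA_FORMAT=true,
RA_WALLET=location=file:/u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/zdlra credential_alias=ra-scan:1521/zdlra5:dedicated)"""
# Same channel with the space before credential_alias lost (a copy/paste slip).
SQUASHED_PARMS = GOOD_PARMS.replace("zdlra credential_alias", "zdlracredential_alias")
# Legacy-mode channel: wallet present, no RA_FORMAT.
LEGACY_PARMS = ("SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so, "
                "ENV=(RA_WALLET='location=file:/u01/app/oracle/wallet credential_alias=myra')")
GOOD_LAD = "SERVICE=boston VALID_FOR=(ALL_LOGFILES, ALL_ROLES) ASYNC DB_UNIQUE_NAME=zdlra2 encryption=enable"
PLAIN_LAD = "SERVICE=boston VALID_FOR=(ALL_LOGFILES, ALL_ROLES) ASYNC DB_UNIQUE_NAME=zdlra2"

if __name__ == "__main__":
    for name, parms in (("good", GOOD_PARMS), ("squashed", SQUASHED_PARMS), ("legacy", LEGACY_PARMS)):
        result = parse_sbt_parms(parms)
        print(f"channel {name}: {'OK' if result.ok else result.problems}")
    for name, lad in (("good", GOOD_LAD), ("plain", PLAIN_LAD)):
        print(f"redo destination {name}: {check_log_archive_dest(lad) or 'OK'}")
```

The squashed sample reproduces a common transcription error in the channel string: when the space between the wallet directory and credential_alias is lost, the whole remainder is read as part of the location path and no alias is found, which the check reports rather than silently accepting.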

Note:

A control file backup cannot be in the same backup piece as an incremental data file backup.

The new TDE keys, however, are needed to restore older backups.

When switching to encrypted backups, a new Level 0 backup is not required. A re-key also does not require a new Level 0.

This information applies to RA 23.1 and later.

  1. Create a secure external password store (mkstore). The following command creates an Oracle wallet that stores the credentials of the Recovery Appliance user named ravpc1:

    $ mkstore                         \
      -wrl $ORACLE_HOME/oracle/wallet \
      -createALO                      \
      -createCredential zdlra01ingest-scan.acme.com:1521/zdlra01:dedicated ravpc1
    

    Refer to: Creating an Oracle Wallet on the Protected Database

  2. An RMAN SBT channel is configured with the SBT_LIBRARY parameter pointing to the Recovery Appliance backup module. The complete path of the shared library libra.so is specified. The RA_WALLET parameter represents the location of the Oracle wallet that stores the credentials used to authenticate this protected database with the Recovery Appliance. ra-scan is the SCAN of the Recovery Appliance and zdlra5 is the service name of the Recovery Appliance metadata database.

    CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' 
    PARMS 'SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,
    ENV=(RA_FORMAT=true,
    RA_WALLET=location=file:/u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/zdlra credential_alias=ra-scan:1521/zdlra5:dedicated)' 
    FORMAT '%U_%d';
  3. In addition to this, RMAN compression and RMAN encryption need to be configured. This can be done either one time or as part of each backup job.

    configure compression algorithm  'low';
    set encryption on;
    configure device type 'sbt_tape' backup type to compressed backupset;
  4. An RMAN SBT channel is allocated with the SBT_LIBRARY parameter specifying the complete path of the Recovery Appliance backup module. The ENV setting is used to specify the configuration parameters used by the Recovery Appliance backup module. ra-scan is the SCAN of the Recovery Appliance and zdlra5 is the service name of the Recovery Appliance metadata database.

    set echo on
    configure compression algorithm 'low';
    set encryption on;
    configure device type 'sbt_tape' backup type to compressed backupset;
    RUN{ALLOCATE CHANNEL c1 DEVICE TYPE sbt_tape 
    PARMS='SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,
    ENV=(RA_FORMAT=true, 
    RA_WALLET=location=file:/u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/zdlra credential_alias=ra-scan:1521/zdlra5:dedicated)' 
    FORMAT '%U_%d';
    BACKUP INCREMENTAL LEVEL 1 FILESPERSET 1 SECTION SIZE 64G DATABASE PLUS ARCHIVELOG NOT BACKED UP FILESPERSET 8;}
  5. The above is performed by the protected database, and the Recovery Appliance administrator does not need to know this is happening. However, the Recovery Appliance administrator can prevent unencrypted data from being sent to the appliance. This is achieved by calling CREATE_PROTECTION_POLICY or UPDATE_PROTECTION_POLICY with the parameter SECURE_MODE set to YES.

    SQL> exec dbms_ra.update_protection_policy(
    protection_policy_name => 'GOLD', 
    secure_mode => 'YES');
  6. After this configuration, if an attempt is made to run an unencrypted (legacy) backup, an error message occurs similar to:

    RMAN-00571: ===========================================================
    RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
    RMAN-00571: ===========================================================
    RMAN-03009: failure of backup command on channel_29 channel at 01/19/2023 10:27:06
    ORA-27192: skgfcls: sbtclose2 returned error - failed to close file
    ORA-19511: non RMAN, but media manager or vendor specific failure, error text:
    KBHS-01404: See trace file /u01/app/oracle/diag/rdbms/<dbuniquename>/<sid>/trace/sbtio_204486_140658931245376.log for details
    KBHS-00719: Error 'recovery appliance Error'; ORA-64868: Only RMAN encrypted backups are supported on this Recovery Appliance.
    KBHS-00700: HTTP
  7. Additionally, if real-time redo is enabled, then the LAD (LOG_ARCHIVE_DEST_n) parameter for the Recovery Appliance destination needs to include ENCRYPTION=ENABLE.

    ALTER SYSTEM SET LOG_ARCHIVE_DEST_3='SERVICE=boston 
    VALID_FOR=(ALL_LOGFILES, ALL_ROLES) 
    ASYNC DB_UNIQUE_NAME=zdlra2 encryption=enable' SCOPE=BOTH;

    Without this, the Recovery Appliance administrator sees a message similar to:

    2023-01-19T18:25:41.933868+00:00
    Recovery Appliance failure on ospid: 221805; 
    Errors: ORA-64869: Unencrypted redo is not allowed for database <dbname>.
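Once SECURE_MODE is set to YES, the two rejection codes shown in steps 6 and 7 (ORA-64868 for an unencrypted backup, ORA-64869 for unencrypted redo) are the signal that a protected database is still configured in legacy mode. The following Python script is an added example, not Oracle's code: it scans RMAN output and Recovery Appliance log lines for those codes, attaches the nearest preceding timestamp and, for redo, the database name, and counts rejections per database so a repeat offender stands out. The sample lines are constructed from the messages on this page; the database names proddb and hrdb and all but the first timestamp are placeholders.

```python
"""Detect Recovery Appliance plaintext rejections (ORA-64868 / ORA-64869) in RMAN output
and appliance log lines. Added example; sample lines below are constructed from the
messages on this page with placeholder database names."""
import re
from collections import Counter

# Codes the appliance raises under SECURE_MODE=YES (both appear on this page).
PLAINTEXT_REJECTIONS = {
    "ORA-64868": "unencrypted backup rejected",
    "ORA-64869": "unencrypted redo rejected",
}
# Appliance log timestamp line, e.g. 2023-01-19T18:25:41.933868+00:00
ALERT_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{2}:\d{2})")
# RMAN-03009 carries its own timestamp: "... channel at 01/19/2023 10:27:06"
RMAN_TS_RE = re.compile(r"channel at (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
# Only the redo rejection names the sending database.
REDO_DB_RE = re.compile(r"ORA-64869: Unencrypted redo is not allowed for database (\S+?)\.?\s*$")


def scan_for_plaintext_rejections(lines):
    """Return one finding per rejection line, tagged with the last timestamp seen."""
    findings = []
    last_ts = None
    for lineno, line in enumerate(lines, 1):
        m = ALERT_TS_RE.match(line) or RMAN_TS_RE.search(line)
        if m:
            last_ts = m.group(1)
        for code, meaning in PLAINTEXT_REJECTIONS.items():
            if code not in line:
                continue
            db = REDO_DB_RE.search(line)
            findings.append({
                "line": lineno,
                "code": code,
                "meaning": meaning,
                "database": db.group(1) if db else None,
                "when": last_ts,
            })
    return findings


def summarize(findings):
    """Count rejections per (code, database) so repeat senders of plaintext stand out."""
    return Counter((f["code"], f["database"]) for f in findings)


# Constructed sample: the RMAN stack from this page followed by appliance-side lines.
SAMPLE_LINES = [
    "RMAN-03009: failure of backup command on channel_29 channel at 01/19/2023 10:27:06",
    "ORA-27192: skgfcls: sbtclose2 returned error - failed to close file",
    "KBHS-00719: Error 'recovery appliance Error'; ORA-64868: Only RMAN encrypted backups "
    "are supported on this Recovery Appliance.",
    "2023-01-19T18:25:41.933868+00:00",
    "Recovery Appliance failure on ospid: 221805;",
    "Errors: ORA-64869: Unencrypted redo is not allowed for database proddb.",
    "2023-01-19T18:31:07.102201+00:00",
    "Recovery Appliance failure on ospid: 221805;",
    "Errors: ORA-64869: Unencrypted redo is not allowed for database proddb.",
    "2023-01-19T18:40:12.558734+00:00",
    "Recovery Appliance failure on ospid: 221805;",
    "Errors: ORA-64869: Unencrypted redo is not allowed for database hrdb.",
]

if __name__ == "__main__":
    found = scan_for_plaintext_rejections(SAMPLE_LINES)
    for f in found:
        print(f"line {f['line']}: {f['code']} {f['meaning']} "
              f"db={f['database'] or '?'} at {f['when']}")
    for (code, db), n in summarize(found).most_common():
        print(f"{code} {db or '(backup, no db name in message)'}: {n}")
```

The backup rejection carries no database name in its message text, so for ORA-64868 the finding records only the RMAN timestamp; on the appliance side the redo rejection does name the database, which is what the per-database count relies on.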