Password-based encryption

SET ENCRYPTION ON IDENTIFIED BY 'oracle' only;
run{
}

Key-based encryption

Create a directory to hold the keystore:

$ mkdir /data/app/db/admin/cydb/wallet

Edit sqlnet.ora to point at the keystore location:

ENCRYPTION_WALLET_LOCATION=
 (SOURCE=
  (METHOD=file)
   (METHOD_DATA=
    (DIRECTORY=/data/app/db/admin/cydb/wallet)))

Note: restart the listener and the instance after this change; otherwise opening the wallet later fails with the following error:
ORA-28354: Encryption wallet, auto login wallet, or HSM is already open

Create the keystore file

$ sqlplus / as sysdba      (the SYSKM administrative privilege also suffices for key management)
SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/data/app/db/admin/cydb/wallet' IDENTIFIED BY mypassword;

Open the keystore

SQL> ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY mypassword;

Generate the master key

SQL> ADMINISTER KEY MANAGEMENT SET KEY 
IDENTIFIED BY mypassword
WITH BACKUP USING 'for_12c';

Besides backing up the keystore at the moment the key is generated, you can also back it up separately later; the backup copy is written to the directory defined above:

SQL> ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE IDENTIFIED BY mypassword;

Open the wallet

ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "mypassword";
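Once the wallet directory is set up as above, a defender will want to confirm that it is locked down and that a keystore backup actually exists. The following shell script is an added example, not part of the original post; it parses the DIRECTORY value out of a sqlnet.ora laid out as above and checks the directory. It assumes the Oracle file names ewallet.p12 (keystore), ewallet_<timestamp>_<tag>.p12 (keystore backups) and cwallet.sso (auto-login wallet).

```shell
#!/bin/sh
# Added example, not from the original post: a defender's sanity check of the
# TDE keystore directory that sqlnet.ora's ENCRYPTION_WALLET_LOCATION names.
# Assumptions: the keystore file is ewallet.p12, keystore backups are named
# ewallet_<timestamp>_<tag>.p12, and an auto-login wallet is cwallet.sso.

# Print the DIRECTORY value of ENCRYPTION_WALLET_LOCATION from a sqlnet.ora.
# The parameter spans several lines, so strip all whitespace first.
wallet_dir_from_sqlnet() {
    tr -d ' \t\r\n' < "$1" \
      | grep -o 'ENCRYPTION_WALLET_LOCATION=.*' \
      | grep -o 'DIRECTORY=[^)]*' \
      | head -n 1 \
      | cut -d= -f2-
}

# Check one wallet directory. Returns the number of failed checks (0 = ok).
check_wallet_dir() {
    dir=$1
    fails=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: wallet directory $dir does not exist"
        return 1
    fi
    # Only the Oracle software owner needs access; group/other bits expose the
    # keystore (and with it every archived master key) to other local users.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    if [ "$mode" != 700 ]; then
        echo "FAIL: $dir has mode $mode, expected 700"
        fails=$((fails + 1))
    fi
    if [ ! -f "$dir/ewallet.p12" ]; then
        echo "FAIL: no keystore (ewallet.p12) in $dir"
        fails=$((fails + 1))
    fi
    # ADMINISTER KEY MANAGEMENT BACKUP KEYSTORE writes its copies here too;
    # without one, losing the keystore makes every key-encrypted backup unusable.
    if ! ls "$dir"/ewallet_*.p12 >/dev/null 2>&1; then
        echo "FAIL: no keystore backup (ewallet_*.p12) in $dir"
        fails=$((fails + 1))
    fi
    # An auto-login wallet opens without a password, so this directory must
    # never be stored together with the encrypted RMAN backup pieces it protects.
    if [ -f "$dir/cwallet.sso" ]; then
        echo "WARN: auto-login wallet cwallet.sso present in $dir"
    fi
    return "$fails"
}
```

Run it as `check_wallet_dir "$(wallet_dir_from_sqlnet $ORACLE_HOME/network/admin/sqlnet.ora)"` on the database host; a non-zero exit status lists exactly which checks failed.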

Backup

RMAN can be configured so that encryption is enabled persistently:

RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON
RMAN> CONFIGURE ENCRYPTION FOR TABLESPACE <tablespace_name> ON

Encryption can also be switched on or off for a single RMAN session with SET ENCRYPTION ON/OFF.
Note: password-based encryption cannot be configured persistently; it can only be enabled with the SET command.

Example of taking an encrypted backup:

SET ENCRYPTION ON;
run {
backup datafile 7;
}

Dual-Mode Encryption

SET ENCRYPTION ON IDENTIFIED BY password     (that is, the same command without the ONLY keyword)

Setting the encryption algorithm

This can be done persistently through RMAN configuration, or for the current session only with the SET command:
RMAN> SET ENCRYPTION ALGORITHM 'algorithm name'

Restoring encrypted backups

Example of restoring a password-encrypted backup:

SET DECRYPTION IDENTIFIED BY 'oracle';
run{
restore and recover ....
}

Example of restoring a key-encrypted backup:

RMAN> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "mypassword";
RMAN> alter database datafile 7 offline;
RMAN> restore datafile 7;     fails with an error because the wallet is closed
RMAN> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "mypassword";
RMAN> restore datafile 7;    succeeds

When restoring encrypted backups, a password-based restore must be given every password that was used, listed together and separated by commas; a key-based restore needs none of this, because Oracle's key management infrastructure archives every master key that has ever been used.
Oracle key management infrastructure archives all previous master keys in the keystore (or wallet), so changing or resetting the current database master key does not affect your ability to restore encrypted backups performed using an older master key. You may reset the database master key at any time, but RMAN will always be able to restore all encrypted backups that were ever created by this database.

-- By 许望 (RHCA, OCM, VCP)
Last modified: 19 October 2019, 10:39 AM