April 2005 Ameratrade loses a backup tape containing information on 200,000 customers.
February 2005 Bank of America loses backup tapes containing information on 1.2 million charge cards.
September 2011, SAIC loses backup tapes of 4.9 Million members of the military who sought medical treatment in the San Antonio area. The data contained name, social security numbers, phone numbers and medical information. This data was not encrypted.
SAIC made the following statement: “Retrieving data on the tapes, which were stolen from a company employee’s car is not likely to happen because doing so requires knowledge of and access to specific hardware and software and knowledge of the system and data structures.” Excuse me if this does not make me feel better. I can get on eBay to get the hardware needed and download the software from any number of vendors to do the restore. Yes if the backup was done from Oracle or DB2 or MS SQL Server then you would need the software from the vendor. What if this theft was targeted and the thief knew what they were after?
I can go on and on about backup tapes that are lost out of the back seat of an employees’ car. And to be honest; I have transported tapes in my car too. However; when I reflect on transporting critical information in my car, I now get the hebegebes. Now we use a bonded courier to transport backup tapes.
Backup tapes are also being shipped to someplace like Iron Mountain. But lets face it, the people who are handling your backup tapes are low paid employees who could be influenced to look the other way. If someone really wants your backup tapes there is a way for someone to get your backup tape.
What are the options for encrypting backups.
- Use rman encryption.
- Encrypt the backup files on the OS.
For option 1, using rman to encrypt. There are a few options you can use a password to encrypt the backup or you can use a wallet to encrypt the backup.
If the backup is being sent offsite, using a password to encrypt the backup may be your better option.
If the backup is being sent to a Disaster Recovery site to build a standby database, using the wallet may be the better option.
Right now we are addressing sending a backup offsite so lets walk through the process of building an encrypted backup using a password.
First find out what encryption algorithms are supported.
SQL> select ALGORITHM_NAME, ALGORITHM_DESCRIPTION
2 from V$RMAN_ENCRYPTION_ALGORITHMS;
ALGORITHM_ ALGORITHM_DESCRIPTION
———- —————————————————————-
AES128 AES 128-bit key
AES192 AES 192-bit key
AES256 AES 256-bit key
SQL>
Of the algorithms that are available, AES256 is the strongest one available. So we are going to select AES256 for our encryption.
RMAN> set encryption algorithm ‘aes256’ identified by A_Passphrase_that_you_select;
executing command: SET encryption
using target database control file instead of recovery catalog
Using “set encryption algorithm’ command we did two things. One we set the algorithm that will be used for the backup and we set the passphrase that we need to decrypt the backup.
Next we are going to run the backup like we would normally do.
RMAN> backup as compressed backupset database format ‘/home/oracle/backup/encrypted_with_password%u%d.backup’;
Starting backup at 02-AUG-12
using channel ORA_DISK_1
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00003 name=/opt/oracle/oradata/orcl/sysaux01.dbf
input datafile file number=00001 name=/opt/oracle/oradata/orcl/system01.dbf
input datafile file number=00002 name=/opt/oracle/oradata/orcl/example01.dbf
input datafile file number=00004 name=/opt/oracle/oradata/orcl/undotbs01.dbf
input datafile file number=00006 name=/opt/oracle/oradata/orcl/users01.dbf
channel ORA_DISK_1: starting piece 1 at 02-AUG-12
channel ORA_DISK_1: finished piece 1 at 02-AUG-12
piece handle=/home/oracle/backup/encrypted_with_password0dnhl9n6ORCL.backup tag=TAG20120802T170333 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:02:35
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current control file in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 02-AUG-12
channel ORA_DISK_1: finished piece 1 at 02-AUG-12
piece handle=/home/oracle/backup/encrypted_with_password0enhl9s1ORCL.backup tag=TAG20120802T170333 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 02-AUG-12
RMAN>
How do we decrypt the backup when we need to restore. It’s that simple.
RMAN> set decryption identified by A_Passphrase_that_you_select;
executing command: SET decryption
using target database control file instead of recovery catalog
RMAN> restore database;
Starting restore at 02-AUG-12
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=20 device type=DISK
skipping datafile 1; already restored to file /opt/oracle/oradata/orcl/system01.dbf
skipping datafile 2; already restored to file /opt/oracle/oradata/orcl/example01.dbf
skipping datafile 3; already restored to file /opt/oracle/oradata/orcl/sysaux01.dbf
skipping datafile 4; already restored to file /opt/oracle/oradata/orcl/undotbs01.dbf
skipping datafile 6; already restored to file /opt/oracle/oradata/orcl/users01.dbf
restore not done; all files read only, offline, or already restored
Finished restore at 02-AUG-12
RMAN>
Okay, I did not need to restore the database, but it’s good to know that this works.
Now you don’t have an excuse not encrypt your backups.