Re: Transparent Data Encryption

From: Jeremy Schneider <jeremy.schneider_at_ardentperf.com>
Date: Thu, 12 Mar 2015 15:31:45 -0500
Message-ID: <CA+fnDAYeRW15=V48rCVfqb267bsuS5Kn_eLBKXtva5=xbPJCww_at_mail.gmail.com>

On Thu, Mar 12, 2015 at 10:05 AM, Charles Schultz <sacrophyte_at_gmail.com> wrote:
> I am very confused why RMAN does not back up the wallet if the wallet is
> critical to the operation of the database.

One very important practice, and the key sentence in the quote you cited:

"The Oracle wallet should not be backed up with the encrypted data. The wallet should be backed up separately. This is especially true when using the auto login wallet, which does not require a password to open. In case the backup tape gets lost, a malicious user should not be able to get both the encrypted data and the wallet."

http://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#ASOAG9546

> Database cloning is an issue as well, as we typically do several a week. I
> have to read up, but my gut says we can use a copy of the wallet/master key.
> I might be totally wrong, but I will find out later today when I test it. :)

Yes, you can copy the key. I have created Data Guard copies of DBs with wallets within the past few weeks and verified that you just copy the wallet over to the standby and it can open the data; the same would apply to an outright clone. Just don't try to move an individual tablespace (a la TTS)... that becomes fun very quickly :)

> On Thu, Mar 12, 2015 at 9:50 AM, David Mann <dmann99_at_gmail.com> wrote:

>> Without
>> Key Vault are folks just doing these steps manually or is there a good basic
>> level of automation I should be striving for?

Key Vault and other similar competing products are definitely nice - but I've also seen scripted management frameworks that automate wallet backups. Just remember it needs to be a different destination than the DB backups themselves, and you'd better be very careful with redundancy and scripting logic... those wallets are *VERY* important and you must not lose them no matter what!!

I don't know, but I bet some backup software solutions could also specify different media for db backups vs the wallet backups. Of course the tapes might be right next to each other so there's a risk of them being stolen together, but it might be good enough in some cases...

-J

--
http://about.me/jeremy_schneider
Received on Thu Mar 12 2015 - 21:31:45 CET
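One way to script the separate-destination wallet backup the message describes, written here as an added example rather than code from the thread or from Oracle: it refuses to run if the wallet destination overlaps the RMAN backup area, copies the wallet files into a timestamped directory, and verifies each copy by checksum. The file names ewallet.p12 and cwallet.sso are the standard Oracle wallet names; every path below is an assumption.

```shell
#!/bin/sh
# Added example: back up an Oracle TDE wallet to a location that is kept
# apart from the RMAN backup destination, and verify the copies.

# path_within PATH DIR: returns 0 if PATH is DIR or lies underneath it.
path_within() {
  d=${2%/}
  case "${1%/}/" in
    "$d"/*) return 0 ;;
    *)      return 1 ;;
  esac
}

# backup_wallet WALLET_DIR WALLET_DEST RMAN_DEST
# Copies ewallet.p12 / cwallet.sso into WALLET_DEST/<timestamp>/ and prints
# that directory. Exits 2 if WALLET_DEST and RMAN_DEST overlap, 1 on any
# copy or verification failure.
backup_wallet() {
  wallet_dir=$1; wallet_dest=$2; rman_dest=$3
  if path_within "$wallet_dest" "$rman_dest" || path_within "$rman_dest" "$wallet_dest"; then
    echo "refusing: wallet destination overlaps RMAN destination" >&2
    return 2
  fi
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  target="$wallet_dest/$stamp"
  mkdir -p "$target" || return 1
  copied=0
  for f in ewallet.p12 cwallet.sso; do
    [ -f "$wallet_dir/$f" ] || continue          # auto-login wallet is optional
    cp -p "$wallet_dir/$f" "$target/$f" || return 1
    src=$(cksum < "$wallet_dir/$f"); dst=$(cksum < "$target/$f")
    [ "$src" = "$dst" ] || { echo "checksum mismatch for $f" >&2; return 1; }
    copied=$((copied + 1))
  done
  [ "$copied" -gt 0 ] || { echo "no wallet files found in $wallet_dir" >&2; return 1; }
  echo "$target"
}

# Usage (assumed paths):
#   backup_wallet /u01/app/oracle/admin/ORCL/wallet /backup/wallets /backup/rman
```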
