Re: Tde and Rman

From: max scalf <oracle.blog3_at_gmail.com>
Date: Sat, 26 Sep 2015 15:10:21 -0500
Message-ID: <CAKoJ+qB1vVuUp4a7+i0=Wp1CMEivTbhu3ush8ontwMyjKy=RWA_at_mail.gmail.com>



Thanks Jeremy, makes sense on the first question. But for auto login, what if we use the local auto login? Can you still use that at your DR site to restore the database? From what I have been reading, it says if you use local auto login then those files cannot be used. I am confused about the local piece of auto login.

On Saturday, September 26, 2015, Jeremy Schneider < jeremy.schneider_at_ardentperf.com> wrote:

> First, a caveat: I'm taking a stab at answering for version 11.2 which
> uses the terminology "wallet" - but it all changes in 12.1 and there
> are some small differences in earlier versions (e.g. around
> local/auto-login wallets).
>
> I think this is the link you're looking for:
>
> http://www.oracle.com/technetwork/database/security/index-095354.html
>
> The exact process depends on your compression settings, but the
> important point is that TDE-encrypted data will *always* remain
> encrypted in RMAN backups.
>
> Regarding the wallets, it's the main wallet (ewallet.p12) - which is
> password-protected - that counts. You need to somehow back up this file
> (maybe differently than the database backups) and make sure you never
> lose it. Also make sure you never lose the password that unlocks it.
> Some people just keep that one written on a paper in their VP's
> physical safe at the office. That main wallet - ewallet.p12 - is what
> can be used to decrypt the backup at a DR site or anywhere else as
> long as you have the password.
>
> If you create an "auto-login" wallet, then that is stored in a
> different file called cwallet.sso. It doesn't replace the first file
> I mentioned (ewallet.p12), you just leave both files in the directory.
> Oracle tries to use the cwallet.sso to decrypt if possible, and
> otherwise falls back to using the default ewallet.p12 file. The
> cwallet.sso file is useless on any server besides the one where it was
> created and it's not a bad idea to just exclude it from your backups
> entirely. (It can easily be recreated as long as you have the
> ewallet.p12 file.)
>
> This link might be helpful - though I think it's a slight oversight to
> say it's a "good practice" to exclude the main wallet (ewallet.p12)
> from OSB backups without explicitly mentioning that it *needs* to be
> backed up by some other means:
>
>
> https://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#CHDFJEEH
>
> -Jeremy
>
>
> --
> http://about.me/jeremy_schneider
>
>
> On Sat, Sep 26, 2015 at 1:04 PM, max scalf <oracle.blog3_at_gmail.com> wrote:
> > Hello list,
> >
> > This might be an easy question but I am trying to find a solid answer for it.
> > Let's say if I have TDE configured at tablespace level and nothing else and
> > then I start an RMAN backup to disk or tape/nbu without messing around with
> > encryption inside RMAN....will those backup files be encrypted? From the
> > docs I read it says encrypted data/tablespace is unchanged and backed up...so
> > not clear on the unchanged per.
> >
> > One other thing I am confused about is, if I set up auto login local for my
> > TDE wallet, from what I understand is that the master key cannot be copied
> > over to another machine and db restored there will not work? If so how do I
> > restore this db in case of DR?
>

--
http://www.freelists.org/webpage/oracle-l
Received on Sat Sep 26 2015 - 22:10:21 CEST
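
Added example, not part of the original messages: a shell function that follows the advice in the quoted reply by staging only the password-protected ewallet.p12 for a separate off-host backup and leaving cwallet.sso behind. The function name, the timestamped file naming and the directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). stage_wallet_backup is a hypothetical
# helper; WALLET_DIR and DEST_DIR are whatever paths your site uses.
#
# Usage: stage_wallet_backup WALLET_DIR DEST_DIR
# Prints the path of the staged copy on success, returns non-zero on failure.
stage_wallet_backup() {
    src=$1
    dest=$2

    # The thread's point: ewallet.p12 plus its password is what decrypts a
    # restore at a DR site, so refuse to continue if it is missing or empty.
    if [ ! -s "$src/ewallet.p12" ]; then
        echo "ERROR: $src/ewallet.p12 missing or empty" >&2
        return 1
    fi

    # Staging area readable by the owner only.
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1

    stamp=$(date +%Y%m%d%H%M%S)
    target="$dest/ewallet.p12.$stamp"
    ( umask 077; cp "$src/ewallet.p12" "$target" ) || return 1

    # Verify the copy byte for byte before trusting it as the backup.
    if ! cmp -s "$src/ewallet.p12" "$target"; then
        echo "ERROR: staged copy differs from source" >&2
        rm -f "$target"
        return 1
    fi

    # The auto-login wallet is deliberately not copied: per the reply above
    # it can be recreated from ewallet.p12.
    if [ -e "$src/cwallet.sso" ]; then
        echo "NOTE: not copying $src/cwallet.sso (auto-login wallet)" >&2
    fi

    echo "$target"
}

# Run directly when called with two arguments.
if [ "$#" -eq 2 ]; then
    stage_wallet_backup "$1" "$2"
fi
```

The wallet password is not handled here and still has to be stored separately from the staged file.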
