Re: Tde and Rman

From: Jeremy Schneider <jeremy.schneider_at_ardentperf.com>
Date: Tue, 29 Sep 2015 07:32:31 -0400
Message-ID: <CA+fnDAYHvH=RvLr9q-C1B+RGmmH=c22L+me0S4DvRj4m6_UtjQ_at_mail.gmail.com>



hey max - just spent a few seconds refreshing my memory and i wanted to briefly circle back on this thread

first off, two recent oracle-l threads related to this topic might be worth reading:
http://www.freelists.org/post/oracle-l/Autostarting-wallet-question,3
https://www.freelists.org/post/oracle-l/Transparent-Data-Encryption,3

there are some important differences between "auto-login" wallets and "local-auto-login" wallets. auto-login wallets have been around for a long time - i see references in the docs as far back as version 8.1.7 [ http://docs.oracle.com/cd/A87860_01/doc/index.htm ]. I don't see mention of *local* auto-login wallets before version 11.2. note that both use the filename "cwallet.sso"... so just by looking at the filename you can't tell if it's local or not on version 11gR2. (brilliant...)

i said in one of those old threads that i'd be hesitant to use the old "auto-login" wallet. lots of people do use them - you just need to be aware that the cwallet file *can* be copied to any server and used to decrypt data - with no password - so be very careful with them! under no circumstances should they be backed up with your data!

local wallets cannot be copied to another server, although Oracle of course hasn't published the algorithms they use to identify the local machine or obfuscate the keys - and some very security-minded folks still prefer to avoid these.

On Sun, Sep 27, 2015 at 9:40 AM, max scalf <oracle.blog3_at_gmail.com> wrote:
> So if i understand you correctly (for 11g) that as long as we replicate our
> ewallet.p12 file on the DR server and create/generate a local wallet we
> should be good to go for the restore on DR side.

yes that's correct

> So i am guessing the same rule applies, don't backup your database and the
> ewallet.p12 key to same location (especially not the cwallet.sso file, better
> off not backing this file up as it's useless elsewhere).

exactly right - and be careful since cwallet.sso is *not* useless elsewhere if it was created with the non-local option on 11gR2 or any previous version!

-Jeremy

--
http://about.me/jeremy_schneider
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Sep 29 2015 - 13:32:31 CEST
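
Added example, not part of the original message or of any Oracle tooling: one way to check the rule discussed above, that wallet files are not stored in the same location as database backups. The file names cwallet.sso and ewallet.p12 come from the thread; the function name, severity labels, exit codes and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag Oracle wallet files stored under a backup destination.
# Function name, severity labels and exit codes are assumptions of this example.

# audit_backup_dir DIR
#   prints one line per wallet file found under DIR
#   returns 0 = none found, 1 = only ewallet.p12, 2 = cwallet.sso present,
#           3 = DIR is not a directory
audit_backup_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "ERROR not a directory: $dir" >&2
        return 3
    fi
    found=$(find "$dir" -type f \( -name cwallet.sso -o -name ewallet.p12 \) | sort)
    while IFS= read -r f; do
        case ${f##*/} in
            cwallet.sso)
                # Local and non-local auto-login wallets share this file name,
                # so every copy is treated as usable without a password.
                echo "HIGH auto-login wallet in backup path: $f"
                rc=2 ;;
            ewallet.p12)
                echo "WARN password-protected wallet in backup path: $f"
                if [ "$rc" -lt 1 ]; then rc=1; fi ;;
        esac
    done <<EOF
$found
EOF
    return "$rc"
}

# Constructed sample tree (empty placeholder files, not real wallets or backups).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/rman/wallet_copy"
    : > "$d/rman/db_piece_1.bkp"
    : > "$d/rman/wallet_copy/cwallet.sso"
    : > "$d/rman/wallet_copy/ewallet.p12"
    audit_backup_dir "$d" || echo "audit exit status: $?"
    rm -rf "$d"
}
demo
```

A non-zero return can be used to fail a scheduled backup job before the backup set leaves the server.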
