Re: Alternatives to RMAN cleartext password in batch file for backups?

From: Nuno Souto <>
Date: Mon, 25 Apr 2011 15:09:42 +1000

(heavily snipped to protect my sanity)

You know what rattles me with this problem? I've been hearing variations of it for decades now. First with ufi/sql+, then with just about anything CLI-driven. And Oracle still hasn't listened or provided a workable solution besides "purchase yet another extra option"...
The solution is simple but no one seems to be listening. As usual.

Nuno Souto
in sunny Sydney, Australia

Mark W. Farnham wrote, on my timestamp of 25/04/2011 4:30 AM:

> Or you can echo the password in as the start of a pipeline.
>
> -----Original Message-----
> From: []
> On Behalf Of D'Hooge Freek
> Sent: Sunday, April 24, 2011 2:21 PM
> Subject: RE: Alternatives to RMAN cleartext password in batch file for
> backups?
>
> Alan,
> I think that if you start rman with the password on the command line like
> below, the password will be visible via the process list (ps or pargs).
> To avoid this, you should modify the script so that the connection to the
> database or repository is done in the rman script itself.
> I have not had the chance to test it, so I reserve the right to be mistaken.
>
> Sent: zondag 24 april 2011 17:52
> Subject: Re: Alternatives to RMAN cleartext password in batch file for
> backups?
>
> Well, you must use a decryptable encryption for this to work, but you could
> always call RMAN like this:
>
> #!/bin/bash
> CATALOG_PASSWORD=`decrypt_command encrypted_password_file`
> rman target / catalog catalog_user/${CATALOG_PASSWORD}@SID script ...
>
> Where the decrypt_command is a command that returns a cleartext password
> from the 'encrypted_password_file'. It's not the best solution as anyone
> with execute permissions on decrypt_command and/or read permissions on
> encrypted_password_file would be able to access the cleartext password. But
> then again, in several cases security guidelines are not about security, but
> about compliance.
>
> On Sun, Apr 24, 2011 at 12:27 AM, Thomas Roach <> wrote:
> Why don't you encrypt your shell script?
>
> set oracle_sid=mydatadb
> rman target / catalog mycatusr/mycatpwd@mycatdb script Daily_Backup >> backup.log
>
> My organization requires the catalog password (mycatpwd) above to be
> encrypted and not stored as clear text in any other file or environment
> variable. How can I still use this batch file for scheduled backups without
> providing a clear text password?
> The only option I can think of is to compile the commands into a binary
> executable. Any other ideas besides that?
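
An added example, not part of the thread or written by any of its participants: it compares the two invocation styles discussed above, password in the rman arguments versus a connect sent on standard input, and checks which one exposes the password in the process list. Assumptions: rman is replaced by a stand-in shell process so the check runs anywhere, the password is a constructed sample, and mycatusr/mycatdb/Daily_Backup are the names from the original question.

```shell
#!/bin/sh
# Added example. SECRET is a constructed sample value, not a real credential.
SECRET='Constructed_Pw_123'
# Stand-in for rman (assumption: rman itself is not installed here). It drains
# stdin and then idles; the trailing ':' keeps the shell, and its argv, alive.
STAND_IN='cat >/dev/null; sleep 3; :'

# Print a PID's argument vector the way any local user can read it.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# secret_visible argv|stdin: start the stand-in with the credential passed the
# given way; return 0 if the password shows up in its argument list.
secret_visible() {
    if [ "$1" = argv ]; then
        # Pattern from the thread: rman target / catalog user/pw@db script ...
        sh -c "$STAND_IN" rman_stand_in target / catalog \
            "mycatusr/${SECRET}@mycatdb" </dev/null &
    else
        # Connect inside the command stream; with real rman this would be:
        #   rman target / <<EOF
        #   connect catalog mycatusr/<password>@mycatdb
        #   run { execute script Daily_Backup; }
        #   EOF
        printf 'connect catalog mycatusr/%s@mycatdb\n' "$SECRET" |
            sh -c "$STAND_IN" rman_stand_in target / &
    fi
    pid=$!
    seen='' tries=0
    # Wait until the child has exec'd, then capture its argv.
    while [ "$tries" -lt 30 ]; do
        seen=$(cmdline_of "$pid" 2>/dev/null) || :
        case $seen in *rman_stand_in*) break ;; esac
        sleep 0.1
        tries=$((tries + 1))
    done
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    case $seen in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

for mode in argv stdin; do
    if secret_visible "$mode"; then echo "$mode: password visible in process list"
    else echo "$mode: password not in process list"; fi
done
```

printf is a shell builtin in bash and dash, so the feeding side of the pipeline creates no process with the password in its arguments either. The password still has to be read from somewhere the script can access, which is the storage question the thread leaves open.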
