Re: Tde and Rman

  • From: Jeremy Schneider <jeremy.schneider@xxxxxxxxxxxxxx>
  • To: max scalf <oracle.blog3@xxxxxxxxx>
  • Date: Sat, 26 Sep 2015 14:00:16 -0400

First, a caveat: I'm taking a stab at answering for version 11.2 which
uses the terminology "wallet" - but it all changes in 12.1 and there
are some small differences in earlier versions (e.g. around
local/auto-login wallets).

I think this is the link you're looking for:

http://www.oracle.com/technetwork/database/security/index-095354.html

The exact process depends on your compression settings, but the
important point is that TDE-encrypted data will *always* remain
encrypted in RMAN backups.

Regarding the wallets, it's the main wallet (ewallet.p12) - which is
password-protected - that counts. You need to somehow backup this file
(maybe differently than the database backups) and make sure you never
lose it. Also make sure you never lose the password that unlocks it.
Some people just keep that one written on a paper in their VP's
physical safe at the office. That main wallet - ewallet.p12 - is what
can be used to decrypt the backup at a DR site or anywhere else as
long as you have the password.

If you create an "auto-login" wallet, then that is stored in a
different file called cwallet.sso. It doesn't replace the first file
I mentioned (ewallet.p12), you just leave both files in the directory.
Oracle tries to use the cwallet.sso to decrypt if possible, and
otherwise falls back to using the default ewallet.p12 file. The
cwallet.sso file is useless on any server besides the one where it was
created and it's not a bad idea to just exclude it from your backups
entirely. (It can easily be recreated as long as you have the
ewallet.p12 file.)

This link might be helpful - though I think it's a slight oversight to
say it's a "good practice" to exclude the main wallet (ewallet.p12)
from OSB backups without explicitly mentioning that it *needs* to be
backed up by some other means:

https://docs.oracle.com/cd/E11882_01/network.112/e40393/asotrans.htm#CHDFJEEH

-Jeremy


--
http://about.me/jeremy_schneider
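A small shell helper, added here as an illustration of the backup discipline Jeremy describes (it is not part of his reply and not an Oracle tool): copy ewallet.p12 to a location kept apart from the RMAN backup pieces, leave the host-bound cwallet.sso out, and record a checksum so a copy can be verified before anyone relies on it at a DR site. The function names, the timestamped file naming and the directory paths are assumptions; point WALLET_DIR at whatever your sqlnet.ora ENCRYPTION_WALLET_LOCATION names.

```shell
#!/bin/sh
# Added example, not from the thread. Backs up the password-protected TDE
# wallet (ewallet.p12) separately from RMAN and deliberately skips the
# auto-login file (cwallet.sso), which is only useful on the host that made it.

# Portable SHA-256 of one file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# backup_tde_wallet WALLET_DIR DEST_DIR
# Copies WALLET_DIR/ewallet.p12 to DEST_DIR/ewallet.p12.<timestamp>, writes a
# companion .sha256 file, and prints the path of the copy. Never touches
# cwallet.sso. Returns non-zero if the main wallet is missing.
backup_tde_wallet() {
    wallet_dir="$1"
    dest_dir="$2"
    if [ ! -f "$wallet_dir/ewallet.p12" ]; then
        echo "no ewallet.p12 in $wallet_dir: nothing to protect" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    copy="$dest_dir/ewallet.p12.$stamp"
    cp "$wallet_dir/ewallet.p12" "$copy" || return 1
    chmod 600 "$copy"
    sha256_of "$copy" > "$copy.sha256"
    echo "$copy"
}

# verify_wallet_copy COPY_PATH
# Recomputes the checksum of a saved copy and compares it with the recorded
# one; this is the check to run on the DR side before attempting a restore.
verify_wallet_copy() {
    copy="$1"
    [ -f "$copy" ] && [ -f "$copy.sha256" ] || return 1
    expected=$(cat "$copy.sha256")
    actual=$(sha256_of "$copy")
    [ "$expected" = "$actual" ]
}

# Usage (assumed paths):
#   copy=$(backup_tde_wallet /u01/app/oracle/admin/ORCL/wallet /secure/wallet-backups)
#   verify_wallet_copy "$copy" && echo "wallet copy verified"
```

The checksum only proves the copy is intact, not that it is the right wallet for the backup you are about to restore; the password that opens ewallet.p12 still has to be kept somewhere outside the backup system, as the reply says. The skipped cwallet.sso can be regenerated on the target host from ewallet.p12 and the password.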


On Sat, Sep 26, 2015 at 1:04 PM, max scalf <oracle.blog3@xxxxxxxxx> wrote:

Hello list,

This might be an easy question but I am trying to find a solid answer for it.
Let's say if I have TDE configured at tablespace level and nothing else and
then I start an RMAN backup to disk or tape/nbu without messing around with
encryption inside RMAN....will those backup files be encrypted? From the
docs I read it says encrypted data/tablespace is unchanged and backed up...so
not clear on the unchanged part.

One other thing I am confused about is, if I set up auto-login local for my
TDE wallet, from what I understand the master key cannot be copied
over to another machine and a db restored there will not work? If so how do I
restore this db in case of DR?
--
//www.freelists.org/webpage/oracle-l
