Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659649]
Wed, 25 January 2017 13:42
akoszuta
Messages: 6 Registered: January 2017
Junior Member
We are researching Oracle TDE and have a few questions/concerns regarding the implications of encrypting existing databases. Most of the documentation I've found only applies to encrypting new databases, or contains minimal info about migrating existing data. Most prominently:
If we have an unencrypted database that is currently being backed up in that unencrypted state, and we implement TDE (Transparent Data Encryption), migrating ALL data to encrypted tablespaces, does that then render all of our previous backups useless?
(i.e. Can you restore a previously existing unencrypted backup to a newly encrypted database?)
If not, then there's a huge risk implementing encryption, since you lose the ability to restore to a date prior to the day you encrypted your tablespaces.
Any info would be appreciated. Thanks!

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659652 is a reply to message #659649]
Thu, 26 January 2017 01:25
John Watson
Messages: 8963 Registered: January 2010 Location: Global Village
Senior Member
You have not given much detail (not even your Oracle release) but I shall assume that you are talking about transparent tablespace encryption (there is no such thing as "database encryption"). When you implemented this, you will have moved or copied your objects into new, encrypted, tablespaces and dropped the old tablespaces. There is no reason why you cannot restore your old, unencrypted, tablespaces using point-in-time recovery.

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659659 is a reply to message #659652]
Thu, 26 January 2017 09:07
akoszuta
Messages: 6 Registered: January 2017
Junior Member
It was kind of a generic question for planning purposes, not a specific issue that I'm trying to troubleshoot.
It's my understanding that the backup/recovery of TDE via RMAN works the same regardless of version, but we're mostly still on 11.2.0.3. We will be moving to a yet-to-be-determined version of 12c later on.
And yes, I am talking about tablespace encryption.
Maybe it would help if I posed a hypothetical scenario:
• We take a backup today, January 26th, via RMAN with unencrypted tablespaces.
• We implement tablespace encryption on February 2nd. (i.e. exporting the data, dropping the tablespaces, creating new encrypted tablespaces with the same name, and re-importing the data)
Now, let's say a developer comes to us and wants us to restore the database to January 26th. Can we simply restore via RMAN to that date? Or do we have to get into a more complex restore scenario?

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659660 is a reply to message #659659]
Thu, 26 January 2017 10:11
John Watson
Messages: 8963 Registered: January 2010 Location: Global Village
Senior Member
The wallet management is different between 11.x and 12.x.
It seems straightforward to me. If you back up without encrypting the backup, you don't need the wallet to restore. If you use TDE to encrypt your backup, you need the wallet to restore. I usually use dual mode encryption, so that I can restore with a password if the wallet is not available, which is usually the case if restoring on a different machine.
Are you confusing encrypted tablespaces with encrypted backups?
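
The difference between encrypted tablespaces and encrypted backups discussed in the reply above can be checked from the data dictionary. This is an added example, not part of the original thread; it assumes an 11.2 or later non-CDB instance (or a session inside a single PDB) and SELECT privilege on the DBA_ and V$ views used.

```sql
-- 1. Tablespace encryption (TDE): which tablespaces are encrypted at rest?
--    ENCRYPTED is YES/NO; ENCRYPTIONALG is NULL for unencrypted tablespaces.
SELECT t.tablespace_name,
       t.encrypted,
       e.encryptionalg
FROM   dba_tablespaces t
       LEFT JOIN v$tablespace vt           ON vt.name = t.tablespace_name
       LEFT JOIN v$encrypted_tablespaces e ON e.ts#   = vt.ts#
ORDER  BY t.tablespace_name;

-- 2. Backup encryption (RMAN): a separate setting, recorded per backup piece.
--    Pieces taken without RMAN backup encryption show ENCRYPTED = 'NO',
--    even when the tablespaces they contain are TDE-encrypted.
SELECT s.recid            AS backup_set,
       p.piece#,
       p.encrypted,
       p.completion_time,
       p.handle
FROM   v$backup_piece p
       JOIN v$backup_set s
         ON s.set_stamp = p.set_stamp
        AND s.set_count = p.set_count
WHERE  p.status = 'A'              -- available pieces only
ORDER  BY p.completion_time;

-- 3. Wallet state: needed to open encrypted tablespaces and to restore
--    backups that were encrypted with the wallet key.
SELECT wrl_type,
       wrl_parameter,
       status
FROM   v$encryption_wallet;
```

Comparing the COMPLETION_TIME values from query 2 with the date the tablespaces were encrypted shows which backup pieces predate the change and whether any of them were themselves encrypted.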

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659672 is a reply to message #659671]
Thu, 26 January 2017 12:46
John Watson
Messages: 8963 Registered: January 2010 Location: Global Village
Senior Member
So what relevance does Arup's article have? Zero. If you don't trust me (no reason why you should) you'll need to read up on Transparent Tablespace Encryption in the Advanced Security Guide and encrypting backups in the B&R Guide. Concentrate on when the encryption/decryption occurs: in the path to and from disc. Not in the SGA, not in the PGA. That should make it clear.

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659674 is a reply to message #659673]
Thu, 26 January 2017 13:36
John Watson
Messages: 8963 Registered: January 2010 Location: Global Village
Senior Member
You must be one of the rudest people I have come across here. Not one "thank you for your time" so far.
However, I shall try one more time. Transparent Tablespace Encryption encrypts tablespaces. A tablespace is datafiles on disc. When RMAN, or anything else, reads those files, they are decrypted. Transparently. OK so far? Your backups are not encrypted, unless you choose to encrypt them.
Of course, understanding architecture is only "nitpicking". Perhaps you need to pick a few nits yourself.
Goodbye.

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659675 is a reply to message #659674]
Thu, 26 January 2017 13:51
akoszuta
Messages: 6 Registered: January 2017
Junior Member
It's funny you say that, because I've never been called "rude" in a professional setting before, but I'm also not gonna sit here and get dicked around. I'd thank you for your time if you weren't wasting mine.
I don't need you to prove how exceedingly smart you are, but apparently you do. I just needed a simple answer to a simple question.
It must be hard going through life with such a fragile ego. Enjoy your little forum. Bye.