OraFAQ Forum: Backup & Recovery » Restoring Unencrypted Backups to a TDE Encrypted Database?

Home » RDBMS Server » Backup & Recovery » Restoring Unencrypted Backups to a TDE Encrypted Database?

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659649]

Wed, 25 January 2017 13:42

akoszuta
Messages: 6
Registered: January 2017

Junior Member

We are researching Oracle TDE and have a few questions/concerns regarding the implications of encrypting existing databases. Most of the documentation I've found only applies to encrypting new databases, or contains minimal info about migrating existing data. Most prominently:

If we have a unencrypted database that is currently being backed up in that unencrypted state, and we implement TDE (Transparent Data Encryption), migrating ALL data to encrypted tablespaces, does that then render all of our previous backups useless?

(ie. Can you restore a previously existing unencrypted backup to a newly encrypted database?)

If not, then there's a huge risk implementing encryption, since you lose the ability to restore to a date prior to the day you encrypted your tablespaces.

Any info would be appreciated. Thanks!

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659650 is a reply to message #659649]

Wed, 25 January 2017 14:49

BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal

Senior Member

Welcome to this forum

Please read and follow the forum guidelines, to enable us to help you:
OraFAQ Forum Guide
How to use {code} tags and make your code easier to read

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659652 is a reply to message #659649]

Thu, 26 January 2017 01:25

John Watson
Messages: 8977
Registered: January 2010
Location: Global Village

Senior Member

You have not given much detail (not even your Oracle release) but I shall assume that you are talking about transparent tablespace encryption (there is no such tings as "database encryption"). When you implemented this, you will have moved or copied your objects into new, encrypted, tablespaces and dropped the old tablespaces. There is no reason why you cannot restore your old, unencrypted, tablespaces using point-in-time recovery.

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659659 is a reply to message #659652]

Thu, 26 January 2017 09:07

akoszuta
Messages: 6
Registered: January 2017

Junior Member

It was kind of a generic question for planning purposes, not a specific issue that I'm trying to troubleshoot.

It's my understanding that the backup/recovery of TDE via RMAN works the same regardless of version, but we're mostly still on 11.2.0.3. We will be moving to a yet-to-be-determined version of 12c later on.

And yes, I am talking about tablespace encryption.

Maybe it would help if I posed a hypothetical scenario:

• We take a backup today, January 26th, via RMAN with unencrypted tablespaces.

• We implement tablespace encryption on February 2nd. (ie. exporting the data, dropping the tablespaces, creating new encrypted tablespaces with the same name, we re-import the data)

Now, let's say a developer comes to us and wants us to restore the database to January 26th. Can we simply restore via RMAN to that date? Or do we have to get into a more complex restore scenario?

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659660 is a reply to message #659659]

Thu, 26 January 2017 10:11

John Watson
Messages: 8977
Registered: January 2010
Location: Global Village

Senior Member

The wallet management is different between 11.x and 12.x.

It seems straightforward to me. If you back up without encrypting the backup, you don't need the wallet to restore. If you use TDE to encrypt your backup, you need the wallet to restore. I usually use dual mode encryption, so that I can restore with a password if the wallet is not available, which is usually the case if restoring on a different machine.

Are you confusing encrypted tablespaces with encrypted backups?

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659668 is a reply to message #659660]

Thu, 26 January 2017 12:24

akoszuta
Messages: 6
Registered: January 2017

Junior Member

I understand there are wallet/keystore differences between 11 and 12.

I'm only talking about encrypting tablespaces right now. It's my understanding that the data will remain encrypted through the backupsets even if RMAN encryption is not turned on.

" Since the data is stored encrypted, all downstream components, such as backup and archived logs, also have the encrypted format. "

(ref: http://www.oracle.com/technetwork/issue-archive/2005/05-sep/o55security-100471.html )

My question is simply can you use RMAN to restore a backup from before TDE (when the tablespaces were not encrypted) to a database that now has the tablespaces encrypted?

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659670 is a reply to message #659668]

Thu, 26 January 2017 12:30

John Watson
Messages: 8977
Registered: January 2010
Location: Global Village

Senior Member

Once again, you need to check your version. Arup Nanda eleven years ago was describing transparent column encryption in release 10.

[Updated on: Thu, 26 January 2017 12:31]

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659671 is a reply to message #659670]

Thu, 26 January 2017 12:35

akoszuta
Messages: 6
Registered: January 2017

Junior Member

Version is 11.2.0.3

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659672 is a reply to message #659671]

Thu, 26 January 2017 12:46

John Watson
Messages: 8977
Registered: January 2010
Location: Global Village

Senior Member

So what relevance does Arup's article have? Zero. If you don't trust me (no reason why you should) you'll need to read up on Transparent Tablespace Encryption in the Advanced Security Guide and encrypting backups in the B&R Guide. Concentrate on when the encryption/decryption occurs: in the path to and from disc. Not in the SGA, not in the PGA. That should make it clear.

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659673 is a reply to message #659672]

Thu, 26 January 2017 13:31

akoszuta
Messages: 6
Registered: January 2017

Junior Member

I've read the documentation. This scenario is not covered. If it was, I wouldn't be asking. That's what forums are for. You could just answer the question, instead of nitpicking at semantics.

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659674 is a reply to message #659673]

Thu, 26 January 2017 13:36

John Watson
Messages: 8977
Registered: January 2010
Location: Global Village

Senior Member

You must be one of the rudest people I have come across here. Not one "thank you for your time" so far.

However, I shall try one more time. Transparent Tablespace Encryption encrypts tablespaces. A tablespace is satafiles on disc. When RMAN, or anything else, reads those files, they are decrypted. Transparently. OK so far? Your backups are not encrypted, unless you choose to encrypt them.

Of course, understanding architecture is only "nitpicking". Perhaps you need to pick a few nits yourself.

Goodbye.

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659675 is a reply to message #659674]

Thu, 26 January 2017 13:51

akoszuta
Messages: 6
Registered: January 2017

Junior Member

It's funny you say that, because I've never been called "rude" in a professional setting before, but I'm also not gonna sit here and get dicked around. I'd thank you for your time if you weren't wasting mine.

I don't need you to prove how exceedingly smart you are, but apparently you do. I just needed a simple answer to a simple question.

It must be hard going through life with such a fragile ego. Enjoy your little forum. Bye.

Report message to a moderator

Previous Topic:	Transport tablespace with Oracle Standard Edition
Next Topic:	incremental 0/1 and full backup status

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu Jun 05 21:59:59 CDT 2025