Database with TDE tablespace encryption and RMAN encryption turned off (Doc ID 819167.1)


Question and Answer

Connor McDonald

Thanks for the question, Ankit.

Asked: June 30, 2020 - 3:37 am UTC

Last updated: April 18, 2023 - 3:20 am UTC

Version: 19c

Viewed 1000+ times

You Asked

Hi Team,

I would like to understand the scenario, where we have:
- TDE enabled at tablespace level.
- RMAN encryption turned off

Will the backup be still encrypted?

As per Oracle document - Doc ID 819167.1
First paragraph in Solution section, it states:

"RMAN does not de-encrypt TDE data when backing it up. When using column encryption, these columns as well as other data in the tables are encrypted again during the backup. If you are using tablespace encryption these are not further encrypted during backups. If you have RMAN encryption turned off but are using tablespace encryption on the database then the functionality is the same. RMAN can just back them up as they are without any decryption/re-encryption overhead. Wallet is not needed for this case."

Need your advice and to understand the line "If you have RMAN encryption turned off but are using tablespace encryption on the database then the functionality is the same"

What is "functionality is the same", backup will be encrypted with TDE or it will not be encrypted.

Thanks a lot.
Ankit

and Connor said...

Let's assume we're doing an image copy (a backup piece is not really different but image copy makes the explanation easier).

RMAN without encryption backing up a datafile (as an image copy) means that an exact replica of the file is taken. It is like an OS copy command.

- If that file is part of a tablespace that is NOT encrypted via TDE, then naturally the data in there is plain to see (as much as any data in a datafile is).

- If that file is part of a tablespace that IS encrypted via TDE, then even though it's an exact copy, the contents are encrypted (not by RMAN) because they are *already* encrypted by TDE. This is why RMAN (even with RMAN-level encryption turned on) does not need to apply further encryption, and to do so would serve no benefit.



Comments

Restore/Recovering Backup With Encrypted TBS on Another Database

Kayode, May 26, 2022 - 5:33 pm UTC

I just have the following question on your last statement:

"- If that file is part of a tablespace that IS encrypted via TDE, then even though it's an exact copy, the contents are encrypted (not by RMAN) because they are *already* encrypted by TDE. This is why RMAN (even with RMAN-level encryption turned on) does not need to apply further encryption, and to do so would serve no benefit."

What if I need to restore/recover this backup onto another database, and I know the encrypted key password? What is the process of successfully restoring/recovering the backup on the database server?
Connor McDonald
May 27, 2022 - 5:41 am UTC

In a nutshell, you copy the TDE wallet from the source host to the target, at which point you can then restore the TDE database.

If you want a full walkthrough, here's a nice post on it:

https://database-heartbeat.com/2021/07/06/restore-a-tde-encrypted-cloud-database-backup-to-another-availability-domain-oci-region-or-on-premises/

RMAN encryption with Auto-login keystore

DeeCeePee, April 13, 2023 - 4:17 pm UTC

If you configure your auto-login keystore, how does that affect encryption of backups (19c)?
Does RMAN encryption need to be set to ON?
Will the auto-login keystore result in all backups being encrypted?
Connor McDonald
April 18, 2023 - 3:20 am UTC

By default, just having an auto-login keystore does not enforce backup encryption.

You would still need to do:

RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;

or similar
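
To see how the two layers discussed in this thread combine on a given database, the query below lists every datafile in every available RMAN backup piece and says whether it is covered by TDE, by RMAN encryption, by both, or by neither. It is an added example, not part of the original answers; the column aliases are made up for illustration, and it assumes 12.2 or later with SELECT access to the V$ views (run from the root container in a CDB).

```sql
-- Added example (not from the original thread).
-- Caveats/assumptions:
--   * TDE status is the tablespace's CURRENT state, not its state at backup time.
--   * Covers backup sets only; image copies (V$DATAFILE_COPY) are not listed.
--   * A backup set with several pieces yields one row per piece per datafile.
SELECT ts.con_id,
       ts.name                     AS tablespace_name,
       bdf.file#,
       bp.handle                   AS backup_piece,
       bp.completion_time,
       NVL(ets.encryptedts, 'NO')  AS tde_encrypted,   -- encrypted at rest by TDE
       bp.encrypted                AS rman_encrypted,  -- encrypted by RMAN itself
       CASE
         WHEN NVL(ets.encryptedts, 'NO') = 'YES' AND bp.encrypted = 'YES'
           THEN 'TDE + RMAN'
         WHEN NVL(ets.encryptedts, 'NO') = 'YES'
           THEN 'TDE only (blocks copied as-is)'
         WHEN bp.encrypted = 'YES'
           THEN 'RMAN only'
         ELSE 'NONE - plaintext in backup'
       END                         AS backup_protection
FROM   v$backup_datafile bdf
JOIN   v$backup_piece bp
       ON  bp.set_stamp = bdf.set_stamp
       AND bp.set_count = bdf.set_count
JOIN   v$datafile df
       ON  df.file# = bdf.file#
JOIN   v$tablespace ts
       ON  ts.ts#    = df.ts#
       AND ts.con_id = df.con_id
LEFT JOIN v$encrypted_tablespaces ets
       ON  ets.ts#    = ts.ts#
       AND ets.con_id = ts.con_id
WHERE  bdf.file# > 0        -- file# 0 is the control file
AND    bp.status = 'A'      -- available pieces only
ORDER  BY backup_protection, ts.con_id, ts.name, bp.completion_time;
```

Rows reporting `NONE - plaintext in backup` are the ones to act on: either move the data into a TDE-encrypted tablespace or enable RMAN encryption as shown above.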
