Skip to Main Content

Breadcrumb

more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

Question and Answer

Connor McDonald

Thanks for the question, Lonnie.

Asked: January 07, 2020 - 5:56 pm UTC

Answered by: Connor McDonald - Last updated: January 20, 2020 - 3:05 am UTC

Category: Database Administration - Version: 12c

Viewed 100+ times

Whilst you are here, check out some content from the AskTom team: On the Explicit, Size, and Complex

You Asked

Through attrition our team has lost the password to the Oracle Keystore (Wallet) on our current Oracle 12c database(A). We would like to backup this database and restore it to a new instance(B) which is also 12c. The database(A) contains TDE Tablespace Encryption tablespaces.

Reading here, https://docs.oracle.com/database/121/BRADV/rcmconfa.htm#BRADV89467 it would seem one could do an RMAN backup on (A) using the Password or Dual Mode encryption option and restore this backup to (B) but I cannot find any clear verbiage addressing how TDE Tablespace Encryption is handled in this scenario.

1. Is it possible to restore an RMAN backup from (A) to (B) as described?
2. Are there any other methods that would make it possible to restore a clean backup of (A) to (B) in this scenario?


Thanks!
LB

and we said...

You might need to elucidate here, because I'm curious how you're opening the *current* database, let alone a backup

SQL> administer key management create keystore 'c:\oracle\admin\db122\wallet' identified by MySecret;

keystore altered.

SQL> administer key management set keystore open identified by MySecret;

keystore altered.

SQL> alter system set encryption key identified by "MySecret";

System altered.

SQL> create tablespace TDE datafile 'X:\ORACLE\ORADATA\DB122\TDE.DBF' size 100m encryption using 'AES256' default storage(encrypt);

Tablespace created.

SQL> create table scott.enc_emp tablespace tde
  2  as select * from scott.emp;

Table created.

SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.

Total System Global Area 3154116608 bytes
Fixed Size                  8752112 bytes
Variable Size            1073742864 bytes
Database Buffers         2063597568 bytes
Redo Buffers                8024064 bytes
Database mounted.
Database opened.
SQL> select * from scott.enc_emp;
select * from enc_emp
              *
ERROR at line 1:
ORA-28365: wallet is not open




Are you using auto login? You need to let us know more about your setup

and you rated our response

  (2 ratings)

Reviews

January 08, 2020 - 2:48 pm UTC

Reviewer: LB from O'Fallon, IL

I presume it is auto-login as no credentials are required during startup and RMAN backups appear to run successfully. However, during a restore of (A) to (B) there is an error to the effect of "backup was encrypted and could not be read."
Connor McDonald

Followup  

January 10, 2020 - 4:17 am UTC

OK, in that case, the following should get you part that road block

1) Get a new password for your auto-login wallet so it is known.

Follow the steps as per this blog to merge the existing auto-login wallet with a new one for which you know the password

https://www.ateam-oracle.com/how-to-reset-tde-wallet-password-when-original-password-is-lost

2) Then you can copy this wallet to your target database, and open that wallet on the target database with your (now known) password.

(I think) then you should be able to restore the database on that target node

Need to Understand

January 13, 2020 - 5:12 pm UTC

Reviewer: LB from O'Fallon, IL

That is very helpful, thank you. Now I'm just trying to understand why this solution works/is needed.

The database being backed up contains TDE Tablespace
Encryption. Is this why it is necessary to recover the wallet/keys or is it because the backup(s) in question used RMAN transparent encryption? Possibly both?

Similarly, if we took a new password (ONLY) or Dual mode RMAN encrypted backup would we still need to recover the wallet/keys in order to restore that backup given the TDE Tablespace Encryption used in the database?

It seems to me that a password encrypted backup would transparently decrypt TDE (like SQL) and then re-encrypt the backup using the method specified. This would be necessary for secure, transportable backups of TDE encrypted tablespaces, Otherwise you would have to merge the same wallet to every instance where the backup might be restored.

Any insight you could provide would appreciated.
Connor McDonald

Followup  

January 20, 2020 - 3:05 am UTC

If a tablespace is already encrypted, then RMAN encryption does not need to any additional processing because data is already encrypted. RMAN encryption will kick into action for data that is not already encrypted.

But to open a TDE tablespace, you need an open wallet. Wherever you place/restore/move that tablespace, you need that wallet.

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database