Skip to Main Content

Breadcrumb

May 4th

Question and Answer

Connor McDonald

Thanks for the question, Lonnie.

Asked: January 07, 2020 - 5:56 pm UTC

Last updated: January 20, 2020 - 3:05 am UTC

Version: 12c

Viewed 1000+ times

You Asked

Through attrition our team has lost the password to the Oracle Keystore (Wallet) on our current Oracle 12c database(A). We would like to backup this database and restore it to a new instance(B) which is also 12c. The database(A) contains TDE Tablespace Encryption tablespaces.

Reading here, https://docs.oracle.com/database/121/BRADV/rcmconfa.htm#BRADV89467 it would seem one could do an RMAN backup on (A) using the Password or Dual Mode encryption option and restore this backup to (B) but I cannot find any clear verbiage addressing how TDE Tablespace Encryption is handled in this scenario.

1. Is it possible to restore an RMAN backup from (A) to (B) as described?
2. Are there any other methods that would make it possible to restore a clean backup of (A) to (B) in this scenario?


Thanks!
LB

and Connor said...

You might need to elucidate here, because I'm curious how you're opening the *current* database, let alone a backup

SQL> administer key management create keystore 'c:\oracle\admin\db122\wallet' identified by MySecret;

keystore altered.

SQL> administer key management set keystore open identified by MySecret;

keystore altered.

SQL> alter system set encryption key identified by "MySecret";

System altered.

SQL> create tablespace TDE datafile 'X:\ORACLE\ORADATA\DB122\TDE.DBF' size 100m encryption using 'AES256' default storage(encrypt);

Tablespace created.

SQL> create table scott.enc_emp tablespace tde
  2  as select * from scott.emp;

Table created.

SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.

Total System Global Area 3154116608 bytes
Fixed Size                  8752112 bytes
Variable Size            1073742864 bytes
Database Buffers         2063597568 bytes
Redo Buffers                8024064 bytes
Database mounted.
Database opened.
SQL> select * from scott.enc_emp;
select * from enc_emp
              *
ERROR at line 1:
ORA-28365: wallet is not open




Are you using auto login? You need to let us know more about your setup

Rating

  (3 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

LB, January 08, 2020 - 2:48 pm UTC

I presume it is auto-login as no credentials are required during startup and RMAN backups appear to run successfully. However, during a restore of (A) to (B) there is an error to the effect of "backup was encrypted and could not be read."
Connor McDonald
January 10, 2020 - 4:17 am UTC

OK, in that case, the following should get you part that road block

1) Get a new password for your auto-login wallet so it is known.

Follow the steps as per this blog to merge the existing auto-login wallet with a new one for which you know the password

https://www.ateam-oracle.com/how-to-reset-tde-wallet-password-when-original-password-is-lost

2) Then you can copy this wallet to your target database, and open that wallet on the target database with your (now known) password.

(I think) then you should be able to restore the database on that target node

Need to Understand

LB, January 13, 2020 - 5:12 pm UTC

That is very helpful, thank you. Now I'm just trying to understand why this solution works/is needed.

The database being backed up contains TDE Tablespace
Encryption. Is this why it is necessary to recover the wallet/keys or is it because the backup(s) in question used RMAN transparent encryption? Possibly both?

Similarly, if we took a new password (ONLY) or Dual mode RMAN encrypted backup would we still need to recover the wallet/keys in order to restore that backup given the TDE Tablespace Encryption used in the database?

It seems to me that a password encrypted backup would transparently decrypt TDE (like SQL) and then re-encrypt the backup using the method specified. This would be necessary for secure, transportable backups of TDE encrypted tablespaces, Otherwise you would have to merge the same wallet to every instance where the backup might be restored.

Any insight you could provide would appreciated.
Connor McDonald
January 20, 2020 - 3:05 am UTC

If a tablespace is already encrypted, then RMAN encryption does not need to any additional processing because data is already encrypted. RMAN encryption will kick into action for data that is not already encrypted.

But to open a TDE tablespace, you need an open wallet. Wherever you place/restore/move that tablespace, you need that wallet.

How to restore TDE encrypted database into non-encrypted database?

Bala, February 24, 2020 - 7:34 am UTC

Hi,

We have a TDE encrypted production database and we want to restore the RMAN backup of the production TDE encrypted database into a non-producttion un-encrypted database.

Scenario:-
1. Database A (production) is TDE enabled with AES256 algorithm.
2. Daily RMAN compressed backup is running daily on the Database A
3. Database B (non-PROD) where NO encryption is applied.
4. Compressed RMAN backup of Database A is applied on to the Database B

Please tell steps to restore the RMAN backup of Database A(with TDE enabled) on to the Database B (with NO TDE).

Thanks Bala

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database