Home » RDBMS Server » Backup & Recovery » Restoring Unencrypted Backups to a TDE Encrypted Database?
Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659649] Wed, 25 January 2017 13:42 Go to next message
akoszuta
Messages: 6
Registered: January 2017
Junior Member
We are researching Oracle TDE and have a few questions/concerns regarding the implications of encrypting existing databases. Most of the documentation I've found only applies to encrypting new databases, or contains minimal info about migrating existing data. Most prominently:

If we have a unencrypted database that is currently being backed up in that unencrypted state, and we implement TDE (Transparent Data Encryption), migrating ALL data to encrypted tablespaces, does that then render all of our previous backups useless?

(ie. Can you restore a previously existing unencrypted backup to a newly encrypted database?)

If not, then there's a huge risk implementing encryption, since you lose the ability to restore to a date prior to the day you encrypted your tablespaces.

Any info would be appreciated. Thanks!
Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659650 is a reply to message #659649] Wed, 25 January 2017 14:49 Go to previous messageGo to next message
BlackSwan
Messages: 26766
Registered: January 2009
Location: SoCal
Senior Member
Welcome to this forum

Please read and follow the forum guidelines, to enable us to help you:
OraFAQ Forum Guide
How to use {code} tags and make your code easier to read

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659652 is a reply to message #659649] Thu, 26 January 2017 01:25 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
You have not given much detail (not even your Oracle release) but I shall assume that you are talking about transparent tablespace encryption (there is no such tings as "database encryption"). When you implemented this, you will have moved or copied your objects into new, encrypted, tablespaces and dropped the old tablespaces. There is no reason why you cannot restore your old, unencrypted, tablespaces using point-in-time recovery.
Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659659 is a reply to message #659652] Thu, 26 January 2017 09:07 Go to previous messageGo to next message
akoszuta
Messages: 6
Registered: January 2017
Junior Member
It was kind of a generic question for planning purposes, not a specific issue that I'm trying to troubleshoot.

It's my understanding that the backup/recovery of TDE via RMAN works the same regardless of version, but we're mostly still on 11.2.0.3. We will be moving to a yet-to-be-determined version of 12c later on.

And yes, I am talking about tablespace encryption.

Maybe it would help if I posed a hypothetical scenario:

• We take a backup today, January 26th, via RMAN with unencrypted tablespaces.

• We implement tablespace encryption on February 2nd. (ie. exporting the data, dropping the tablespaces, creating new encrypted tablespaces with the same name, we re-import the data)

Now, let's say a developer comes to us and wants us to restore the database to January 26th. Can we simply restore via RMAN to that date? Or do we have to get into a more complex restore scenario?

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659660 is a reply to message #659659] Thu, 26 January 2017 10:11 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
The wallet management is different between 11.x and 12.x.

It seems straightforward to me. If you back up without encrypting the backup, you don't need the wallet to restore. If you use TDE to encrypt your backup, you need the wallet to restore. I usually use dual mode encryption, so that I can restore with a password if the wallet is not available, which is usually the case if restoring on a different machine.

Are you confusing encrypted tablespaces with encrypted backups?


Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659668 is a reply to message #659660] Thu, 26 January 2017 12:24 Go to previous messageGo to next message
akoszuta
Messages: 6
Registered: January 2017
Junior Member
I understand there are wallet/keystore differences between 11 and 12.

I'm only talking about encrypting tablespaces right now. It's my understanding that the data will remain encrypted through the backupsets even if RMAN encryption is not turned on.

" Since the data is stored encrypted, all downstream components, such as backup and archived logs, also have the encrypted format. "

(ref: http://www.oracle.com/technetwork/issue-archive/2005/05-sep/o55security-100471.html )


My question is simply can you use RMAN to restore a backup from before TDE (when the tablespaces were not encrypted) to a database that now has the tablespaces encrypted?
Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659670 is a reply to message #659668] Thu, 26 January 2017 12:30 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
Once again, you need to check your version. Arup Nanda eleven years ago was describing transparent column encryption in release 10.

[Updated on: Thu, 26 January 2017 12:31]

Report message to a moderator

Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659671 is a reply to message #659670] Thu, 26 January 2017 12:35 Go to previous messageGo to next message
akoszuta
Messages: 6
Registered: January 2017
Junior Member
Version is 11.2.0.3
Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659672 is a reply to message #659671] Thu, 26 January 2017 12:46 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
So what relevance does Arup's article have? Zero. If you don't trust me (no reason why you should) you'll need to read up on Transparent Tablespace Encryption in the Advanced Security Guide and encrypting backups in the B&R Guide. Concentrate on when the encryption/decryption occurs: in the path to and from disc. Not in the SGA, not in the PGA. That should make it clear.
Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659673 is a reply to message #659672] Thu, 26 January 2017 13:31 Go to previous messageGo to next message
akoszuta
Messages: 6
Registered: January 2017
Junior Member
I've read the documentation. This scenario is not covered. If it was, I wouldn't be asking. That's what forums are for. You could just answer the question, instead of nitpicking at semantics.
Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659674 is a reply to message #659673] Thu, 26 January 2017 13:36 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
You must be one of the rudest people I have come across here. Not one "thank you for your time" so far.

However, I shall try one more time. Transparent Tablespace Encryption encrypts tablespaces. A tablespace is satafiles on disc. When RMAN, or anything else, reads those files, they are decrypted. Transparently. OK so far? Your backups are not encrypted, unless you choose to encrypt them.

Of course, understanding architecture is only "nitpicking". Perhaps you need to pick a few nits yourself.

Goodbye.
Re: Restoring Unencrypted Backups to a TDE Encrypted Database? [message #659675 is a reply to message #659674] Thu, 26 January 2017 13:51 Go to previous message
akoszuta
Messages: 6
Registered: January 2017
Junior Member
It's funny you say that, because I've never been called "rude" in a professional setting before, but I'm also not gonna sit here and get dicked around. I'd thank you for your time if you weren't wasting mine.

I don't need you to prove how exceedingly smart you are, but apparently you do. I just needed a simple answer to a simple question.

It must be hard going through life with such a fragile ego. Enjoy your little forum. Bye.

Previous Topic: Transport tablespace with Oracle Standard Edition
Next Topic: incremental 0/1 and full backup status
Goto Forum:
  


Current Time: Fri Mar 29 06:58:46 CDT 2024