Encrypt Database Backups

Customer and business data has increasingly become the target of high-tech theft. Protecting sensitive data is important not only inside the enterprise but also as it travels outside the enterprise across networks and to offsite storage on backup media. Oracle provides robust support for encrypting entire database backups. Encryption is the only defense when it comes to protecting business data when it is transported on tape or disk to offsite storage for safekeeping. Oracle provides two solutions for encrypting database backups.

Oracle RMAN

Oracle RMAN can encrypt an entire database backup using one of these three methods:

 Passphrase
 Local TDE master encryption key
 Hybrid: Passphrase and local TDE master encryption key

Available since Oracle Database 10g Release 2, Oracle Transparent Data Encryption protects credit card data and other sensitive business information within the database. Oracle RMAN can encrypt the entire database backup using the same master key used by Transparent Data Encryption to encrypt columns and tablespaces.

Passphrases are ideal for customers who are not already encrypting data in the database and simply want their database backup encrypted. It is important to use a complex passphrase made up of characters and numbers to prevent a thief from easily breaking the encryption and reading the clear text data.

Example for 'transparent' encryption [and compression] when the local TDE master encryption key is available:

  RMAN> connect target sys/<SYS pwd>@<ORACLE_SID>
  RMAN> set encryption on;
  RMAN> backup [as compressed backupset] database;
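
The passphrase and hybrid methods listed above, shown as RMAN commands in an added example that is not part of the original Oracle page. <passphrase> is a placeholder, and the restore steps assume a separate RMAN session on a host where the target database is already mounted.

```rman
# Added example; <passphrase> is a placeholder, not a real value.

# --- Passphrase only -------------------------------------------------
# The backup is protected by the passphrase alone. No TDE keystore is
# needed to create it or to restore it, but losing the passphrase
# makes the backup unrecoverable.
SET ENCRYPTION ON IDENTIFIED BY <passphrase> ONLY;
BACKUP AS COMPRESSED BACKUPSET DATABASE;

# --- Hybrid: passphrase and local TDE master encryption key ----------
# Without ONLY, the backup can be decrypted either with the TDE master
# encryption key (restore on the original site) or with the passphrase
# (restore at a site that does not hold the keystore).
SET ENCRYPTION ON IDENTIFIED BY <passphrase>;
BACKUP AS COMPRESSED BACKUPSET DATABASE;

# --- Restore from a passphrase or hybrid backup ----------------------
# Run in a new RMAN session. The passphrase must be supplied before
# RESTORE, otherwise RMAN cannot read the encrypted backup pieces.
SET DECRYPTION IDENTIFIED BY <passphrase>;
RESTORE DATABASE;
RECOVER DATABASE;

# --- Check ------------------------------------------------------------
# After each backup, confirm in SQL*Plus that the pieces were written
# encrypted (ENCRYPTED = YES):
#   SELECT handle, encrypted FROM v$backup_piece;
```

SET ENCRYPTION and SET DECRYPTION apply only to the current RMAN session, so a scheduled backup script has to issue them on every run.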

Table 1: Oracle Transparent Data Encryption and Oracle RMAN

Each RMAN backup mode below is followed by its result for data that, in the database, is not encrypted, uses TDE column encryption, or uses TDE tablespace encryption.

 RMAN backup: No RMAN encryption and no RMAN compression
   Data in the database not encrypted: Data not compressed and not encrypted
   TDE column encryption: Data in encrypted columns remains encrypted
   TDE tablespace encryption: Data in encrypted tablespaces remains encrypted

 RMAN backup: RMAN compression
   Data in the database not encrypted: Data compressed
   TDE column encryption: Data compressed; encrypted columns are treated as if they were not encrypted
   TDE tablespace encryption: Encrypted tablespaces are decrypted, compressed, and re-encrypted; un-encrypted tablespaces are compressed and encrypted (after compression, the content of encrypted and clear text tablespaces cannot be distinguished)

 RMAN backup: RMAN encryption
   Data in the database not encrypted: Data encrypted
   TDE column encryption: Data encrypted; double encryption of encrypted columns
   TDE tablespace encryption: Encrypted blocks are passed through to the backup unchanged; clear text blocks are encrypted

 RMAN backup: RMAN encryption and RMAN compression
   Data in the database not encrypted: Data compressed first, then encrypted
   TDE column encryption: Data compressed first, then encrypted; encrypted columns are treated as if they were not encrypted; double encryption of encrypted columns
   TDE tablespace encryption: Encrypted tablespaces are decrypted, compressed, and re-encrypted; un-encrypted tablespaces are compressed and encrypted

Oracle Secure Backup

Oracle Secure Backup (OSB) delivers tape data protection for the Oracle database and file systems in distributed UNIX, Linux, Windows and Network Attached Storage (NAS) environments. Integrated with Oracle Enterprise Manager (EM), Oracle Secure Backup gives Oracle customers a familiar interface for protecting the entire Oracle environment to tape. OSB is ideal for customers who back up directly to tape devices and want to encrypt their database backups. For more information, please refer to the Oracle Secure Backup page on OTN.
