ZDLRA backups -- How do I know if they are Encrypted

The ZDLRA introduced a new feature with release 23.1 that can both encrypt backups (if they are not already encrypted from TDE) and compress the backups . The combing of both encryption and compression with this feature is unique to the ZDLRA.

I talked about this new exciting feature in a blog post on Oracle.com you can find here.

What I am am going to cover in this blog post is how to audit the RMAN catalog on the ZDLRA to validate that your backups are completely RMAN encrypted.

There are two big advantages of ensuring your backups are fully encrypted

1) With the prevalence of data exfiltration, and the advent of new regulations in many industries, full encryption of backups is mandatory

2) When sending a backup to the Oracle cloud (either in OCI or to object storage on ZFS) full encryption is required to protect the backup data.

The question I often get asked with this feature is..

"How do you tell if your backups are encrypted ?"

You can can determine that your backups are encrypted by looking at the RMAN catalog.

The RC_BACKUP_PIECE view contains a column identifying if the backup is encrypted. This column is set to "YES" only when the backup piece is encrypted.

Keep in mind that there multiple types of backups pieces contained in the catalog

Controlfile backups
Spfile backups
Archive log sweeps
Archive log backups from real-time redo
Datafile backups
Virtual Full backups created from incremental backups.

All of these backups except for two are sent from RMAN with "encryption on" and the backup set will marked as encrypted based on the RMAN encryption setting.

The two that are not set by RMAN directly are

Real-time redo backups. Real-time redo backups are identified in the RMAN catalog as encrypted when the destination setting on the protected database has ENCRYPTION=ENABLE set.
Virtual Full backups. Virtual full backups are identified, for each datafile backup set, as encrypted ONLY after a new L0 is taken with RMAN encryption on, and all subsequent L1 backups are encrypted. I know that is a lot of stipulations on identifying the virtual full backup as encrypted. Only when a new FULL encrypted backup is taken, and all future incremental backups are encrypted can the ZDLRA be sure the backup has remained completely encrypted.

Checking the catalog

The script below takes 2 parameters (&db_name, and &days_to_compare) and it will check the RMAN catalog and display the status of the backups, by backup type making it easier to identify any backup pieces that may not be encrypted.

set linesize 170;
set pagesize 100
         ALTER SESSION SET NLS_DATE_FORMAT = 'YYYY-MM-DD hh24:mi:ss';
        define db_name =MYDB
      define days_to_compare = 7

     col backup_count format 99999 heading 'Backup|pieces'
     col encrypted format a10 heading 'Encrypted | Yes or No'
     col compressed format a10 heading 'Compressed | Yes or No'
     col backup_type_known format a40 heading 'Backup piece type'
      col start_time format a25 heading 'Start Time | by Day'
      col backup_size format 999,999.99 heading 'Backup Size | by Day (GB)'


    set pagesize 150
    set linesize 150


    ttitle skip 2 CENTER 'Database backup summary for last &days_to_compare days database: &db_name' SKIP 2


        set feedback off
        set echo off
        set underline =
       set verify off
        set termout off


        spool database_report_&db_name.out
  
  select Encrypted,
       compressed,
       count(1) backup_count,
       backup_type_known
  from
   (
    select case
            when (backup_type = 'L' and handle like '$RSCN%') then 'Archive Log - real-time redo'
            when (backup_type = 'L' and handle not like '$RSCN%') then 'Archive Log - log sweep'
            when (backup_type = 'D' and handle like 'c-%') then 'Controlfile/SPFILE backup'
            when (backup_type = 'D' and incremental_level=0 and handle like 'VB$%') then 'Virtual Full backup'
            when (backup_type = 'I' and incremental_level=1 and handle like 'VB$%') then 'Incremental L1  backup'
            when (backup_type = 'I' and incremental_level=1 and handle not like 'VB$%') then 'Incr. L1   --> Not yet virtualized'
            else backup_type || '   ' || incremental_level || '  ' || media
       end as backup_type_known,
       to_char(START_TIME,'mm/dd/yy hh24:mi:ss') Start_time,
       Encrypted,
       compressed
           from rc_backup_piece_details
           where start_time > sysdate - &days_to_compare and
                 db_name = '&db_name' and
                 (media is null or media like 'Recovery Appliance%')
           order by backup_type_known,encrypted,compressed
    )
   group by encrypted,backup_type_known,compressed;

This provides a nicely formatted output as you can see below.

                                             Database backup summary for last 15 days database: DBSG23AI

Encrypted  Compressed Backup
 Yes or No  Yes or No pieces Backup piece type
========== ========== ====== ========================================
YES        YES            69  Full backup
YES        NO             39 Archive Log - log sweep
NO         YES             1 Incremental L1  backup
YES        NO           3958 Archive Log - real-time redo
YES        YES            67 Incremental L1  backup
NO         YES             3  Full backup
NO         NO              1 Controlfile/SPFILE backup
YES        NO             26 Controlfile/SPFILE backup
YES        NO            221 Incremental L1  backup

In the report you can see that there a few backups that not encrypted, along with some controlfile/spfile backups.

NOTE: In order to run this report, I created a REPORT user in the database on the ZDLRA. A report has enough permissions to create this report.

Bryan's Oracle Blog

Sunday, September 29, 2024