
RMAN and DataPump Data Encryption Options

Status
Not open for further replies.

tekdudedude

Technical User
Sep 29, 2007
79
Hello,

Can anyone offer any ways to encrypt both RMAN backupset files and Data Pump dump files without purchasing the Enterprise Edition?

Our RMAN backups go to disk. The databases that we need this on consist of about 3 terabytes of RMAN\DataPump data.


Thanks,

TD
 
Tek,

this isn't really an Oracle question any more. If you've got the files, then just buy a proprietary encryption package and use it on the relevant ones. Then store safely away, ensuring that you have a back-up of your DEcryption software, otherwise, you could irretrievably lose the whole lot.

Having said that, I can't imagine why you wouldn't just use the built-in Oracle functions and just pay the licence fee. The extra cost and risk of encryption software just isn't worth the hassle. Also you have to remember to use it every time a back-up is made, whereas RMAN can do it automatically.

Regards

T
 
thargtheslayer,

Thanks for your feedback. I think you are right on target.

I agree with you concerning the E.E. Some employers do not know how to count the value of I.T. investments. They ONLY see the hit. They are quick to favor any solution that is "soft" dollars based, i.e. countless hours creating custom solutions, rather than making sound decisions based on ROI.

TD
 
I can feel a rant coming on. Do you want some "useful ammunition" to justify the purchase, along the lines of all the things managers forget to take into account when costing such things?

Regards

T
 
>> Do you want some "useful ammunition" to justify the purchase, along the lines of all the things managers forget to take into account when costing such things?

Yes! :)
 
ok,

the main problem is that managers do not factor in the revenue costs of hidden complexity and risk which arise.

If enterprise licences add £5,000 to the revenue cost, and an encryption licence adds £1,000, the dumb manager will go for the third party tool, on the erroneous assumption that it will save £4,000.

First, only Oracle's built-in encryption can maintain a tablespace in encrypted format whilst it is being used. A third-party tool can only encrypt a copy which was taken at some point in the past. It can also encrypt RMAN backup files, but again, only once they're frozen.

This means that your running db is unencrypted, even if your back-up pieces are. Built-in encryption allows you (I believe) to encrypt only particular tables or columns, so fine-grained control is possible. None of these facilities can be achieved otherwise. Also, since such tools usually only work on OS files, you can't use ASM or OMF, as their activities would torpedo any such software. You've paid for ASM and OMF, so now you'll pay more for software which will prevent their use - only a manager could come up with such a notion. There may be other 'gotchas' lurking in the undergrowth, but I think the point is already made.

As to cost, if a third-party tool is used, it must be verified that it correctly interoperates with every version of Oracle, and every db you have in use, otherwise it is useless.

The users must remember to use it all the time on back-ups, or write software to do so, which costs time and money, requires documentation, and must be maintained and managed indefinitely, which costs even more money.

The software must interoperate with all versions of your RMAN backups, for the reasons mentioned above, and must be similarly maintained.

If any new version of Oracle is deployed, the whole thing has to be checked and verified for correct operation, yet again.

In short, the company is signing up to a massive maintenance, verification, testing and documentation exercise which lasts indefinitely.

If you use Oracle, then Oracle Corporation guarantees backwards compatibility (otherwise it would go out of business). It guarantees interoperability with RMAN (so you can script this, just like everything else) and Oracle Corporation does all the maintenance, bug fixing, patching and documentation required.

Also, there is the unquantifiable but significant risk of the third party software irretrievably scrambling a crucial tablespace. This could cost millions, and if it did, your company would be in deep trouble. If this happened as a result of Oracle software, you could sue Oracle for those millions (as they have deep pockets and certify their software). A small third-party company might not be worth pursuing. In any event, such a foul-up would undoubtedly constitute a priority 1 request, and Oracle would likely respond.

I really despair when managers think that there's nothing more to it than adding numbers up in a spreadsheet. This ignores management effort, risk, hidden complexity (which increases the likelihood of failure) and the burden of maintaining such software indefinitely.

Regards

T
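
The file-level route discussed in this thread, sketched as an added example that is not part of any post above: a wrapper that encrypts finished backup pieces and removes the plaintext only after a decrypt round trip matches the original hash. It assumes OpenSSL 1.1.1+ and sha256sum are installed; the directory, the `.bkp`/`.dmp` suffixes and the key-file path are hypothetical.

```shell
#!/bin/sh
# Added example: encrypt finished backup pieces at the file level and prove
# each one decrypts to the original before the plaintext is removed.
# Assumptions: OpenSSL 1.1.1+ and sha256sum are installed; the directory, the
# *.bkp/*.dmp suffixes and the key-file path are hypothetical.

# Hash of a file's contents only (no file name in the output).
sha_of() { sha256sum < "$1" | cut -d' ' -f1; }

# Decrypt to stdout; used for verification here and for a restore later.
decrypt_piece() {  # usage: decrypt_piece FILE.enc KEYFILE
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1"
}

# Encrypt one piece; keep the plaintext unless the round trip matches.
encrypt_piece() {  # usage: encrypt_piece FILE KEYFILE
    src=$1; key=$2; out="$src.enc"
    want=$(sha_of "$src") || return 1
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$key" \
        -in "$src" -out "$out.tmp" || { rm -f "$out.tmp"; return 1; }
    got=$(decrypt_piece "$out.tmp" "$key" | sha256sum | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        rm -f "$out.tmp"
        echo "verify failed, plaintext kept: $src" >&2
        return 1
    fi
    mv "$out.tmp" "$out" && rm -f "$src"
}

# Encrypt every finished piece in a directory; non-zero if any piece failed.
encrypt_dir() {  # usage: encrypt_dir DIR KEYFILE
    rc=0
    for f in "$1"/*.bkp "$1"/*.dmp; do
        [ -f "$f" ] || continue
        encrypt_piece "$f" "$2" || rc=1
    done
    return $rc
}

# Runs only when both arguments are given, after RMAN or expdp has finished:
#   sh encrypt_pieces.sh /backup/rman /secure/backup.key
if [ $# -eq 2 ]; then encrypt_dir "$1" "$2"; fi
```

`openssl enc` in CBC mode gives confidentiality only, with no tamper detection, and once the plaintext is gone every restore depends on a separately stored copy of the key file.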
 