Cloning a TDE encrypted PDB from backup

I am going to walk through how to clone a PDB from an encrypted cloud backup.


My environment.

  • I have a multitenant database called "TDETEST" containing 3 pluggable databases: TDEPDB1, TDEPDB2 and TDEPDB3.
  • All of my PDBs are encrypted with TDE.
  • I am backing up to the Oracle cloud using the "Database Cloud Backup Module" (though you can use the same process regardless of where you are backing up to).
  • My backups also use RMAN encryption, which means my controlfile and spfile backups are encrypted.
  • I am using Oracle Key Vault (OKV) to manage my encryption keys.
  • My source database contains 4 encryption keys in a united-mode wallet: the encryption key for the CDB (1) and a key for each PDB (3).
  • I am using the parameters WALLET_ROOT and TDE_CONFIGURATION to manage my TDE settings.
NOTE: OKV is not required to go through this same process.  It is possible to use the same process with local wallet files by importing/exporting keys from within the TDE wallet.  OKV makes this process much simpler.

Security Concerns.

Since this is an environment leveraging advanced security, I want to be sure that during this process I am following the security philosophy of "least privilege". Because encryption keys are critical to protecting the data, I am only going to access the encryption keys that I need, and I am going to change the master key on my destination to ensure it is different from my source database.

Clone Process of a PDB to a new CDB

Step #1 -  Identify the encryption keys needed

I first need to identify the encryption keys from the source database that I need in order to clone to my new database.  The script below (executed against the source database) will give me the IDs of the current encryption keys. If you rotate the master key, and you are restoring from a backup taken prior to a key rotation, you can find the key ID for that older backup by filtering on the activation_time.
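The post's own script is not reproduced on this page. As an added example (not the author's code), the query below lists, for each container, the master key that was already active at a chosen point in time, which is the key needed to restore a backup taken at that time. It assumes the 12.2+ views V$ENCRYPTION_KEYS and V$CONTAINERS queried from CDB$ROOT of the source database, and a constructed restore timestamp; KEY_ID is the identifier as V$ENCRYPTION_KEYS reports it, while the MKID column in the post's output is the author's OKV-side form, whose conversion is not reproduced here.

```sql
-- Added example, not the post's own script. Run in CDB$ROOT of the SOURCE database.
-- Constructed restore point: the time the backup being cloned from was taken.
DEFINE restore_time = '2021-04-10 00:00:00 +00:00'

WITH keys AS (
  SELECT c.name                                  AS container_name,
         k.con_id,
         k.key_id,             -- identifier as V$ENCRYPTION_KEYS reports it
         k.tag,
         k.activation_time,
         k.creator_dbname,
         -- the newest key that was already active at the restore point ranks 1
         ROW_NUMBER() OVER (PARTITION BY k.con_id
                            ORDER BY k.activation_time DESC) AS rn
  FROM   v$encryption_keys k
  JOIN   v$containers      c ON c.con_id = k.con_id
  WHERE  k.activation_time <= TO_TIMESTAMP_TZ('&restore_time',
                                               'YYYY-MM-DD HH24:MI:SS TZH:TZM')
)
SELECT container_name, con_id, key_id, tag, activation_time, creator_dbname
FROM   keys
WHERE  rn = 1          -- one row per container: the key the backup was written under
ORDER  BY con_id;
```

Drop the WHERE clause on activation_time and the rn = 1 filter to see the full key history per container, which is what you compare against when deciding which keys to add to the clone's wallet.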


Now the output I am seeing (for my source database with 3 PDBs) looks like this below. I can identify my master encryption key for the CDB and the master key for my PDB (TDEPDB1), and add them to the wallet (in OKV) for my cloneDB.


PDB Name        TDE Master Encryption Key: MKID          Database Name
--------------- ---------------------------------------- ------------------------------
$CDB/tdetest    064B6B6DD1A3F24F7BBF386DAA7940018F       tdetest
TDEPDB1         06911C93A8DFF84F58BFA7B77E59285C6F       tdetest
TDEPDB2         0631D6ECD792304F23BFB0430B8622EFCF       tdetest
TDEPDB3         06F8F1B56701944F77BF61340649D8664D       tdetest


Step #2 -  Configure wallet

In order to restore my PDB (which is encrypted), I need the encryption keys for both my CDB and this PDB (TDEPDB1) that I identified in the previous step.

Using OKV, the process is to:
  • Add my auxiliary database as an endpoint.
  • Create a new wallet for the auxiliary database.
  • Add the encryption keys for both the CDB and my PDB to the wallet.
  • Download the endpoint client install .jar file.
  • Create the directory structure and identify the WALLET_ROOT location.
  • Install the OKV jar file in WALLET_ROOT/okv.
  • Create the autologin for OKV in WALLET_ROOT/tde by storing the password as a secret for client 'HSM_PASSWORD'.
Using a local wallet file, the process is to:
  • Export the encryption keys to a file using the "WITH IDENTIFIER IN" clause, filtering on the encryption keys for the CDB and PDB.
  • Create the new local wallet file.
  • Import the encryption keys into the local wallet file, and make it autologin.

Step #3 -  Create init/spfile

Now we need to create the init file for the auxiliary database. It can be very small and only needs to contain a few entries.

NOTE: I am using WALLET_ROOT and TDE_CONFIGURATION. These need to be configured since my RMAN backup is encrypted. If you are not using OKV, then ensure WALLET_ROOT is pointing to the newly created local wallet file.

*.db_name='CLONEDB'
*.enable_pluggable_database=true
*.pga_aggregate_target=1567m
*.processes=320
*.sga_target=4700m
*.tde_configuration='KEYSTORE_CONFIGURATION=OKV|FILE'
*.wallet_root='/home/oracle/app/oracle/admin/clonedb/wallet/'


Step #4 -  Start up the database nomount

To make sure I am going to be able to duplicate the database successfully, I am going to start the database nomount.

sql > startup force nomount pfile='$ORACLE_HOME/dbs/initclonedb.ora';

Then I am going to make sure the wallet opens automatically.

Type       WRL_PARAMETER                                      Status                         WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
---------- -------------------------------------------------- ------------------------------ -------------------- --------- -------- --------- ----------
FILE       /home/oracle/app/oracle/admin/clonedb/wallet//tde/ OPEN_NO_MASTER_KEY             AUTOLOGIN            SINGLE    NONE     UNDEFINED          1
OKV                                                           OPEN_UNKNOWN_MASTER_KEY_STATUS OKV                  SINGLE    NONE     UNDEFINED          1


And I'm going to verify that the encryption keys are available for the CDB and PDB.

PDB Name        TDE Master Encryption Key: MKID          Database Name
--------------- ---------------------------------------- ------------------------------
$CDB/tdetest    06911C93A8DFF84F58BFA7B77E59285C6F       tdetest
$CDB/tdetest    064B6B6DD1A3F24F7BBF386DAA7940018F       tdetest


Step #5 -  Duplicate the pluggable database

Next I am going to execute the duplicate database command. Along with changing the location of the datafiles, I am also changing the settings for the WALLET_ROOT and TDE_CONFIGURATION.

rman  catalog rmancat/oracle@rmancat auxiliary / 

duplicate database tdetest to clonedb pluggable database tdepdb1 spfile
set control_files '/home/oracle/app/oracle/oradata/clonedb/CONTROLFILE/cf3.ctl'
set db_create_file_dest '/home/oracle/app/oracle/oradata/clonedb/'
set DB_FILE_NAME_CONVERT '/home/oracle/app/oracle/oradata/TDETEST','/home/oracle/app/oracle/oradata/clonedb'
set LOG_FILE_NAME_CONVERT '/home/oracle/app/oracle/oradata/TDETEST','/home/oracle/app/oracle/oradata/clonedb'
set wallet_root '/home/oracle/app/oracle/admin/clonedb/wallet/'
set tde_configuration='KEYSTORE_CONFIGURATION=OKV|FILE' ;


Below is the output from executing this.




Step #6 -  Rekey my encryption keys

I am going to execute a "SET KEY" operation to change the master key for my cloned copy.

Below are my keys: I now have 2 keys for the CDB and 2 keys for the PDB. The activation time shows that my new keys are the active ones.

PDB Name        TDE Master Encryption Key: MKID          Database Name                  activation time
--------------- ---------------------------------------- ------------------------------ -----------------------------------
$CDB/CLONEDB    06FB49082CF3D44FC0BFF085D24B4976FE       CLONEDB                        12-APR-21 06.21.44.323844 PM +00:00
$CDB/tdetest    064B6B6DD1A3F24F7BBF386DAA7940018F       tdetest                        06-APR-21 08.58.44.177146 PM +00:00
TDEPDB1         06911C93A8DFF84F58BFA7B77E59285C6F       tdetest                        06-APR-21 08.59.10.493272 PM +00:00
TDEPDB1         06DF048E03AD1D4F3CBFCEC911312C036B       CLONEDB                        12-APR-21 06.25.21.614324 PM +00:00

On OKV I added the 2 new keys to the wallet for my CloneDB.


That's all there is to cloning a single PDB into a new CDB from a Cloud Backup that was encrypted with OKV!