
How to Secure Oracle RMAN Backups with Password, Wallet, and Hybrid Encryption

This guide explains why backup security is critical for enterprise databases, introduces Oracle RMAN's three encryption strategies, and provides step‑by‑step commands to configure password‑based encryption, perform backups, handle decryption errors, and finally disable encryption safely.

ITPUB

Introduction

Data security, especially for core business databases, is a universal concern; a lost or compromised backup can cause severe reputational and financial damage. In Oracle environments, RMAN is the recommended backup‑restore tool, and it offers three encryption strategies to protect backup sets from unauthorized use.

Test Environment

The author tested on Oracle Database 11g Release 11.2.0.4 (64‑bit). The instance was placed in ARCHIVELOG mode to enable hot backups.

SQL> select * from v$version;

The output confirms the version.

RMAN Encryption Strategies

RMAN supports three basic encryption methods:

Password‑based encryption: Requires an interactive password during encryption and decryption.

Oracle Wallet encryption: Uses a wallet file to store encryption keys.

Hybrid encryption: Combines password and wallet mechanisms.

The article focuses on the password‑based approach.

Password‑Based Encryption Procedure

First, verify the current encryption settings (default is OFF) and the default algorithm (AES128).

RMAN> show encryption for database;
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
RMAN> show encryption algorithm;
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

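Enable encryption with a password and the ONLY clause. The ONLY keyword is mandatory for password‑only mode: without it, RMAN uses dual‑mode (hybrid) encryption, which also relies on the wallet.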

RMAN> set encryption on identified by 'test' only;

After confirming the setting, run a backup.

RMAN> backup database plus archivelog;

The backup output shows channel allocation, control‑file autobackup, and piece handles.

Listing Backup Sets

RMAN> list backup;

The list displays backup set keys, sizes, device types, and timestamps, confirming that the backup is AVAILABLE.

Restore Attempt and Decryption Error

Shut down the database, mount it, and attempt a restore without first opening the wallet.

SQL> shutdown immediate;
RMAN> startup mount;
RMAN> restore database;

The restore fails with:

ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

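This demonstrates that a password‑encrypted backup cannot be read until the correct decryption password is supplied. The wallet error appears because no decryption password has been set in the session, so the wallet is the only key source RMAN can try.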

Decryption and Successful Restore

Provide the password to open the encrypted backup.

RMAN> set decryption identified by 'test';

Then repeat the restore.

RMAN> restore database;

The restore proceeds, restoring each datafile, followed by media recovery and opening the database.

RMAN> recover database;
RMAN> alter database open;

Disabling Encryption

After the operation, turn off encryption for future backups.

RMAN> set encryption off;

This command disables the encryption setting.

Conclusion

Password‑based RMAN encryption is simple to configure but is rarely used in production because it requires manual password handling for every backup and restore. For robust security, administrators typically prefer wallet‑based or hybrid encryption methods.
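
The procedure above types the password literally into the RMAN session, which is the manual handling the conclusion refers to. The following sketch is an added example, not part of the original article: it emits the same command sequence from a permission‑checked password file so the output can be piped to rman. The function name and the password‑file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Emits the article's RMAN
# command sequence with the password read from a protected file, so the
# secret is not typed on a command line or stored in a saved script.
# Hypothetical names: rman_encrypted_backup_cmds, the password file path.
#
# Usage (assumes rman is on PATH and OS authentication is configured):
#   rman_encrypted_backup_cmds "$HOME/.rman_pw" | rman target /

rman_encrypted_backup_cmds() {
    pwfile=$1

    # Refuse a missing file, or one that group/others can read or write.
    [ -f "$pwfile" ] || { echo "no password file: $pwfile" >&2; return 2; }
    case $(ls -ld "$pwfile") in
        -rw-------*|-r--------*) ;;
        *) echo "password file must be mode 0600 or 0400" >&2; return 3 ;;
    esac

    # The first line is the password; tolerate a missing trailing newline.
    pw=
    IFS= read -r pw < "$pwfile" || true
    [ -n "$pw" ] || { echo "empty password" >&2; return 4; }

    # A quote inside the password would break out of the RMAN string
    # literal and change the command, so reject it instead of escaping.
    case $pw in
        *\'*|*\"*) echo "password must not contain quotes" >&2; return 5 ;;
    esac

    # Same sequence as the article: password-only encryption, backup,
    # then switch encryption off again for the rest of the session.
    cat <<EOF
set encryption on identified by '$pw' only;
backup database plus archivelog;
set encryption off;
EOF
}
```
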

Written by

ITPUB
