这里讨论的是列加密模式,即具有 tde encrypted column 的表如何在源库、目标库之间通过 expdp 、 impdp 进行传输。前提是源库和目标库上的 encryption wallet 都必须处于 open 状态,如果源库或者目标库有任何一侧的 wallet 没有 open ,都会引起导入或者导
这里讨论的是列加密模式,即具有tde encrypted column的表如何在源库、目标库之间通过expdp、impdp进行传输。前提是源库和目标库上的encryption wallet都必须处于open状态,如果源库或者目标库有任何一侧的wallet没有open,都会引起导入或者导出操作的失败。以下列举了容易引起导入导出失败的一些场景,帮我们更进一步的理解tde的工作过程。
场景1:导出时源库encryption wallet处于open状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于open状态
---源库wallet处于open状态下进行导出
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
create table t13 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t13 values('a','11');
commit;
expdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=exp_t13.log reuse_dumpfiles=yes
starting scott.sys_export_table_01: scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=exp_t13.log reuse_dumpfiles=yes
estimate in progress using blocks method...
processing object type table_export/table/table_data
total estimation using blocks method: 8 mb
processing object type table_export/table/table
. . exported scott.t13 5.406 kb 1 rows
ora-39173: encrypted data has been stored unencrypted in dump file set.
master table scott.sys_export_table_01 successfully loaded/unloaded
******************************************************************************
dump file set for scott.sys_export_table_01 is:
/oradata01/hisdmp/monthly/t13.dmp
job scott.sys_export_table_01 completed with 1 error(s) at 16:21:16
scp /oradata01/hisdmp/monthly/t13.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库wallet处于open状态,成功导入
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
impdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log
processing object type table_export/table/table
processing object type table_export/table/table_data
. . imported scott.t13 5.406 kb 1 rows
job scott.sys_import_table_01 successfully completed at 16:20:47
场景2:导出时源库encryption wallet处于open状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于close状态
---源库wallet处于open状态下进行导出
步骤同场景1
--目标库wallet处于close状态,导入失败
alter system set encryption wallet close identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
closed
---ora-28365因wallet close所以无法创建encrypted column
impdp scott/abcd_1234 directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log;
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t13.dmp tables=t13 logfile=imp_t13.log
processing object type table_export/table/table
ora-39083: object type table:scott.t13 failed to create with error:
ora-28365: wallet is not open
failing sql is:
create table scott.t13 (c1 varchar2(1 byte) encrypt using 'aes192' 'sha-1', c2 varchar2(2 byte)) segment creation immediate pctfree 10 pctused 40 initrans 1 maxtrans 255 nocompress logging storage(initial 8388608 next 8388608 minextents 1 maxextents 2147483645 pctincrease 0 freelists 1 freelist groups 1 buffer_pool default flash_cache default cell_flash_cache default) tablespace ts_
processing object type table_export/table/table_data
job scott.sys_import_table_01 completed with 1 error(s) at 16:22:17
场景3:导出时源库encryption wallet处于close状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于open状态
---源库导出时wallet处于close状态
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
create table t14 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t14 values('b','22');
commit;
alter system set encryption wallet close identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
closed
---因为wallet处于close,所以无法对表中加密列的数据进行解密,在接下来导入的时候可以看到仅导入了表结构
expdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=exp_t14.log reuse_dumpfiles=yes;
connected to: oracle database 11g enterprise edition release 11.2.0.3.0 - 64bit production
with the partitioning, olap, data mining and real application testing options
starting scott.sys_export_table_01: scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=exp_t14.log reuse_dumpfiles=yes
estimate in progress using blocks method...
processing object type table_export/table/table_data
total estimation using blocks method: 8 mb
processing object type table_export/table/table
ora-31693: table data object scott.t14 failed to load/unload and is being skipped due to error:
ora-29913: error in executing odciexttablepopulate callout
ora-28365: wallet is not open
ora-39173: encrypted data has been stored unencrypted in dump file set.
master table scott.sys_export_table_01 successfully loaded/unloaded
******************************************************************************
dump file set for scott.sys_export_table_01 is:
/oradata01/hisdmp/monthly/t14.dmp
job scott.sys_export_table_01 completed with 2 error(s) at 16:31:12
scp /oradata01/hisdmp/monthly/t14.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库导入
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
---导入部分成功,字段维持加密状态
impdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log
processing object type table_export/table/table
job scott.sys_import_table_01 successfully completed at 16:32:50
select owner,table_name,column_name from dba_encrypted_columns where table_name='t14';
owner table_name column_name
------------------------------ ------------------------------ ------------------------------
scott t14 c1
---但查询无内容,只把表结构导入了进来,没有任何数据
select * from scott.t14
no rows selected
---检查t14表的加密key并和orapki命令输出的相比较,impdp后表encrypted column自动使用了目标库的masterkey进行加密,证明源和目标库上的masterkey无需保持一致
col object_name format a13
col owner format a13
set linesize 120
select obj#,mkeyid,object_name,owner from enc$,dba_objects where object_id=obj#;
obj# mkeyid object_name owner
---------- ---------------------------------------------------------------- ------------- -------------
5553580 azhxajyqj08iv5x80kxwlbqaaaaaaaaaaaaaaaaaaaaaaaaaaaaa t14 scott
orapki wallet display -wallet /oradata06/wallet
requested certificates:
subject: cn=oracle
user certificates:
oracle secret store entries:
oracle.security.db.encryption.azhxajyqj08iv5x80kxwlbqaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
oracle.security.db.encryption.masterkey
oracle.security.ts.encryption.bs8n9qmwrzrpocpy6ajpnzycawaaaaaaaaaaaaaaaaaaaaaaaaaa
trusted certificates:
场景4:导出时源库encryption wallet处于close状态,不对导出的dumpfile文件进行加密;导入时目标库wallet处于close状态
---源库导出时wallet处于close状态
导出步骤同场景3,
---目标库导入
alter system set encryption wallet close identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
closed
drop table scott.t14;
***目标库的encryption wallet close,出现ora-28353在意料之中
impdp scott/abcd_1234 directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t14.dmp tables=t14 logfile=imp_t14.log
processing object type table_export/table/table
ora-39083: object type table:scott.t14 failed to create with error:
ora-28365: wallet is not open
failing sql is:
create table scott.t14 (c1 varchar2(1 byte) encrypt using 'aes192' 'sha-1', c2 varchar2(2 byte)) segment creation immediate pctfree 10 pctused 40 initrans 1 maxtrans 255 nocompress logging storage(initial 8388608 next 8388608 minextents 1 maxextents 2147483645 pctincrease 0 freelists 1 freelist groups 1 buffer_pool default flash_cache default cell_flash_cache default) tablespace ts_
job scott.sys_import_table_01 completed with 1 error(s) at 16:37:21
场景5:导出时源库encryption wallet处于open状态,使用encryption=encrypted_columns_only在dumpfile中对加密列以加密方式存储;导入时目标库wallet处于open状态
---源库导出,wallet处于open状态
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
create table t15 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t15 values('c','33');
commit;
---注意这里只能使用password模式,不能使用transparent和dual模式
expdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=exp_t15.log reuse_dumpfiles=yes encryption=encrypted_columns_only encryption_password=tde_1234;
starting scott.sys_export_table_01: scott/******** directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=exp_t15.log reuse_dumpfiles=yes encryption=encrypted_columns_only encryption_password=********
estimate in progress using blocks method...
processing object type table_export/table/table_data
total estimation using blocks method: 8 mb
processing object type table_export/table/table
. . exported scott.t15 5.460 kb 1 rows
master table scott.sys_export_table_01 successfully loaded/unloaded
******************************************************************************
dump file set for scott.sys_export_table_01 is:
/oradata01/hisdmp/monthly/t15.dmp
job scott.sys_export_table_01 successfully completed at 17:27:06
scp /oradata01/hisdmp/monthly/t15.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库wallet处于open状态,成功导入
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
impdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=tde_1234
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=********
processing object type table_export/table/table
processing object type table_export/table/table_data
. . imported scott.t15 5.460 kb 1 rows
job scott.sys_import_table_01 successfully completed at 17:28:58
场景6:导出时源库encryption wallet处于open状态,使用encryption=encrypted_columns_only在dumpfile中对加密列以加密方式存储;导入时目标库wallet处于close状态
---源库导出,wallet处于open状态
导出步骤同场景5
---关闭目标库的encryption wallet
alter system set encryption wallet close identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
closed
---ora-28365因wallet close所以无法创建encrypted column
impdp scott/abcd_1234 directory=hisdmp dumpfile=t15.dmp tables=t15 logfile=imp_t15.log encryption_password=tde_1234
ora-39002: invalid operation
ora-39180: unable to encrypt encryption_password
ora-28365: wallet is not open
场景7:导出时源库encryption wallet处于close状态,使用encryption=encrypted_columns_only在dumpfile中对加密列以加密方式存储;因导出即失败所以无法继续进行导入
---源库导出,导出时wallet处于close状态
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
create table t16 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t16 values('c','33');
commit;
alter system set encryption wallet close identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
closed
---注意这里只能使用password模式,不能使用transparent和dual模式,之所以报错是因为使用password对encrypted column在导出时进行加密之前必须先用masterkey对encrypted列进行解密,对解密的结果再进行加密,而这时wallet close无法获取到masterkey,所以加密过程就无法继续
expdp scott/abcd_1234 directory=hisdmp dumpfile=t16.dmp tables=t16 logfile=exp_t16.log reuse_dumpfiles=yes encryption=encrypted_columns_only encryption_password=tde_1234;
ora-39001: invalid argument value
ora-39180: unable to encrypt encryption_password
ora-28365: wallet is not open
场景8:导出时源库encryption wallet处于open状态,使用encryption=all在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于open状态,并分别对上述两种模式下导出的dumpfile进行导入
---源库导出,wallet处于open状态
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
create table t17 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t17 values('c','33');
commit;
---分别使用transparent和password两种模式进行导出
***transparent模式
expdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=exp_t17t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent
starting scott.sys_export_table_01: scott/******** directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=exp_t17t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent
estimate in progress using blocks method...
processing object type table_export/table/table_data
total estimation using blocks method: 8 mb
processing object type table_export/table/table
. . exported scott.t17 5.414 kb 1 rows
master table scott.sys_export_table_01 successfully loaded/unloaded
******************************************************************************
dump file set for scott.sys_export_table_01 is:
/oradata01/hisdmp/monthly/t17t.dmp
job scott.sys_export_table_01 successfully completed at 21:00:06
***password模式
expdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=exp_t17p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=tde_1234;
starting scott.sys_export_table_01: scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=exp_t17p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=********
estimate in progress using blocks method...
processing object type table_export/table/table_data
total estimation using blocks method: 8 mb
processing object type table_export/table/table
. . exported scott.t17 5.414 kb 1 rows
master table scott.sys_export_table_01 successfully loaded/unloaded
******************************************************************************
dump file set for scott.sys_export_table_01 is:
/oradata01/hisdmp/monthly/t17p.dmp
job scott.sys_export_table_01 successfully completed at 21:01:18
scp /oradata01/hisdmp/monthly/t17t.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
scp /oradata01/hisdmp/monthly/t17p.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库wallet处于open状态,分别导入transparent、password模式导出的dmp
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
---导入以encryption_mode=transparent方式导出的t17t.dmp,因源、目标库的masterkey不一致发生了ora-28362,进一步导致ora-39189目标库无法解密由源库masterkey加密的dumpfile
impdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=imp_t17t.log
ora-39002: invalid operation
ora-39189: unable to decrypt dump file set
ora-28362: master key not found
---导入以encryption_mode=password方式导出的t17p.dmp,导入成功
impdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17p.log encryption_password=tde_1234
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17p.log encryption_password=********
processing object type table_export/table/table
processing object type table_export/table/table_data
. . imported scott.t17 5.414 kb 1 rows
job scott.sys_import_table_01 successfully completed at 21:03:14
场景9:导出时源库encryption wallet处于open状态,使用encryption=all在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于close状态,并分别对上述两种模式下导出的dumpfile进行导入
--源库导出,wallet处于open状态
导出过程同场景8
--关闭目标库的encryption wallet,再次尝试以上两种导入
alter system set encryption wallet close identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
closed
---尝试导入以encryption=transparent方式导出的t17t.dmp,因目标库wallet close无法找到解密dmpfile所需的masterkey,导入失败
impdp scott/abcd_1234 directory=hisdmp dumpfile=t17t.dmp tables=t17 logfile=imp_t17t.log
ora-39002: invalid operation
ora-39189: unable to decrypt dump file set
ora-28365: wallet is not open
---尝试导入以encryption=password方式导出的t17p.dmp,能够解密出dmpfile,但是因目标库wallet close,所以无法创建encrypted columns
impdp scott/abcd_1234 directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17t.log encryption_password=tde_1234
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t17p.dmp tables=t17 logfile=imp_t17t.log encryption_password=********
processing object type table_export/table/table
ora-39083: object type table:scott.t17 failed to create with error:
ora-28365: wallet is not open
failing sql is:
create table scott.t17 (c1 varchar2(1 byte) encrypt using 'aes192' 'sha-1', c2 varchar2(2 byte)) segment creation immediate pctfree 10 pctused 40 initrans 1 maxtrans 255 nocompress logging storage(initial 8388608 next 8388608 minextents 1 maxextents 2147483645 pctincrease 0 freelists 1 freelist groups 1 buffer_pool default flash_cache default cell_flash_cache default) tablespace ts_
processing object type table_export/table/table_data
job scott.sys_import_table_01 completed with 1 error(s) at 21:09:10
场景10:导出时源库encryption wallet处于close状态,使用encryption=all在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于open状态,并分别对上述两种模式下导出的dumpfile进行导入
---源库导出,导出时wallet处于close状态
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
create table t18 (c1 varchar2(1) encrypt,c2 varchar2(2)) tablespace ts_info_dat_01;
insert into t18 values('c','33');
commit;
alter system set encryption wallet close identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
closed
---分别使用transparent和password两种模式,前者需要masterkey加密dmpfile,后者需要先用masterkey解密encrypted columns后再用password加密,两者都需要wallet open,但实际wallet处于close状态,所以这两种导出都有问题
--transparent模式导出失败
expdp scott/abcd_1234 directory=hisdmp dumpfile=t18t.dmp tables=t18 logfile=exp_t18t.log reuse_dumpfiles=yes encryption=all encryption_mode=transparent
ora-39002: invalid operation
ora-39188: unable to encrypt dump file set
ora-28365: wallet is not open
--password模式导出,仅导出了表结构,因为无法使用masterkey decrypt加密列
expdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=exp_t18p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=tde_1234;
starting scott.sys_export_table_01: scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=exp_t18p.log reuse_dumpfiles=yes encryption=all encryption_mode=password encryption_password=********
estimate in progress using blocks method...
processing object type table_export/table/table_data
total estimation using blocks method: 8 mb
processing object type table_export/table/table
ora-31693: table data object scott.t18 failed to load/unload and is being skipped due to error:
ora-29913: error in executing odciexttablepopulate callout
ora-28365: wallet is not open
master table scott.sys_export_table_01 successfully loaded/unloaded
******************************************************************************
dump file set for scott.sys_export_table_01 is:
/oradata01/hisdmp/monthly/t18p.dmp
job scott.sys_export_table_01 completed with 1 error(s) at 21:17:11
scp /oradata01/hisdmp/monthly/t18p.dmp oracle@10.10.141.221:/oradata01/hisdmp/monthly/
---目标库wallet处于open状态,导入encryption_mode=transparent方式导出的t18p.dmp
因该方式下导出dmpfile失败,所以略去
---目标库wallet处于open状态,导入encryption_mode=password方式导出的t18p.dmp
alter system set encryption wallet open identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
open
impdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18p.log encryption_password=tde_1234
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18p.log encryption_password=********
processing object type table_export/table/table
job scott.sys_import_table_01 successfully completed at 21:22:05
***检查t18表无内容,仅有表结构,相当于expdp时指定了encryption=metadata_only
sql> select * from scott.t18;
no rows selected
场景11:导出时源库encryption wallet处于close状态,使用encryption=all在dumpfile中对所有列以加密方式存储,又分别以encryption_mode=transparent和password两种模式生成两个dumpfile;导入时目标库wallet处于close状态,并分别对上述两种模式下导出的dumpfile进行导入
---源库导出,导出时wallet处于close状态
导出步骤同场景10
--关闭目标库的encryption wallet,再次尝试以上导入
alter system set encryption wallet close identified by tde_1234;
select * from v$encryption_wallet;
wrl_type
--------------------
wrl_parameter
--------------------------------------------------------------------------------
status
------------------
file
/oradata06/wallet
closed
---尝试导入encryption_mode=transparent方式导出的t18p.dmp
因该方式下导出dmpfile失败,所以略去
---尝试导入以encryption=password方式导出的t18p.dmp,因目标库wallet close,无法创建encrypted columns,导入失败
impdp scott/abcd_1234 directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18t.log encryption_password=tde_1234
master table scott.sys_import_table_01 successfully loaded/unloaded
starting scott.sys_import_table_01: scott/******** directory=hisdmp dumpfile=t18p.dmp tables=t18 logfile=imp_t18t.log encryption_password=********
processing object type table_export/table/table
ora-39083: object type table:scott.t18 failed to create with error:
ora-28365: wallet is not open
failing sql is:
create table scott.t18 (c1 varchar2(1 byte) encrypt using 'aes192' 'sha-1', c2 varchar2(2 byte)) segment creation immediate pctfree 10 pctused 40 initrans 1 maxtrans 255 nocompress logging storage(initial 8388608 next 8388608 minextents 1 maxextents 2147483645 pctincrease 0 freelists 1 freelist groups 1 buffer_pool default flash_cache default cell_flash_cache default) tablespace ts_
job scott.sys_import_table_01 completed with 1 error(s) at 21:24:04
针对实验场景的结果归纳如下:
源库expdp时的encryption wallet状态
能否正常导出加密表
目标库impdp时的encryption wallet状态
expdp参数encryption_mode取值
expdp参数encryption取值
导入结果
open
能
open
无
无
正常
open
能
close
无
无
失败
close
能
open
无
无
仅表结构
close
能
close
无
无
失败
open
能
open
password
encrypted_columns_only
正常
open
能
close
password
encrypted_columns_only
失败
close
否
-
password
encrypted_columns_only
-
open
能
open
transparent
all
失败
open
能
open
password
all
正常
open
能
close
transparent
all
失败
open
能
close
password
all
失败
close
否
-
transparent
all
-
close
能
open
password
all
仅表结构
close
能
close
password
all
失败
总结:
含有加密列的表进行导出、导入时:
1、 源库上执行导出操作时encryption wallet只有处于open状态才能导出完整的内容,如果是close的情况下一般会把表结构导出(但encryption= encrypted_columns_only和encryption_mode=transparent两种情况除外,这两种情况连表结构都不会导出,直接报错退出)
2、目标库执行导入操作时,需要先对dumpfile文件进行解密(如果expdp出来的时候进行了加密),再用自己的masterkey重新对表进行加密,这两个步骤中任意一个有问题都会引起导入失败
3、如果安全上允许建议启用auto login encryption wallet,数据库重启后会自动open