Do I need the Advanced Security Option on-premises for Hybrid Cloud Disaster Recovery?

In the case of hybrid disaster recovery and having an unencrypted database on-premises, you can create the corresponding unencrypted standby database in the cloud using RMAN DUPLICATE or RESTORE from Object Storage.

When you create a new unencrypted tablespace on the on-premises primary database, the standby database in the cloud creates the corresponding unencrypted tablespace via redo.

So everything is fine and you don’t have to worry about ASO. So why are we asking this question? Because of the following:

By default, for all database releases, all new tablespaces created in the cloud are encrypted using TDE.

So what happens after a failover or switchover, when the cloud database has become the primary and you want to create a new tablespace?

For database release 11.2.0.4 or 12.1.0.2, you can change this behavior by setting the parameter ENCRYPT_NEW_TABLESPACES=DDL to create and open unencrypted tablespaces in the cloud. So you don’t necessarily need ASO: both primary and standby are unencrypted at any point in time, even though this is not recommended from a security point of view.

For database release 12.2.0.1 (with April’17 PSU – 17.3.1 / July 7th) and later releases, creating unencrypted tablespaces in the cloud is not allowed.

This means that after a failover or switchover (that is, while the database in the cloud is the primary), any newly created tablespaces are always encrypted. The on-premises standby database requires the same wallet used in the cloud primary to decrypt the data. Hence you have to get the ASO license for your on-premises database.

Additionally, when the encrypted database in the Cloud is the primary database:

  • All redo logs and archived logs ARE encrypted in all sites.
  • Blocks applied to on-premises standby are decrypted and stored as unencrypted data for version 12.2. For 11.2 or 12.1, on-premises data is stored as encrypted data. Hence ASO is required to decrypt and read the data into the buffer cache.
  • Unencrypted on-premises tablespaces could contain encrypted data.
  • ASO is required for on-premises.
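A read-only check of the state discussed above, to run on each site before a switchover or failover. This is an added example, not part of the original post or of Oracle's note; it assumes a DBA session in SQL*Plus and uses only standard V$ views, so it also works on a mounted standby.

```sql
-- Added example: TDE state audit for a hybrid Data Guard pair.
-- Run on the on-premises database and on the cloud database, then compare.

-- 1. Which role does this site currently hold?
SELECT name, db_unique_name, database_role
FROM   v$database;

-- 2. How will new tablespaces be created while this site is primary?
--    DDL means the CREATE TABLESPACE statement decides (unencrypted unless
--    an ENCRYPTION clause is given). No rows returned means the parameter
--    is not available at this release or patch level.
SELECT name, value
FROM   v$parameter
WHERE  name = 'encrypt_new_tablespaces';

-- 3. Is a wallet (keystore) configured and open on this site?
--    A standby that has to apply encrypted redo needs the same wallet
--    as the primary.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- 4. Encryption state of every tablespace. After a role change, any row
--    with is_encrypted = 'YES' that is missing on the other site's report
--    shows a tablespace created encrypted in the cloud.
SELECT t.name AS tablespace_name,
       CASE WHEN e.ts# IS NULL THEN 'NO' ELSE 'YES' END AS is_encrypted,
       e.encryptionalg
FROM   v$tablespace t
       LEFT JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
ORDER  BY t.name;
```

If query 4 reports any encrypted tablespace while query 3 shows no open wallet on the standby, resolve that before relying on the standby for a role change.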

Summary

  • Both sides must be unencrypted, which raises security concerns, or
  • The on-premises database must be licensed with ASO so that it can also be encrypted

Oracle strongly recommends encrypting both on-premises and the cloud databases.

For more details, have a look at Doc ID 2359020.1: Oracle Database Tablespace Encryption Behavior in Oracle Cloud.
