Overview
This blog explains how to secure an Oracle 19c tablespace using RMAN password-based encryption and demonstrates a complete backup, restore, and recovery cycle. It covers verifying tablespaces and datafiles, taking an encrypted RMAN backup in password-only mode, validating encryption status, simulating datafile loss, and successfully restoring and recovering the encrypted backup.
The procedure is performed without using an Oracle Wallet or TDE, making it practical for environments where wallet management is not implemented. The walkthrough focuses on real operational steps that Oracle DBAs can apply directly in production or disaster recovery scenarios.
STEP 1. CHECK TABLESPACE AND DATAFILE
SQL> select tablespace_name from dba_tablespaces;
TABLESPACE_NAME
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
APPS
TB1
7 rows selected.
SQL> SELECT file_id, file_name, tablespace_name FROM dba_data_files WHERE tablespace_name = ‘TB1’;
FILE_ID FILE_NAME TABLESPACE
2 +DATA1/DEV/DATAFILE/tb1.269.1219088925 TB1
STEP 2. TAKE AN ENCRYPTED BACKUP OF THE TABLESPACE IN PASSWORD MODE ENCRYPTION
*** ( ONLY ) is important – without it, RMAN may use dual mode (password + wallet) instead of pure password mode ****
RMAN> SET ENCRYPTION ON IDENTIFIED BY ‘oracle’ ONLY;
executing command: SET encryption
RMAN> BACKUP TABLESPACE TB1;
Starting backup at 05-DEC-25 allocated channel: ORA_DISK_1 channel ORA_DISK_1: SID=272 device type=DISK channel ORA_DISK_1: starting full datafile backup set channel ORA_DISK_1: specifying datafile(s) in backup set input datafile file number=00002 name=+DATA1/DEV/DATAFILE/tb1.269.1219088925 channel ORA_DISK_1: starting piece 1 at 05-DEC-25 channel ORA_DISK_1: finished piece 1 at 05-DEC-25 piece handle=/u01/app/oracle/product/19.0.0/dbhome_1/dbs/024ajlks_1_1 tag=TAG20251205T200756 comment=NONE channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01 Finished backup at 05-DEC-25
Starting Control File and SPFILE Autobackup at 05-DEC-25 piece handle=/u01/app/oracle/product/19.0.0/dbhome_1/dbs/c-1581503-20251205-00 comment=NONE Finished Control File and SPFILE Autobackup at 05-DEC-25
STEP 3. VERIFY THAT THE BACKUP HAS BEEN ENCRYPTED
SQL> SELECT PIECES,BS_KEY,BACKUP_TYPE,ENCRYPTED FROM V$BACKUP_SET_DETAILS;
PIECES BS_KEY B ENC
1 2 D YES
1 1 D YES
RMAN> LIST BACKUP;
List of Backup Sets
BS Key Type LV Size Device Type Elapsed Time Completion Time
1 Full 1.05M DISK 00:00:00 05-DEC-25 BP Key: 1 Status: AVAILABLE Compressed: NO Tag: TAG20251205T200756 Piece Name: /u01/app/oracle/product/19.0.0/dbhome_1/dbs/024ajlks_1_1 List of Datafiles in backup set 1 File LV Type Ckp SCN Ckp Time Abs Fuz SCN Sparse Name
2 Full 2603306 05-DEC-25 NO +DATA1/DEV/DATAFILE/tb1.269.1219088925
BS Key Type LV Size Device Type Elapsed Time Completion Time
2 Full 10.20M DISK 00:00:00 05-DEC-25 BP Key: 2 Status: AVAILABLE Compressed: NO Tag: TAG20251205T200758 Piece Name: /u01/app/oracle/product/19.0.0/dbhome_1/dbs/c-1581503-20251205-00 SPFILE Included: Modification time: 05-DEC-25 SPFILE db_unique_name: DEV Control File Included: Ckp SCN: 2603314 Ckp time: 05-DEC-25
STEP 4. SHUTDOWN THE DATABASE
SQL> SHUT IMMEDIATE
Database closed.
Database dismounted.
ORACLE instance shut down.
STEP 4.1 REMOVE THE DATFILE FROM OS LEVEL
ASMCMD> rm -rf TB1.269.1219088925
STEP 5. START THE DATABASE
SQL> startup
ORACLE instance started.
Total System Global Area 1560277408 bytes
Fixed Size 8896928 bytes
Variable Size 385875968 bytes
Database Buffers 1157627904 bytes
Redo Buffers 7876608 bytes
Database mounted.
ORA-01157: cannot identify/lock data file 2 – see DBWR trace file
ORA-01110: data file 2: ‘+DATA1/DEV/DATAFILE/tb1.269.1219088925’
* It will throw the error *
STEP 5.1 MAKE DATAFILE OFFLINE TO REDUCE THE DOWNTIME
RMAN> alter database datafile 2 offline;
using target database control file instead of recovery catalog
Statement processed
SQL> ALTER DATABASE OPEN;
Database altered.
STEP 6. RESTORE THE ENCRYPTED BACKUP AND RECOVER
[oracle@Primary ~]$ rman target /
RMAN> SET DECRYPTION IDENTIFIED BY ‘oracle’;
executing command: SET decryption
using target database control file instead of recovery catalog
RMAN> RESTORE DATAFILE 2;
Starting restore at 05-DEC-25 allocated channel: ORA_DISK_1 channel ORA_DISK_1: SID=278 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore channel ORA_DISK_1: specifying datafile(s) to restore from backup set channel ORA_DISK_1: restoring datafile 00002 to +DATA1/DEV/DATAFILE/tb1.269.1219088925 channel ORA_DISK_1: reading from backup piece /u01/app/oracle/product/19.0.0/dbhome_1/dbs/024ajlks_1_1 channel ORA_DISK_1: piece handle=/u01/app/oracle/product/19.0.0/dbhome_1/dbs/024ajlks_1_1 tag=TAG20251205T200756 channel ORA_DISK_1: restored backup piece 1 channel ORA_DISK_1: restore complete, elapsed time: 00:00:01 Finished restore at 05-DEC-25
RMAN> RECOVER DATAFILE 2;
Starting recover at 05-DEC-25 using channel ORA_DISK_1
starting media recovery media recovery complete, elapsed time: 00:00:00
Finished recover at 05-DEC-25
STEP 7. BRING THE DATAFILE ONLINE
SQL> ALTER DATABASE DATAFILE 2 ONLINE;
Database altered.
VERIFY IT’S ONLINE OR NOT
SQL> SELECT file_id, status, file_name FROM dba_data_files WHERE file_id = 2;
FILE_ID STATUS FILE_NAME
2 AVAILABLE +DATA1/DEV/DATAFILE/tb1.269.1219092373
1. Strengthens Database Security
You show how to encrypt RMAN backups using only a password.
This protects backup files even if someone steals them from:
- file system
- NFS / shared storage
- cloud location
- tape backups
Without the password → backup cannot be restored.
This prevents data theft and unauthorized access.
2. No Wallet Required → Simple & Fast
Many organizations don’t use Oracle wallets.
Your method works in any environment because:
– No TDE Wallet
– No Key Management
– Just one strong password
This makes encrypted backups easier for small and mid-sized companies.
What Your Blog Demonstrates
Your blog is a hands-on security guide for Oracle Database 19c administrators.
It teaches how to protect RMAN backups using password-based encryption — and then how to restore and recover that encrypted backup if the datafile is lost.
