Recently, a client of mine asked me an excellent question about whether they could use AWS as an off-site storage location for their backup media files.
As I may have previously suggested, I have quite a long list of reasons why I think that running important databases from the cloud is a terrible idea, though if a client does really want to pursue this route, I will naturally oblige and make it work as best as I can.
This particular client’s suggestion, however – which, surprisingly, isn’t something that I’d heard made before – was to move at-rest backup media files to Amazon’s S3 storage instead of putting them on tape and shipping them off-site.
I asked around and did some digging but I couldn’t find anyone who was using THE CLOUD(TM) in this manner. Some are migrating their live databases to THE CLOUD(TM) – or, at least, attempting to and becoming very frustrated with it – while others have stood up standby databases in AWS as a “DR-of-last-resort”.
Storing RMAN media files on THE CLOUD(TM), obviously, doesn’t require the levels of performance that running a database does. There are still the costs of storage and bandwidth to consider, but these should be significantly easier for the client to predict than for a database.
The key problem is security. If a client has purchased Oracle’s Advanced Security cost option, then the RMAN media files can be encrypted at rest and moved across to AWS with a high level of confidence that, even if they were stolen, it would be very difficult for a miscreant to decrypt the files.
Of course, not every client has Advanced Security, meaning they either have to supply their own encryption (probably via the O/S) or, even worse, transfer the media to AWS with no encryption whatsoever.
TrueCrypt used to be the “go-to” tool for encryption via the O/S, but it was discontinued a few months ago and should no longer be used. CipherShed appears to be the most promising derivative as it, too, offers on-the-fly encryption instead of whole-disk encryption, but it is currently only available as a preview release.
Has anyone out there used AWS as long-term off-site storage for their backup media? If so, which tool did you use to encrypt the files at rest?