Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Restoring Encrypted DB Instances

To restore an encrypted Oracle DB instance, you can use your existing AWS CloudHSM HA partition group or create a new HA partition group and copy the contents from the original partition group to the new partition group. Please update the SafeNet client on your HSM control instance if you would like to use your existing HA partition group. Then use the restore-db-instance-from-db-snapshot command to restore the DB instance.

To restore the instance, perform the following procedure:

  1. On your AWS CloudHSM control instance, create a new HA partition group as shown in Creating Your High-Availability Partition Group. When you create the new HA partition group, you must specify the same partition password as the original HA partition group. Make a note of the ARN of the new HA partition group, which you will need in the next two steps.

  2. On your AWS CloudHSM control instance, clone the contents of the existing HA partition group to the new HA partition group with the clone-hapg command.

    For Linux, OS X, or Unix:

    cloudhsm clone-hapg --conf_file ~/cloudhsm.conf \
        --src-hapg-arn <src_arn> \
        --dest-hapg-arn <dest_arn> \
        --client-arn <client_arn> \
        --partition-password <partition_password>

    For Windows:

    cloudhsm clone-hapg --conf_file ~/cloudhsm.conf ^
        --src-hapg-arn <src_arn> ^
        --dest-hapg-arn <dest_arn> ^
        --client-arn <client_arn> ^
        --partition-password <partition_password>

    The parameters are as follows:

    <src_arn>

    The identifier of the existing HA partition group.

    <dest_arn>

    The identifier of the new HA partition group created in the previous step.

    <client_arn>

    The identifier of the HSM client.

    <partition_password>

    The password for the member partitions. Both HA partition groups must have the same partition password.

  3. Use the restore-db-instance-from-db-snapshot command to restore the DB instance. In the restore command, pass the ARN of the new HA partition group in the tde-credential-arn parameter, and the partition password for the HA partition group in the tde-credential-password parameter.
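The following is an added example for step 3, not part of the original guide or AWS's own code. It supplies the restore parameters through the AWS CLI's `--cli-input-json` option from a file readable only by the current user, so the partition password does not appear in shell history or process listings. The instance and snapshot identifiers and the ARN in the usage comment are constructed placeholders; `TdeCredentialArn` and `TdeCredentialPassword` are the API names for the tde-credential-arn and tde-credential-password parameters.

```shell
#!/bin/sh
# Added example. All identifiers and ARNs used with it are constructed placeholders.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Write the restore request to a file readable only by the current user.
# Args: output file, new DB instance id, snapshot id,
#       ARN of the new HA partition group, partition password
build_restore_input() {
    out=$1; instance=$2; snapshot=$3; hapg_arn=$4; password=$5
    case $hapg_arn in
        arn:aws:cloudhsm:*) ;;
        *) echo "not a CloudHSM ARN: $hapg_arn" >&2; return 1 ;;
    esac
    [ -n "$password" ] || { echo "empty partition password" >&2; return 1; }
    (
        umask 077          # new file is created with mode 600
        rm -f "$out"       # never reuse a file with looser permissions
        cat > "$out" <<EOF
{
  "DBInstanceIdentifier": "$(json_escape "$instance")",
  "DBSnapshotIdentifier": "$(json_escape "$snapshot")",
  "TdeCredentialArn": "$(json_escape "$hapg_arn")",
  "TdeCredentialPassword": "$(json_escape "$password")"
}
EOF
    )
}

# Run the restore, then delete the file that holds the password.
restore_from_snapshot() {
    input=$1
    aws rds restore-db-instance-from-db-snapshot --cli-input-json "file://$input"
    status=$?
    rm -f "$input"
    return $status
}

# Usage (placeholders; the password is read without echo, not typed as an argument):
#   stty -echo; printf 'Partition password: '; read -r pw; stty echo; echo
#   build_restore_input ./restore.json restored-db my-snapshot \
#       "arn:aws:cloudhsm:us-east-1:123456789012:hapg-EXAMPLE" "$pw" \
#     && restore_from_snapshot ./restore.json
```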