Manage master encryption key wallets
Use master encryption keys to encrypt trail files distributed to other GoldenGate deployments. You can then import and export master encryption key wallets to use with other source and target OCI GoldenGate deployments.
Note
This information applies only to Data replication deployments.
If a master key is created in Oracle GoldenGate, then each time GoldenGate creates a trail file, it automatically generates a new encryption key that encrypts the trail contents. The master key encrypts the encryption key.
Before you begin
Ensure that you have the following:
- Access to the Vault service and a Vault created
  Note: A virtual private vault is not required.
- Added the minimum required policies for OCI GoldenGate to use the Vault service
- A master encryption key created in your Vault
  Note: Only AES, software protected keys, or HSM keys are supported. RSA and ECDSA are not supported.
Add a master key in the deployment console
To add a master key in the GoldenGate deployment console:
- Launch the GoldenGate deployment console from the deployment details page.
- Log in as the GoldenGate admin user.
- After you log in, open the navigation menu, click Configuration, and then click Key Management.
- On the Key Management page, for Master Keys, click Add Master key (plus icon).
A new master key appears in the list.
Export a master encryption key wallet from an OCI GoldenGate deployment
If a master key is added in the source deployment, ensure that you export it and
import it into the target deployment.
To export a master encryption key wallet:
- On the Deployments page, select the deployment from which to export the master encryption key wallet.
- On the deployment details page, under Resources, click Master encryption key actions.
- Click Export.
- In the Export dialog:
- For Name, enter a name for the master encryption key wallet.
- (Optional) Enter a description to help distinguish it from others in the wallet list.
- For Vault in <compartment-name>, select the vault in which to export the master encryption key wallet. Click Change compartment to select a different compartment.
- For Encryption key in <compartment name>, select the appropriate encryption key to use. Click Change compartment to select a different compartment.
- Click Export.
Export a master key encryption wallet from an on premise Oracle GoldenGate instance
If a master key is added to a source (on premise or Marketplace) Oracle
GoldenGate instance, ensure that you base64 encode the cwallet.sso and
then copy it into an OCI Vault secret.
To export a master encryption key wallet from an on premise Oracle
GoldenGate instance:
The Secret appears in the Secrets list. You can now import the master encryption key
wallet to the target OCI GoldenGate deployment, and select this
Secret.
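The base64-encoding step described in this section, as an added example (not Oracle's own procedure or code): a shell function that encodes cwallet.sso to a single-line string, keeps the encoded file readable by its owner only, and verifies that it decodes back to the same bytes before you copy it into the Secret. The function name encode_wallet and the output file name are assumptions.

```shell
#!/bin/sh
# Added example: base64-encode an auto-login wallet for copying into a Vault
# secret, and prove the encoding decodes back to the identical bytes.
# encode_wallet and its file arguments are hypothetical names.

encode_wallet() {
    wallet=$1   # path to cwallet.sso
    out=$2      # where to write the single-line base64 text

    # Refuse a missing or empty wallet rather than encoding nothing.
    if [ ! -s "$wallet" ]; then
        echo "encode_wallet: '$wallet' is missing or empty" >&2
        return 1
    fi

    # The encoded wallet is still key material: create it owner-only (0600).
    # The subshell keeps the umask change from leaking into the caller.
    (
        umask 077
        rm -f "$out"
        # Strip line wraps so the secret content is one continuous string.
        base64 < "$wallet" | tr -d '\n' > "$out"
    ) || return 1

    # Round-trip check: decode and compare byte-for-byte with the source.
    check=$(mktemp) || return 1
    if base64 -d < "$out" > "$check" 2>/dev/null && cmp -s "$wallet" "$check"; then
        rm -f "$check"
        return 0
    fi
    rm -f "$check" "$out"
    echo "encode_wallet: round-trip verification failed" >&2
    return 1
}

# Stand-alone use: sh encode_wallet.sh /path/to/cwallet.sso wallet.b64
if [ "$#" -eq 2 ]; then
    encode_wallet "$1" "$2"
fi
```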
Import a master encryption key wallet to a deployment
To import a master encryption key wallet:
- On the Deployments page, select the deployment in which to import the master encryption key wallet.
- On the deployment details page, under Resources, click Master encryption key wallet actions.
- Click Import.
- In the Import dialog:
- Click Import.
Import a master encryption key wallet to an on premise GoldenGate instance
Ensure that you exported the source OCI GoldenGate deployment's master
encryption key wallet.
To import a master encryption key wallet to an on premise GoldenGate
instance:
You can now add and run a Replicat to receive the encrypted Trail file sent from the
source OCI GoldenGate deployment.