Redo Encryption Using LOG_ARCHIVE_DEST_n

When enabled, the ENCRYPTION attribute of LOG_ARCHIVE_DEST_n encrypts redo both at rest on the Recovery Appliance and during the network transfer to the appliance. The basic process is as follows:

  1. The protected database encrypts the redo in memory, using the private key contained in the Oracle wallet on the protected database.

  2. The protected database transfers the redo to the Recovery Appliance over the network.

    Note: If Oracle Net security is also enabled, then the redo is double encrypted during network transfer.

  3. The Recovery Appliance writes the encrypted redo to archived redo log files, which exist in encrypted form only on the Recovery Appliance.

In a recovery scenario, RMAN restores and decrypts the encrypted redo log files on the protected database, using the encryption key stored in the Oracle wallet on the protected database host (not on the Recovery Appliance). RMAN never applies encrypted redo log files during media recovery.
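
The following check is an added example, not part of the Oracle documentation: it parses LOG_ARCHIVE_DEST_n values and flags Recovery Appliance destinations where the ENCRYPTION attribute is not enabled. The parameter values and service names (stby1, ra1, ra2, ra3) are constructed, and ENABLE/DISABLE as the attribute's settings is an assumption taken from Oracle's attribute reference, not from this page.

```python
import re

# Constructed sample: LOG_ARCHIVE_DEST_n values as they might be read from
# V$PARAMETER or a pfile. All service names are hypothetical.
SAMPLE_PARAMS = {
    "log_archive_dest_1": "LOCATION=USE_DB_RECOVERY_FILE_DEST",
    "log_archive_dest_2": "SERVICE=stby1 ASYNC VALID_FOR=(ONLINE_LOGFILES,PRIMARY_ROLE) DB_UNIQUE_NAME=stby1",
    "log_archive_dest_3": "SERVICE=ra1 VALID_FOR=(ALL_LOGFILES, ALL_ROLES) ASYNC DB_UNIQUE_NAME=ra1",
    "log_archive_dest_4": 'service="ra2" async encryption=enable db_unique_name=ra2',
    "log_archive_dest_5": "SERVICE=ra3 ASYNC ENCRYPTION=DISABLE DB_UNIQUE_NAME=ra3",
}

# One attribute: a keyword, optionally followed by "=value", where value is a
# parenthesised list, a double-quoted string, or a bare token.
_ATTR = re.compile(r'([A-Za-z_]+)(?:\s*=\s*(\([^)]*\)|"[^"]*"|\S+))?')

def parse_dest(value):
    """Return {ATTRIBUTE: value-or-None}, with attribute names upper-cased."""
    attrs = {}
    for name, val in _ATTR.findall(value):
        attrs[name.upper()] = val.strip('"') if val else None
    return attrs

def audit(params, appliance_services):
    """List (parameter, setting) for appliance destinations without ENCRYPTION enabled."""
    wanted = {s.upper() for s in appliance_services}
    findings = []
    for pname in sorted(params):
        attrs = parse_dest(params[pname])
        service = (attrs.get("SERVICE") or "").upper()
        if service not in wanted:
            continue  # local or non-appliance destination: attribute not applicable
        setting = (attrs.get("ENCRYPTION") or "").upper()
        if setting != "ENABLE":
            findings.append((pname, "ENCRYPTION=" + (setting or "<not set>")))
    return findings

if __name__ == "__main__":
    # The caller supplies which services are Recovery Appliances (assumption).
    for pname, setting in audit(SAMPLE_PARAMS, {"ra1", "ra2", "ra3"}):
        print(f"{pname}: redo encryption attribute not enabled ({setting})")
```

The caller must name the appliance services explicitly, because nothing in the parameter value distinguishes a Recovery Appliance destination from any other remote destination.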
