Valid For



Use the ENCRYPTTRAIL and NOENCRYPTTRAIL parameters to control whether Oracle GoldenGate encrypts or does not encrypt data that is written to a trail or extract file.

ENCRYPTTRAIL supports the following encryption methods:

  • Master key and wallet method: Generate a one-time AES key for each trail file and uses it to encrypt the contents. Then, the one-time key is encrypted by the master-key and stored in the trail file header.

  • ENCKEYS method: Generate a AES encryption key, store it under a given name in an ENCKEYS file, and configure Oracle GoldenGate to use that key to directly encrypt or decrypt the contents of the trail file.

You can use encryption for local and remote trails by specifying the EXTTRAIL and RMTTRAIL parameters in your Extract parameter file:

ENCRYPTTRAIL and NOENCRYPTTRAIL are trail or file-specific. One affects all subsequent trail or extract file specifications in the parameter file until the other parameter is encountered. The parameter must be placed before the parameter entry for the trail that it will affect.

ENCRYPTTRAIL and NOENCRYPTTRAIL cannot be used when FORMATASCII is used to write data to a file in ASCII format. The trail or file must be written in the default Oracle GoldenGate canonical format.

ENCRYPTTRAIL encrypts the trail data across all data links and within the files themselves. Only the data blocks are encrypted. User tokens are not encrypted.





ENCRYPTTRAIL without options specifies 256-key byte substitution AES256 as the default for all database types except the iSeries, z/OS, and NonStop platforms because Advanced Encryption Standard (AES) encryption is not supported on those platforms.

{AES128 | AES192 | AES256}

Specifies the AES encryption key length to use. This is a symmetric-key encryption standard that is used by governments and other organizations that require a high degree of data security. This option is not supported by the iSeries, z/OS, and NonStop platforms.

For both the master key and wallet method and the ENCKEYS method, you must specify one of the AES ciphers to encrypt the file(s):

  • AES128 has a 128-bit block size with a key size of 128 bits.

  • AES192 has a 128-bit block size with a key size of 192 bits.

  • AES256 has a 128-bit block size with a key size of 256 bits.

To use AES encryption for any database other than Oracle on a 32-bit platform, the path of the lib sub-directory of the Oracle GoldenGate installation directory must be specified as an environment variable before starting any processes. This is not required on 64-bit platforms. Set the path as follows:

  • Linux: Specify the path as an entry to the LD_LIBRARY_PATHvariable. For example:

  • For Solaris: Specify the path as an entry to the SHLIB_PATH variable.

  • For IBMi and AIX: Specify the path as an entry to the LIBPATH variable.

  • For Windows: Add the path to the PATH variable.

You can use the SETENV parameter to set it as a session variable for the process.


Prevents the trail from being encrypted. This is the default.


Example 1   

In the following example, the master key and wallet method is used. The Extract process writes to two trails. The data for the emp table is written to trail /home/ggsora/dirdat/em, which is encrypted with the AES-192 cipher. The data for the stores table is written to trail /home/ggsora/dirdat/st, which is not encrypted.

RMTTRAIL /home/ggsora/dirdat/em
TABLE hr.emp;
RMTTRAIL /home/ggsora/dirdat/st
TABLE ops.stores;
Example 2   

As an alternative to the preceding example, you can omit NOENCRYPTTRAIL if you list all non-encrypted trails before the ENCRYPTTRAIL parameter.

RMTTRAIL /home/ggsora/dirdat/st
TABLE ops.stores;
RMTTRAIL /home/ggsora/dirdat/em
TABLE hr.emp;
Example 3   

In the following example, the ENCKEYS method is used.

RMTTRAIL /home/ggsora/dirdat/em
TABLE hr.emp;
TABLE ops.stores;