1. Oracle GoldenGate Security Guide
  2. Encrypting Data with the ENCKEYS Method
  3. Setting Up the Data Encryption

C.1 Setting Up the Data Encryption

  1. Generate an encryption key and store it in the ENCKEYS file, see Populating an ENCKEYS File with Encryption Keys. Make certain to copy the finished ENCKEYS file to the Oracle GoldenGate installation directory on any intermediary systems and all target systems.
  2. In the following parameter files, add the following:

    • To encrypt trail data: In the parameter file of the primary Extract group and the data pump, add an ENCRYPTTRAIL parameter before any parameter that specifies a trail or file that you want to be encrypted. Parameters that specify trails or files are EXTTRAIL, RMTTRAIL, EXTFILE, and RMTFILE. The syntax is one of the following: 

      ENCRYPTTRAIL {AES128 | AES192 | AES256 | BLOWFISH}  

      ENCRYPTTRAIL AES192, KEYNAME keyname

    • To encrypt data across TCP/IP: In the RMTHOSTOPTIONS parameter in the parameter file of the data pump (or the primary Extract, if no pump is being used), add the ENCRYPT option with the KEYWORD clause. The syntax is one of the following: 

      RMTHOSTOPTIONS host, MGRPORT port, ENCRYPT {AES128 | AES192 | AES256 | BLOWFISH} KEYNAME keyname

      RMTHOSTOPTIONS ENCRYPT {AES128 | AES192 | AES256 | BLOWFISH} KEYNAME keyname

    Where:

    • RMTHOSTOPTIONS is used for passive Extract, see Populating an ENCKEYS File with Encryption Keys.

    • ENCRYPTTRAIL without options uses AES 128 as the default for all database types except the DB2 for i, DB2 z/OS, and NonStop platforms, where BLOWFISH is the default.

    • AES128 encrypts with the AES 128 encryption algorithm. Not supported for iDB2 for i, DB2 z/OS, and NonStop platforms.

    • AES192 encrypts with AES 192 encryption algorithm. Not supported for DB2 for i, DB2 z/OS, and NonStop platforms.

    • AES256 encrypts with AES 256 encryption algorithm. Not supported for iSeries, z/OS, and NonStop platforms.

    • BLOWFISH uses Blowfish encryption with a 64-bit block size and a variable-length key size from 32-bits to 128-bits. Use AES if supported for the platform. Use BLOWFISH for backward compatibility with earlier Oracle GoldenGate versions, and for DB2 for I and DB2 z/OS. AES is not supported on those platforms.

    • KEYNAME keyname specifies the logical look-up name of an encryption key in the ENCKEYS file. Not an option of ENCRYPTTRAIL.

      Note:

      RMTHOST is used unless the Extract is in a passive configuration.
  3. If using a static Collector with data encrypted over TCP/IP, append the following parameters in the Collector startup string:
    -KEYNAME keyname
-ENCRYPT algorithm

    The specified key name and algorithm must match those specified with the KEYNAME and ENCRYPT options of RMTHOST.

Parent topic: Encrypting Data with the ENCKEYS Method