7.2.1 What is an Encryption Profile?

An encryption profile is the configuration information that is used to retrieve a masterkey from a KMS. This includes all the information necessary to connect and authenticate to the KMS server, together with all the details necessary to retrieve a particular masterkey that will be used for encryption and decryption.

Any Key Management Service uses an authentication token to access its APIs. Oracle GoldenGate Microservices Architecture stores this access token as a credential, which is created using the encryption profile in Microservices Architecture. Encryption profile configuration is only available with Microservices Architecture. For Classic Architecture, see Managing Encryption Using a Key Management Service in Oracle GoldenGate Classic Architecture.

An encryption profile is used by the writer and reader clients. A writer client encrypts information, while a reader client decrypts information. In the Microservices Architecture, this is defined by the following roles assigned to each component:
  • Extract: Writer client.

  • Replicat: Reader client.

  • Distribution Server Path: Writer and Reader client.

  • LogDump: Reader client.

The clients use the encryption profile that you choose when setting up encryption in MA. The Distribution Server has both the writer and reader roles, and only one encryption profile is used. However, if a Distribution Server is operating in PASSTHRU mode, it does not require any encryption profile; decryption is only needed when column filtering is used. You can create different encryption profiles, and every client can access the encryption profile it requires. Clients access their associated encryption profile whenever they need it: a reader accesses the encryption profile every time a new trail is read. The TTL parameter keeps the key in memory until the time to live (TTL) has been reached.

In MA, each Extract and Replicat process is associated with an encryption profile. The default encryption profile is Local Wallet if you haven't specified any other encryption profile as the default.

Already created Extracts, Replicats and Distribution Paths keep using their associated encryption profile, not a newly created one. Only processes created after the default encryption profile has been changed use the new default encryption profile. So the Local Wallet profile is not used if you specify any other encryption profile for the Extract, Replicat, and Distribution Path processes.

A distribution path will use the encryption profile when:
  1. The source trail is not encrypted and you have specified the algorithm property in the encryption object:

     "target": {
         "details": {
             "encryption": {
                 "algorithm": "AES256"
             }
         },
         "uri": "ogg://localhost:13101/services/v2/targets?trail=b4"
     }

  2. The source trail is encrypted and there is a defined filter of type COLUMNVALUES.
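The two conditions above, together with the PASSTHRU exception described earlier, decide whether a distribution path needs an encryption profile at all and in which role (writer, reader, or both). The following Python snippet is an added example, not code from the Oracle documentation or the GoldenGate product: it takes a path configuration in the JSON shape shown above and returns the roles for which a profile is required, which is useful as a pre-deployment check that a path is not silently left without the profile it needs. Whether the source trail is encrypted is passed in explicitly, because the page does not say how a path reports that; the top-level "mode" key used to represent PASSTHRU and the "filter" list of {"type": ...} objects are assumed field names for the example, not documented keys.

```python
"""Decide whether an OGG MA distribution path needs an encryption profile.

Added example (not Oracle's code). Rules encoded, as stated in the text:
  * a path in PASSTHRU mode needs no encryption profile;
  * writer role: source trail NOT encrypted and
    target.details.encryption.algorithm is set;
  * reader role: source trail IS encrypted and a filter of type
    COLUMNVALUES is defined.
Assumed (hypothetical) field names: top-level "mode" for PASSTHRU and a
"filter" list of {"type": ...} objects.
"""
import json

# Constructed sample: the page's target object, wrapped into a full path document.
PATH_WRITER_JSON = """
{
  "target": {
    "details": {
      "encryption": {
        "algorithm": "AES256"
      }
    },
    "uri": "ogg://localhost:13101/services/v2/targets?trail=b4"
  }
}
"""

# Constructed sample: encrypted source trail with a column-value filter (reader role).
PATH_READER_JSON = """
{
  "target": {
    "details": {},
    "uri": "ogg://localhost:13101/services/v2/targets?trail=b5"
  },
  "filter": [ {"type": "COLUMNVALUES", "rule": "constructed-sample"} ]
}
"""

# Constructed sample: PASSTHRU path; the algorithm is ignored because no
# encryption profile is consulted in this mode.
PATH_PASSTHRU_JSON = """
{
  "mode": "PASSTHRU",
  "target": {
    "details": {"encryption": {"algorithm": "AES256"}},
    "uri": "ogg://localhost:13101/services/v2/targets?trail=b6"
  }
}
"""


def required_profile_roles(path_config, source_trail_encrypted):
    """Return the set of roles ('writer', 'reader') for which the path needs
    an encryption profile. An empty set means no profile is required."""
    # PASSTHRU: the Distribution Server neither encrypts nor decrypts.
    if str(path_config.get("mode", "")).upper() == "PASSTHRU":
        return set()

    roles = set()

    # Writer: plaintext source trail, and an algorithm requested on the target.
    algorithm = (path_config.get("target", {})
                 .get("details", {})
                 .get("encryption", {})
                 .get("algorithm"))
    if not source_trail_encrypted and algorithm:
        roles.add("writer")

    # Reader: encrypted source trail, and column-value filtering that needs plaintext.
    filters = path_config.get("filter", [])
    has_column_filter = any(
        str(f.get("type", "")).upper() == "COLUMNVALUES" for f in filters
    )
    if source_trail_encrypted and has_column_filter:
        roles.add("reader")

    return roles


def check_path_json(path_json, source_trail_encrypted):
    """Parse a path document and report its required profile roles as a sorted list."""
    return sorted(required_profile_roles(json.loads(path_json), source_trail_encrypted))


if __name__ == "__main__":
    for name, doc, enc in [("writer", PATH_WRITER_JSON, False),
                           ("reader", PATH_READER_JSON, True),
                           ("passthru", PATH_PASSTHRU_JSON, False)]:
        print(name, "->", check_path_json(doc, enc) or "no profile needed")
```

A path whose source trail is encrypted but that defines no COLUMNVALUES filter, and a plaintext-source path with no algorithm property, both come back empty: the Distribution Server forwards the trail as-is and never touches a masterkey.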

The Administration Server in Microservices Architecture allows you to manage your encryption profiles. An encryption profile cannot be modified: if you need to change it, delete the profile and add a new one using the Administration Server.