ADD ENCRYPTIONPROFILE

Use ADD ENCRYPTIONPROFILE to add an encryption profile for Oracle Key Vault using Oracle GoldenGate.

An encryption profile is used to retrieve a master key from an external Key Management System (KMS). You can choose between Oracle Key Vault (OKV) and Oracle Cloud Infrastructure Keys Management System (OCIKMS). If there is no explicitly defined encryption profile, then a Local Wallet is used as the default profile.

For more information, see What is an Encryption Profile?

Syntax

ADD ENCRYPTIONPROFILE encryption-profile-name
                      | OKV
                        OKVPATH dir-path
                        [KEYNAMEATTRIBUTE key-name-attribute]
                        [KEYVERSIONATTRIBUTE key-version-attribute]
                        MASTERKEY NAME masterkey-name
                        [VERSION masterkey-version]
                        [TTL ttl]
                      | OCIKMS (
                        ENDPOINT endpoint
                        TENANCY tenancy-ocid
                        USER user-ocid
                        APIKEY api-key
                        FINGERPRINT fingerprint
                        KEY key-OCID ) )
                      [DEFAULT [YES | NO]]
 
OKV options:

OKVPATH

Specifies the directory where Oracle Key Vault client is installed.

KEYNAMEATTRIBUTE

Custom attribute used in Oracle Key Vault server to specify the masterkey name.

KEYVERSIONATTRIBUTE

Custom attribute used in Oracle Key Vault server to specify the masterkey version.

MASTERKEY [NAME]

Name of the master key. This value must match the key name in the KMS parameter in Oracle GoldenGate and cannot be changed once replication has started.

MASTERKEY [VERSION]

Version of the master key. This must be a numeric value.

OCIKMS options:

ENDPOINT

Specify the cryptographic endpoint of the OCI KMS Vault.

TENANCY

Specify the tenancy OCID.

USER

Specify the OCID for the user.

APIKEY

Specify the path to the file containing the OCI API Signing Key. The key is read from this file and sent to Oracle GoldenGate. If you need to change the OCI API KEY at some point, you can use the ALTER ENCRYPTIONPROFILE command.

KEY

Specify the OCID of a key stored in your OCI KMS Vault. This is the key that Oracle GoldenGate uses for encryption (trail encryption).

FINGERPRINT

Hash (MD5) of the API signing key.

DEFAULT

Specifies the current encryption profile. If you set DEFAULT YES, the encryption profile becomes the current encryption profile. If you set DEFAULT NO, the encryption profile is removed. If there is no explicitly defined current encryption profile (because you set DEFAULT NO on the previously current one), the implicit default profile is LocalWallet.

Note:

Do not upload keys with duplicate values of KeyName and KeyVersion. At the time of startup, restart, or rollover, Oracle GoldenGate processes retrieve the highest KeyVersion value.
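
A pre-flight check for the OCIKMS options described above, as an added example that is not part of the Oracle documentation: it validates each value and then assembles the command in the keyword order of the syntax section. The function names, the OCID layout, the https requirement, the profile-name rule, and the rejection of whitespace in the key path are assumptions of this example.

```python
import os
import re
import stat

# Assumed OCID layout: ocid1.<type>.<realm>.<region or empty>.<id>[.<id>...]
OCID_RE = re.compile(r"^ocid1\.([a-z0-9]+)\.[a-z0-9]+\.[a-z0-9-]*(\.[a-z0-9]+)+$")
# An MD5 digest is 16 bytes, written here as 16 colon-separated hex pairs.
FINGERPRINT_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){15}$")


def check_ocid(value, expected_type, keyword):
    m = OCID_RE.match(value)
    if not m or m.group(1) != expected_type:
        raise ValueError(f"{keyword}: expected an ocid1.{expected_type} OCID")


def build_ocikms_profile(name, endpoint, tenancy, user, apikey_path,
                         fingerprint, key, default=False):
    """Validate the OCIKMS options and return the ADD ENCRYPTIONPROFILE text."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):  # conservative, assumed rule
        raise ValueError("profile name: use letters, digits and underscore")
    if not endpoint.startswith("https://"):
        raise ValueError("ENDPOINT: must be an https:// URL")
    check_ocid(tenancy, "tenancy", "TENANCY")
    check_ocid(user, "user", "USER")
    check_ocid(key, "key", "KEY")
    fp = fingerprint.lower()
    if not FINGERPRINT_RE.match(fp):
        raise ValueError("FINGERPRINT: expected 16 colon-separated hex pairs")
    # Quoting rules are not given on the page, so whitespace is rejected.
    if any(c.isspace() for c in apikey_path):
        raise ValueError("APIKEY: path must not contain whitespace")
    mode = os.stat(apikey_path).st_mode
    if not stat.S_ISREG(mode):
        raise ValueError("APIKEY: not a regular file")
    # The signing key is a private key: only its owner should have access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError("APIKEY: file is accessible to group or others")
    parts = ["ADD ENCRYPTIONPROFILE", name, "OCIKMS",
             "ENDPOINT", endpoint, "TENANCY", tenancy, "USER", user,
             "APIKEY", apikey_path, "FINGERPRINT", fp, "KEY", key]
    if default:
        parts += ["DEFAULT", "YES"]
    return " ".join(parts)
```

DEFAULT is emitted only when the profile should become current, because DEFAULT NO has the removal effect described under DEFAULT above.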