ENCRYPTTRAIL | NOENCRYPTTRAIL

Valid For

Extract

Description

Use the ENCRYPTTRAIL and NOENCRYPTTRAIL parameters to control whether Oracle GoldenGate encrypts or does not encrypt data that is written to a trail or extract file.

ENCRYPTTRAIL supports the following encryption methods:

  • Master key and wallet method: Generates a one-time AES key for each trail file and uses it to encrypt the contents. The one-time key is then encrypted with the master key and stored in the trail file header.

  • ENCKEYS method: Generates an AES encryption key, stores it under a given name in an ENCKEYS file, and configures Oracle GoldenGate to use that key to directly encrypt or decrypt the contents of the trail file.

See Administering Oracle GoldenGate for Windows and UNIX for more information about these encryption methods. ENCRYPTTRAIL requirements are different for these methods.

You can use encryption for local and remote trails that are specified with the following parameters in an Extract parameter file:

RMTTRAIL

EXTTRAIL

You can use encryption for local and remote extract files that are specified with the following parameters in an Extract parameter file:

RMTFILE

EXTFILE

ENCRYPTTRAIL and NOENCRYPTTRAIL are trail or file-specific. One affects all subsequent trail or extract file specifications in the parameter file until the other parameter is encountered. The parameter must be placed before the parameter entry for the trail that it will affect.

ENCRYPTTRAIL and NOENCRYPTTRAIL cannot be used when FORMATASCII is used to write data to a file in ASCII format. The trail or file must be written in the default Oracle GoldenGate canonical format.

ENCRYPTTRAIL encrypts the trail data across all data links and within the files themselves. Only the data blocks are encrypted. User tokens are not encrypted.
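As an added illustration of the scoping rule above (this is example code written for this page, not part of the Oracle documentation and not a GoldenGate tool), the following Python walks a constructed Extract parameter file top to bottom and reports, for each trail or extract file specification, whether it would be encrypted, with which cipher and method, and whether ENCRYPTTRAIL would collide with FORMATASCII. The sample parameter file, the "--" comment handling and the treatment of FORMATASCII as applying to every file specification that follows it are assumptions of this example.

```python
import re

# Constructed sample Extract parameter file (illustrative only, not from a real deployment).
SAMPLE_PRM = """\
EXTRACT ext1
USERIDALIAS ggadmin
RMTTRAIL /home/ggsora/dirdat/st
TABLE ops.stores;
ENCRYPTTRAIL AES192, KEYNAME mykey1
RMTTRAIL /home/ggsora/dirdat/em
TABLE hr.emp;
FORMATASCII
EXTFILE /home/ggsora/dirdat/audit
TABLE hr.audit;
"""

TRAIL_PARAMS = ("RMTTRAIL", "EXTTRAIL", "RMTFILE", "EXTFILE")
CIPHERS = ("AES128", "AES192", "AES256")

def audit_trail_encryption(prm_text):
    """Record the encryption state in force at each trail/extract file specification.
    ENCRYPTTRAIL and NOENCRYPTTRAIL are positional: each applies to every specification
    below it until the other appears. Simplifying assumption of this example: FORMATASCII
    is treated as applying to every file specification that follows it."""
    encrypt, cipher, keyname, ascii_fmt = False, None, None, False  # NOENCRYPTTRAIL is the default
    findings = []
    for raw in prm_text.splitlines():
        line = raw.split("--", 1)[0].strip()  # drop "--" comments and blank lines (assumed syntax)
        if not line:
            continue
        tokens = re.split(r"[\s,]+", line.rstrip(";"))
        kw = tokens[0].upper()
        if kw == "ENCRYPTTRAIL":
            encrypt, cipher, keyname = True, "AES128", None  # AES128 is the documented default
            for i, tok in enumerate(tokens):
                if tok.upper() in CIPHERS:
                    cipher = tok.upper()
                elif tok.upper() == "KEYNAME" and i + 1 < len(tokens):
                    keyname = tokens[i + 1]  # ENCKEYS method; otherwise master key and wallet
        elif kw == "NOENCRYPTTRAIL":
            encrypt, cipher, keyname = False, None, None
        elif kw == "FORMATASCII":
            ascii_fmt = True
        elif kw in TRAIL_PARAMS and len(tokens) > 1:
            findings.append({"param": kw, "path": tokens[1], "encrypted": encrypt,
                             "cipher": cipher, "keyname": keyname,
                             "method": None if not encrypt else ("ENCKEYS" if keyname else "wallet"),
                             "formatascii_conflict": encrypt and ascii_fmt})  # invalid combination
    return findings
```

Any finding with "encrypted": False names a trail or file written in the clear, and any with "formatascii_conflict": True names a file that cannot be encrypted as configured.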

Default

NOENCRYPTTRAIL

Syntax

ENCRYPTTRAIL [{AES128 | AES192 | AES256} [KEYNAME key_name]] | NOENCRYPTTRAIL
ENCRYPTTRAIL

ENCRYPTTRAIL without options uses AES128 as the default for all database types except the iSeries, z/OS, and NonStop platforms, where BLOWFISH is the default. AES is not supported on those platforms.

{AES128 | AES192 | AES256}

Specifies the Advanced Encryption Standard (AES) encryption key length to use. This is a symmetric-key encryption standard that is used by governments and other organizations that require a high degree of data security. This option is not supported by the iSeries, z/OS, and NonStop platforms.

For both the master key and wallet method and the ENCKEYS method, you must specify one of the AES ciphers to encrypt the file(s):

  • AES128 has a 128-bit block size with a key size of 128 bits.

  • AES192 has a 128-bit block size with a key size of 192 bits.

  • AES256 has a 128-bit block size with a key size of 256 bits.

To use AES encryption for any database other than Oracle on a 32-bit platform, the path of the lib sub-directory of the Oracle GoldenGate installation directory must be specified as an environment variable before starting any processes. This is not required on 64-bit platforms. Set the path as follows:

  • UNIX: Specify the path as an entry to the LD_LIBRARY_PATH or SHLIB_PATH variable. For example:

    setenv LD_LIBRARY_PATH ./lib:$LD_LIBRARY_PATH
    
  • Windows: Add the path to the PATH variable.

You can use the SETENV parameter to set it as a session variable for the process.

KEYNAME key_name

Specifies that the ENCKEYS method of encryption will be used. Not valid for the master key and wallet method. For key_name, specify the logical name of the user-defined encryption key. Oracle GoldenGate uses the key name to look up the actual key in the ENCKEYS lookup file. To use the ENCKEYS method, you must:

  • Generate the encryption key.

  • Store it in an ENCKEYS lookup file.

  • Copy ENCKEYS to every system where encryption, decryption, or both are performed.

NOENCRYPTTRAIL

Prevents the trail from being encrypted. This is the default.

Examples

Example 1

In the following example, the master key and wallet method is used. The Extract process writes to two trails. The data for the emp table is written to trail /home/ggsora/dirdat/em, which is encrypted with the AES-192 cipher. The data for the stores table is written to trail /home/ggsora/dirdat/st, which is not encrypted.

ENCRYPTTRAIL AES192
RMTTRAIL /home/ggsora/dirdat/em
TABLE hr.emp;
NOENCRYPTTRAIL
RMTTRAIL /home/ggsora/dirdat/st
TABLE ops.stores;

Example 2

As an alternative to the preceding example, you can omit NOENCRYPTTRAIL if you list all non-encrypted trails before the ENCRYPTTRAIL parameter.

RMTTRAIL /home/ggsora/dirdat/st
TABLE ops.stores;
ENCRYPTTRAIL AES192
RMTTRAIL /home/ggsora/dirdat/em
TABLE hr.emp;

Example 3

In the following example, the ENCKEYS method is used.

ENCRYPTTRAIL AES192, KEYNAME mykey1
RMTTRAIL /home/ggsora/dirdat/em
TABLE hr.emp;
TABLE ops.stores;