8 Encrypting Data with the Master Key and Wallet Method

To use this method of data encryption, you create a master key wallet and add a master key to the wallet. This method works as follows, depending on whether the data is encrypted in the trails or across TCP/IP:

  • Each time Oracle GoldenGate creates a trail file, it generates a new encryption key automatically. This encryption key encrypts the trail contents. The master key encrypts the encryption key. This process of encrypting encryption keys is known as key wrap and is described in standard ANS X9.102 from American Standards Committee.

  • To encrypt data across the network, Oracle GoldenGate generates a session key using a cryptographic function based on the master key.

Oracle GoldenGate uses an auto-login wallet (file extension .sso), meaning that it is an obfuscated container that does not require human intervention to supply the necessary passwords.

Encrypting data with a master key and wallet is not supported on the DB2 for i, DB2 z/OS, or NonStop platforms.


8.1 Creating the Wallet and Adding a Master Key

The wallet is created in a platform-independent format. The wallet can be stored on a shared file system that is accessible by all systems in the Oracle GoldenGate environment. Alternatively, you can use an identical wallet on each system in the Oracle GoldenGate environment. If you use a wallet on each system, you must create the wallet on one system, typically the source system, and then copy it to all of the other systems in the Oracle GoldenGate environment. This must also be done every time you add, change, or delete a master key.

This procedure creates the wallet on the source system and then guides you through copying it to the other systems in the Oracle GoldenGate environment.

  1. (Optional) To store the wallet in a location other than the dirwlt subdirectory of the Oracle GoldenGate installation directory, specify the desired location with the WALLETLOCATION parameter in the GLOBALS file.
    WALLETLOCATION directory_path
  2. Create a master-key wallet with the CREATE WALLET command in GGSCI.
  3. Open the wallet after it has been created with the OPEN WALLET command i.
  4. Add a master key to the wallet with the ADD MASTERKEY command.
  5. Issue the INFO MASTERKEY command to confirm that the key you added is the current version. In a new installation, the version should be 1.
  6. Issue the INFO MASTERKEY command with the VERSION option, where the version is the current version number. Record the version number and the AES hash value of that version.
  7. Copy the wallet to all of the other Oracle GoldenGate systems.
  8. Issue the INFO MASTERKEY command with the VERSION option on each system to which you copied the wallet, where the version is the version number that you recorded. For each wallet, make certain the Status is Current and compare the AES hash value with the one that you originally recorded. All wallets must show identical key versions and hash values.

8.2 Specifying Encryption Parameters in the Parameter File

This procedure adds the parameters that are required to support data encryption in the trails and across the network with the master key and wallet method.

  1. In the following parameter files, add the following:
    • To encrypt trail data: In the parameter file of the primary Extract group and the data pump, add an ENCRYPTTRAIL parameter statement before any parameter that specifies a trail or file that you want to be encrypted. Parameters that specify trails or files are EXTTRAIL, RMTTRAIL, EXTFILE, and RMTFILE. The syntax is:

    • To encrypt data across TCP/IP: In the parameter file of the data pump (or the primary Extract, if no pump is being used), use the ENCRYPT option of the RMTHOSTOPTIONS parameter. The syntax is:



    • RMTHOSTOPTIONS is used for Extract including passive extracts. See Using Target System Connection Initiation for more information about passive Extract.

    • ENCRYPTTRAIL without options specifies 256-key byte substitution. This format is not secure and should not be used in a production environment. Use only for backward compatibility with earlier Oracle GoldenGate versions.

    • AES128 encrypts with the AES-128 encryption algorithm.

    • AES192 encrypts with AES-192 encryption algorithm.

    • AES256 encrypts with AES-256 encryption algorithm.

    • BLOWFISH uses Blowfish encryption with a 64-bit block size and a variable-length key size from 32 bits to 128 bits. Use AES if supported for the platform. Use BLOWFISH for backward compatibility with earlier Oracle GoldenGate versions, and for DB2 z/OS and DB2 for i. AES is not supported on those platforms.

  2. Use the DECRYPTTRAIL parameter for a data pump if you want trail data to be decrypted before it is written to the output trail. Otherwise, the data pump automatically decrypts it, if processing is required, and then reencrypts it before writing to the output trail. (Replicat decrypts the data automatically without any parameter input.)


You can explicitly decrypt incoming trail data and then re-encrypt it again for any output trails or files. First, enter DECRYPTTRAIL to decrypt the data, and then enter ENCRYPTTRAIL and its output trail specifications. DECRYPTTRAIL must precede ENCRYPTTRAIL. Explicit decryption and re-encryption enables you to vary the AES algorithm from trail to trail, if desired. For example, you can use AES 128 to encrypt a local trail and AES 256 to encrypt a remote trail. Alternatively, you can use the master key and wallet method to encrypt from one process to a second process, and then use the ENCKEYS method to encrypt from the second process to the third process.

8.3 Renewing the Master Key

This procedure renews the master encryption key in the encryption-key wallet. Renewing the master key creates a new version of the key. Its name remains the same, but the bit ordering changes. As part of your security policy, you should renew the current master key regularly so that it does not get stale.

All renewed versions of a master key remain in the wallet until they are marked for deletion with the DELETE MASTERKEY command and then the wallet is purged with the PURGE WALLET command, see Deleting Stale Master Keys.

Unless the wallet is maintained centrally on shared storage (as a shared wallet), the updated wallet must be copied to all of the other systems in the Oracle GoldenGate configuration that use that wallet. To do so, the Oracle GoldenGate must be stopped. This procedure includes steps for performing those tasks in the correct order.

  1. Stop Extract.
    STOP EXTRACT group
  2. On the target systems, issue the following command for each Replicat until it returns At EOF.
  3. On the source system, stop the data pumps.
    STOP EXTRACT group
  4. On the target systems, stop the Replicat groups.
  5. On the source system, issue the following command to open the wallet.
  6. On the source system, issue the following command to confirm the version of the current key. Make a record of the version.
  7. On the source system, issue the following command to renew the master key.
  8. On the source system, issue the following command to confirm that a new version is current.


    If you are using a shared wallet, go to step 12. If you are using a wallet on each system, continue to the next step.

  9. On the source system, issue the following command, where version is the new version of the master key. Make a record of the hash value.
  10. Copy the updated wallet from the source system to the same location as the old wallet on all of the target systems.
  11. On each target, issue the following command, where version is the new version number of the master key. For each wallet, make certain the Status is Current and compare the new hash value with the one that you originally recorded. All wallets must show identical key versions and hash values.
  12. Restart Extract.
  13. Restart the data pumps.
  14. Restart Replicat.

8.4 Deleting Stale Master Keys

This procedure deletes stale versions of the master key. Deleting stale keys should be part of the overall policy for maintaining a secure Oracle GoldenGate wallet. It is recommended that you develop a policy for how many versions of a key you want to keep in the wallet and how long you want to keep them.


For Oracle GoldenGate deployments using a shared wallet, the older versions of the master key should be retained after the master key is renewed until all processes are using the newest version. The time to wait depends on the topology, latency, and data load of the deployment. A minimum wait of 24 hours is a conservative estimate, but you may need to perform testing to determine how long it takes for all processes to start using a new key. To determine whether all of the processes are using the newest version, view the report file of each Extract immediately after renewing the master key to confirm the last SCN that was mined with the old key. Then, monitor the Replicat report files to verify that this SCN was applied by all Replicat groups. At this point, you can delete the older versions of the master key.

If the wallet is on central storage that is accessible by all Oracle GoldenGate installations that use that wallet, you need only perform these steps once to the shared wallet. You do not need to stop the Oracle GoldenGate processes.

If the wallet is not on central storage (meaning there is a copy on each Oracle GoldenGate system) you can do one of the following:

  • If you can stop the Oracle GoldenGate processes, you only need to perform the steps to change the wallet once and then copy the updated wallet to the other systems before restarting the Oracle GoldenGate processes.

  • If you cannot stop the Oracle GoldenGate processes, you must perform the steps to change the wallet on each system, making certain to perform them exactly the same way on each one.

    These steps include prompts for both scenarios.

  1. On the source system, issue the following command to determine the versions of the master key that you want to delete. Typically, the oldest versions should be the ones deleted. Make a record of these versions.
  2. On the source system, issue the following command to open the wallet.
  3. Issue the following command to delete the stale master keys. Options are available to delete a specific version, a range of versions, or all versions including the current one. To delete all of the versions, transaction activity and the Oracle GoldenGate processes must be stopped.
    DELETE MASTERKEY {VERSION version | RANGE FROM begin_value TO end_value}


    DELETE MASTERKEY marks the key versions for deletion but does not actually delete them.

  4. Review the messages returned by the DELETE MASTERKEY command to ensure that the correct versions were marked for deletion. To unmark any version that was marked erroneously, use the UNDELETE MASTERKEY VERSION version command before proceeding with these steps. If desired, you can confirm the marked deletions with the INFO MASTERKEY command.
  5. When you are satisfied that the correct versions are marked for deletion, issue the following command to purge them from the wallet. This is a permanent deletion and cannot be undone.

    Next steps:

    • If the wallet resides on shared storage, you are done with these steps.

    • If there is a wallet on each system and you cannot stop the Oracle GoldenGate processes, repeat the preceding steps on each Oracle GoldenGate system.

    • If there is a wallet on each system and you can stop the Oracle GoldenGate processes, continue with these steps to stop the processes and copy the wallet to the other systems in the correct order.

  6. Stop Extract.
    STOP EXTRACT group
  7. In GGSCI, issue the following command for each data pump Extract until each returns At EOF, indicating that all of the data in the local trail has been processed.
  8. Stop the data pumps.
    STOP EXTRACT group
  9. On the target systems, issue the following command for each Replicat until it returns At EOF.
  10. Stop the Replicat groups.
  11. Copy the updated wallet from the source system to the same location as the old wallet on all of the target systems.
  12. Restart Extract.
  13. Restart the data pumps.
  14. Restart Replicat.