Oracle GoldenGate Security Guide
Encrypting Data with the ENCKEYS Method

C.1 Setting Up the Data Encryption

- Generate an encryption key and store it in the ENCKEYS file, see Populating an ENCKEYS File with Encryption Keys. Make certain to copy the finished ENCKEYS file to the Oracle GoldenGate installation directory on any intermediary systems and all target systems.

- In the following parameter files, add the following:

  - To encrypt trail data: In the parameter file of the primary Extract group and the data pump, add an ENCRYPTTRAIL parameter before any parameter that specifies a trail or file that you want to be encrypted. Parameters that specify trails or files are EXTTRAIL, RMTTRAIL, EXTFILE, and RMTFILE. The syntax is one of the following:

        ENCRYPTTRAIL {AES128 | AES192 | AES256 | BLOWFISH}
        ENCRYPTTRAIL AES192, KEYNAME keyname

  - To encrypt data across TCP/IP: In the RMTHOST parameter (RMTHOSTOPTIONS for a passive Extract) in the parameter file of the data pump (or the primary Extract, if no pump is being used), add the ENCRYPT option with the KEYNAME clause. The syntax is one of the following:

        RMTHOST host, MGRPORT port, ENCRYPT {AES128 | AES192 | AES256 | BLOWFISH} KEYNAME keyname
        RMTHOSTOPTIONS ENCRYPT {AES128 | AES192 | AES256 | BLOWFISH} KEYNAME keyname

    Where:

    - RMTHOSTOPTIONS is used for passive Extract, see Populating an ENCKEYS File with Encryption Keys.
    - ENCRYPTTRAIL without options uses AES 128 as the default for all database types except the DB2 for i, DB2 z/OS, and NonStop platforms, where BLOWFISH is the default.
    - AES128 encrypts with the AES 128 encryption algorithm. Not supported for DB2 for i, DB2 z/OS, and NonStop platforms.
    - AES192 encrypts with the AES 192 encryption algorithm. Not supported for DB2 for i, DB2 z/OS, and NonStop platforms.
    - AES256 encrypts with the AES 256 encryption algorithm. Not supported for iSeries, z/OS, and NonStop platforms.
    - BLOWFISH uses Blowfish encryption with a 64-bit block size and a variable-length key size from 32 bits to 128 bits. Use AES if supported for the platform. Use BLOWFISH for backward compatibility with earlier Oracle GoldenGate versions, and for DB2 for i and DB2 z/OS. AES is not supported on those platforms.
    - KEYNAME keyname specifies the logical look-up name of an encryption key in the ENCKEYS file. Not an option of ENCRYPTTRAIL.

    Note: RMTHOST is used unless the Extract is in a passive configuration.

- If using a static Collector with data encrypted over TCP/IP, append the following parameters in the Collector startup string:

        -KEYNAME keyname
        -ENCRYPT algorithm

  The specified key name and algorithm must match those specified with the KEYNAME and ENCRYPT options of RMTHOST.
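The three steps above leave two things easy to get wrong: ENCRYPTTRAIL must appear before every trail or file parameter it is meant to cover, and the ENCRYPT algorithm and KEYNAME on RMTHOST must agree with the ENCKEYS file and with the static Collector's -ENCRYPT / -KEYNAME. The following script is an added example, not Oracle GoldenGate code, that checks those constraints over constructed parameter files, a constructed ENCKEYS file and a constructed Collector startup string; the key values, group names, host name and ports are sample values for the example only.

```python
"""Added example, not Oracle GoldenGate code: a consistency check for the
ENCKEYS setup above. Parameter files, ENCKEYS contents and the Collector
startup string below are constructed for this example."""
import re

# Parameters that write a trail or file; each must come after ENCRYPTTRAIL.
TRAIL_PARAMS = {"EXTTRAIL", "RMTTRAIL", "EXTFILE", "RMTFILE"}

# Constructed ENCKEYS file: logical key name followed by a hex key value.
ENCKEYS_SAMPLE = """\
## key name   key value
superkey   0x420E61BE7002D63560929CCA17A4E1FB
secretkey  0x0E6A4A2D3C5E7F8091A2B3C4D5E6F708
"""

# Constructed primary Extract: ENCRYPTTRAIL precedes EXTTRAIL, as required.
EXTRACT_PRM = """\
EXTRACT exthr
ENCRYPTTRAIL AES256
EXTTRAIL ./dirdat/lt
TABLE hr.*;
"""

# Constructed data pump with a deliberate ordering mistake: RMTTRAIL appears
# before ENCRYPTTRAIL, so the remote trail would be written unencrypted.
PUMP_PRM = """\
EXTRACT pmphr
PASSTHRU
RMTHOST tgthost, MGRPORT 7809, ENCRYPT AES256 KEYNAME superkey
RMTTRAIL ./dirdat/rt
ENCRYPTTRAIL AES256
TABLE hr.*;
"""

# Constructed static Collector startup string on the target system.
COLLECTOR_CMD = "server -p 7840 -ENCRYPT AES256 -KEYNAME superkey"


def parse_enckeys(text):
    """Map key name -> key value, skipping blank lines and '#' comments."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            keys[parts[0]] = parts[1]
    return keys


def check_trail_encryption(param_text):
    """Return (line number, keyword) for every trail/file parameter that is
    not preceded by ENCRYPTTRAIL. Lines starting with '--' are comments."""
    problems, encrypting = [], False
    for lineno, line in enumerate(param_text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("--"):
            continue
        keyword = tokens[0].upper()
        if keyword == "ENCRYPTTRAIL":
            encrypting = True
        elif keyword in TRAIL_PARAMS and not encrypting:
            problems.append((lineno, keyword))
    return problems


RMTHOST_RE = re.compile(
    r"^\s*RMTHOST(?:OPTIONS)?\b.*?\bENCRYPT\s+(\w+)\s+KEYNAME\s+(\w+)", re.I)


def parse_rmthost(param_text):
    """Return (algorithm, keyname) from RMTHOST/RMTHOSTOPTIONS, or None."""
    for line in param_text.splitlines():
        m = RMTHOST_RE.match(line)
        if m:
            return m.group(1).upper(), m.group(2)
    return None


def parse_collector_args(startup):
    """Return (-ENCRYPT value, -KEYNAME value) from a Collector startup string."""
    tokens = startup.split()
    opts = {t.upper(): tokens[i + 1] for i, t in enumerate(tokens[:-1])
            if t.upper() in ("-ENCRYPT", "-KEYNAME")}
    alg = opts.get("-ENCRYPT")
    return (alg.upper() if alg else None), opts.get("-KEYNAME")


def audit(extract_prm, pump_prm, enckeys_text, collector_cmd):
    """Collect findings; an empty list means the setup is consistent."""
    findings = []
    for name, prm in (("extract", extract_prm), ("pump", pump_prm)):
        for lineno, kw in check_trail_encryption(prm):
            findings.append(f"{name}: {kw} on line {lineno} precedes ENCRYPTTRAIL; trail written in clear")
    rmt = parse_rmthost(pump_prm)
    if rmt is None:
        findings.append("pump: RMTHOST has no ENCRYPT ... KEYNAME clause; TCP/IP data unencrypted")
        return findings
    alg, key = rmt
    if key not in parse_enckeys(enckeys_text):  # exact-match lookup of the key name
        findings.append(f"pump: KEYNAME {key} is not defined in ENCKEYS")
    if parse_collector_args(collector_cmd) != (alg, key):
        findings.append(f"collector: -ENCRYPT/-KEYNAME do not match RMTHOST ENCRYPT {alg} KEYNAME {key}")
    return findings


if __name__ == "__main__":
    for finding in audit(EXTRACT_PRM, PUMP_PRM, ENCKEYS_SAMPLE, COLLECTOR_CMD):
        print(finding)
```

Run against the constructed input it reports one finding, the RMTTRAIL that precedes ENCRYPTTRAIL in the pump; changing the Collector string to a different -KEYNAME adds a second finding for the mismatch with RMTHOST. Pointing the four inputs at real dirprm files, the ENCKEYS file and the Collector command line turns it into a pre-start check for the procedure above.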