9 Encrypting Data with the ENCKEYS Method

To use this method of data encryption, you configure Oracle GoldenGate to generate an encryption key and store the key in a local ENCKEYS file.

This method makes use of a permanent key that can only be changed by regenerating the algorithm; see Populating an ENCKEYS File with Encryption Keys.

The ENCKEYS file must be secured through the normal method of assigning file permissions in the operating system.

This procedure generates an AES encryption key and provides instructions for storing it in the ENCKEYS file.

Encrypting the Data with the ENCKEYS Method

  1. Generate an encryption key and store it in the ENCKEYS file; see Populating an ENCKEYS File with Encryption Keys. Make certain to copy the finished ENCKEYS file to the Oracle GoldenGate installation directory on any intermediary systems and on all target systems.
  2. In the following parameter files, add the following:
    • To encrypt trail data: In the parameter file of the primary Extract group and the data pump, add an ENCRYPTTRAIL parameter before any parameter that specifies a trail or file that you want to be encrypted. Parameters that specify trails or files are EXTTRAIL, RMTTRAIL, EXTFILE, and RMTFILE. The syntax is one of the following:

      ENCRYPTTRAIL {AES128 | AES192 | AES256 | BLOWFISH}  
      
      ENCRYPTTRAIL AES192, KEYNAME keyname
    • To encrypt data across TCP/IP: In the RMTHOSTOPTIONS parameter in the parameter file of the data pump (or the primary Extract, if no pump is being used), add the ENCRYPT option with the KEYNAME clause. The syntax is one of the following:

      RMTHOSTOPTIONS host, MGRPORT port, ENCRYPT {AES128 | AES192 | AES256 | BLOWFISH} KEYNAME keyname
      
      RMTHOSTOPTIONS ENCRYPT {AES128 | AES192 | AES256 | BLOWFISH} KEYNAME keyname
      

    Where:

    • RMTHOSTOPTIONS is used for passive Extract; see Populating an ENCKEYS File with Encryption Keys.

    • ENCRYPTTRAIL without options uses AES128 as the default for all database types except the iSeries, z/OS, and NonStop platforms, where BLOWFISH is the default.

    • AES128 encrypts with the AES-128 encryption algorithm. Not supported for iSeries, z/OS, and NonStop platforms.

    • AES192 encrypts with AES-192 encryption algorithm. Not supported for iSeries, z/OS, and NonStop platforms.

    • AES256 encrypts with AES-256 encryption algorithm. Not supported for iSeries, z/OS, and NonStop platforms.

    • BLOWFISH uses Blowfish encryption with a 64-bit block size and a variable-length key size from 32 bits to 128 bits. Use AES if supported for the platform. Use BLOWFISH for backward compatibility with earlier Oracle GoldenGate versions, and for DB2 z/OS and DB2 for i. AES is not supported on those platforms.

    • KEYNAME keyname specifies the logical look-up name of an encryption key in the ENCKEYS file. Not an option of ENCRYPTTRAIL.

      Note:

      RMTHOST is used unless the Extract is in a passive configuration.

  3. If using a static Collector with data encrypted over TCP/IP, append the following parameters to the Collector startup string:

      -KEYNAME keyname
      -ENCRYPT algorithm


    The specified key name and algorithm must match those specified with the KEYNAME and ENCRYPT options of RMTHOST.

Decrypting the Data with the ENCKEYS Method

Data that is encrypted over TCP/IP connections is decrypted automatically at the destination before it is written to a trail, unless trail encryption also is specified.

Data that is encrypted in the trail remains encrypted unless the DECRYPTTRAIL parameter is used. DECRYPTTRAIL is required by Replicat before it can apply encrypted data to the target. A data pump passes encrypted data untouched to the output trail, unless the DECRYPTTRAIL and ENCRYPTTRAIL parameters are used. If the data pump must perform work on the data, decrypt and encrypt the data as follows.

To Decrypt Data for Processing by a Data Pump

Add the DECRYPTTRAIL parameter to the parameter file of the data pump. The decryption algorithm and key must match the ones that were used to encrypt the trail; see Encrypting the Data with the ENCKEYS Method.

DECRYPTTRAIL {AES128 | AES192 | AES256 | BLOWFISH}

To Encrypt Data After Processing by a Data Pump

To encrypt data before the data pump writes it to an output trail or file, use the ENCRYPTTRAIL parameter before the parameters that specify those trails or files. Parameters that specify trails or files are EXTTRAIL, RMTTRAIL, EXTFILE, and RMTFILE. The ENCRYPTTRAIL parameter and the trail or file specifications must occur after the DECRYPTTRAIL parameter.

Note:

The algorithm specified with ENCRYPTTRAIL can vary from trail to trail. For example, you can use AES128 to encrypt a local trail and AES256 to encrypt a remote trail.

To Decrypt Data for Processing by Replicat

If a trail that Replicat reads is encrypted, add a DECRYPTTRAIL parameter statement to the Replicat parameter file. The decryption algorithm and key must match the ones that were used to encrypt the trail.

Examples of Data Encryption using the ENCKEYS Method

The following example shows how to turn encryption on and off for different trails or files. In this example, Extract writes to two local trails, only one of which must be encrypted.

In the Extract configuration, trail bb is the non-encrypted trail, so its EXTTRAIL parameter is placed before the ENCRYPTTRAIL parameter that encrypts trail aa. Alternatively, you can use the NOENCRYPTTRAIL parameter before the EXTTRAIL parameter that specifies trail bb and then use the ENCRYPTTRAIL parameter before the EXTTRAIL parameter that specifies trail aa.

In this example, the encrypted data must be decrypted so that data pump 1pump can perform work on it. Therefore, the DECRYPTTRAIL parameter is used in the parameter file of the data pump. To re-encrypt the data for output, the ENCRYPTTRAIL parameter must be used after DECRYPTTRAIL but before the output trail specification(s). If the data pump did not have to perform work on the data, the DECRYPTTRAIL and ENCRYPTTRAIL parameters could have been omitted to retain encryption all the way to Replicat.

Example 9-1 Extract Parameter File

EXTRACT capt
USERIDALIAS ogg
DISCARDFILE /ogg/capt.dsc, PURGE
-- Do not encrypt this trail.
EXTTRAIL /ogg/dirdat/bb
TABLE SALES.*;
-- Encrypt this trail with AES-192.
ENCRYPTTRAIL AES192
EXTTRAIL /ogg/dirdat/aa
TABLE FIN.*;

Example 9-2 Data Pump 1 Parameter File

EXTRACT 1pump
USERIDALIAS ogg
DISCARDFILE /ogg/1pmp.dsc, PURGE
-- Decrypt the trail this pump reads. Use encryption key mykey1.
DECRYPTTRAIL AES192
-- Encrypt the trail this pump writes to, using AES-192.
RMTHOSTOPTIONS myhost1, MGRPORT 7809
ENCRYPTTRAIL AES192
RMTTRAIL /ogg/dirdat/cc
TABLE FIN.*;

Example 9-3 Data Pump 2 Parameter File

EXTRACT 2pump
USERIDALIAS ogg
DISCARDFILE /ogg/2pmp.dsc, PURGE
RMTHOST myhost2, MGRPORT 7809
RMTTRAIL /ogg/dirdat/dd
TABLE SALES.*;

Example 9-4 Replicat 1 (on myhost1) Parameter File

REPLICAT 1deliv
USERIDALIAS ogg
ASSUMETARGETDEFS
DISCARDFILE /ogg/1deliv.dsc, PURGE
-- Decrypt the trail this Replicat reads. Use encryption key mykey2.
DECRYPTTRAIL AES192
MAP FIN.*, TARGET FIN.*;

Example 9-5 Replicat 2 (on myhost2) Parameter File

REPLICAT 2deliv
USERIDALIAS ogg
ASSUMETARGETDEFS
DISCARDFILE /ogg/2deliv.dsc, PURGE
MAP SALES.*, TARGET SALES.*;
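The ordering rules in this chapter (ENCRYPTTRAIL applies to every trail parameter that follows it, DECRYPTTRAIL must come before ENCRYPTTRAIL and before any output trail in a pump, and a KEYNAME must resolve to an entry in ENCKEYS) are easy to get wrong silently, because a mis-ordered parameter file still runs and simply writes a trail in the clear. The following Python lint is an added example written for this page; it is not Oracle GoldenGate code and it implements only the rules stated above. It assumes the ENCKEYS file layout of "##" comment lines followed by one "keyname keyvalue" line (the key values in the sample are constructed, not real keys), that an ENCRYPT ... KEYNAME clause can be added to the RMTHOSTOPTIONS line of Example 9-2 as the syntax in step 2 shows, and that 0o600 is the file-permission policy for ENCKEYS (the chapter only says to secure the file with operating-system permissions). The sample parameter files are abridged from Example 9-1 and Example 9-2, plus a deliberately broken pump file that makes both mistakes.

```python
"""Added example (not Oracle code): lint GoldenGate parameter files for the
ENCKEYS-method ordering and key-lookup rules stated in this chapter."""
import re

TRAIL_PARAMS = {"EXTTRAIL", "RMTTRAIL", "EXTFILE", "RMTFILE"}
ALGORITHMS = {"AES128", "AES192", "AES256", "BLOWFISH"}
DEFAULT_ALGORITHM = "AES128"  # chapter default; BLOWFISH on iSeries, z/OS, NonStop


def parse_params(text):
    """Return (KEYWORD, rest) pairs; '--' starts a comment, ';' ends a statement."""
    params = []
    for raw in text.splitlines():
        line = raw.split("--", 1)[0].strip().rstrip(";").strip()
        if line:
            parts = line.split(None, 1)
            params.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return params


def parse_enckeys(text):
    """Parse ENCKEYS text: '##' comment lines, then one 'keyname keyvalue' per line."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, value = line.split(None, 1)
            keys[name] = value.strip()
    return keys


def first_algorithm(rest):
    """Algorithm from option text such as 'AES192, KEYNAME k', else the default."""
    token = rest.split(",")[0].split()
    return token[0].upper() if token else DEFAULT_ALGORITHM


def trail_encryption(text):
    """Map each trail/file path to the algorithm in force where it is declared
    (None = clear text). ENCRYPTTRAIL / NOENCRYPTTRAIL apply to every trail
    parameter that follows them, which is why parameter order matters."""
    state, result = None, {}
    for kw, rest in parse_params(text):
        if kw == "ENCRYPTTRAIL":
            state = first_algorithm(rest)
        elif kw == "NOENCRYPTTRAIL":
            state = None
        elif kw in TRAIL_PARAMS:
            result[rest.split(",")[0].strip()] = state
    return result


def lint(text, enckeys):
    """Return a list of findings; an empty list means the file passes."""
    findings, params = [], parse_params(text)
    keywords = [kw for kw, _ in params]
    if "DECRYPTTRAIL" in keywords:
        dec = keywords.index("DECRYPTTRAIL")
        if "ENCRYPTTRAIL" in keywords[:dec]:
            findings.append("ENCRYPTTRAIL precedes DECRYPTTRAIL; decrypt first, then re-encrypt")
        if any(kw in TRAIL_PARAMS for kw in keywords[:dec]):
            findings.append("a trail/file parameter precedes DECRYPTTRAIL")
    for kw, rest in params:
        if kw in ("ENCRYPTTRAIL", "DECRYPTTRAIL") and first_algorithm(rest) not in ALGORITHMS:
            findings.append(f"{kw}: unknown algorithm {first_algorithm(rest)}")
        if kw in ("RMTHOST", "RMTHOSTOPTIONS") and re.search(r"\bENCRYPT\b", rest, re.I):
            m = re.search(r"\bKEYNAME\s+(\S+)", rest, re.I)
            if m is None:
                findings.append(f"{kw} ENCRYPT has no KEYNAME clause")
            elif m.group(1) not in enckeys:
                findings.append(f"{kw} KEYNAME {m.group(1)} is not in ENCKEYS")
    return findings


def enckeys_mode_is_private(mode):
    """True when a file mode grants nothing to group/other, e.g. 0o600 (this
    example's assumed policy; the chapter only says to use OS permissions)."""
    return (mode & 0o077) == 0


# Constructed sample ENCKEYS file; the key values are made up, not real keys.
SAMPLE_ENCKEYS = """## Key name    Key value
mykey1    0x0123456789ABCDEF0123456789ABCDEF
mykey2    0xFEDCBA9876543210FEDCBA9876543210
"""
# Abridged from Example 9-1: trail bb in the clear, trail aa under AES192.
EXTRACT_CAPT = "EXTRACT capt\nEXTTRAIL /ogg/dirdat/bb\nTABLE SALES.*;\nENCRYPTTRAIL AES192\nEXTTRAIL /ogg/dirdat/aa\nTABLE FIN.*;\n"
# Constructed pump: Example 9-2 plus an assumed ENCRYPT ... KEYNAME clause.
GOOD_PUMP = "EXTRACT 1pump\nDECRYPTTRAIL AES192\nRMTHOSTOPTIONS myhost1, MGRPORT 7809, ENCRYPT AES192 KEYNAME mykey1\nENCRYPTTRAIL AES192\nRMTTRAIL /ogg/dirdat/cc\nTABLE FIN.*;\n"
# Same pump with ENCRYPTTRAIL before DECRYPTTRAIL and a key name missing from ENCKEYS.
BAD_PUMP = "EXTRACT 1pump\nENCRYPTTRAIL AES192\nRMTHOSTOPTIONS myhost1, MGRPORT 7809, ENCRYPT AES192 KEYNAME nokey\nDECRYPTTRAIL AES192\nRMTTRAIL /ogg/dirdat/cc\nTABLE FIN.*;\n"

if __name__ == "__main__":
    keys = parse_enckeys(SAMPLE_ENCKEYS)
    print(trail_encryption(EXTRACT_CAPT))
    for label, prm in (("good pump", GOOD_PUMP), ("bad pump", BAD_PUMP)):
        print(label, lint(prm, keys) or "OK")
```

Run against the Extract file, trail_encryption reports bb as None and aa as AES192, which is exactly the "place EXTTRAIL for bb before ENCRYPTTRAIL" reasoning given above; run against the broken pump file, lint reports the reversed DECRYPTTRAIL/ENCRYPTTRAIL order and the unresolved key name. A practitioner would call enckeys_mode_is_private with the st_mode of the deployed ENCKEYS file on each intermediary and target system, since the same file is copied to all of them.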