9 Encrypting Data with the ENCKEYS Method
To use this method of data encryption, you configure Oracle GoldenGate to generate an encryption key and store the key in a local ENCKEYS file.
This method uses a permanent key that can be changed only by regenerating the algorithm; see Populating an ENCKEYS File with Encryption Keys. The ENCKEYS file must be secured through the normal method of assigning file permissions in the operating system.
This procedure generates an AES encryption key and provides instructions for storing it in the ENCKEYS file.
Topics:
- Encrypting the Data with the ENCKEYS Method
- Decrypting the Data with the ENCKEYS Method
- Examples of Data Encryption using the ENCKEYS Method
Parent topic: Securing Oracle GoldenGate
Decrypting the Data with the ENCKEYS Method
Data that is encrypted over TCP/IP connections is decrypted automatically at the destination before it is written to a trail, unless trail encryption also is specified.
Data that is encrypted in the trail remains encrypted unless the DECRYPTTRAIL parameter is used. DECRYPTTRAIL is required by Replicat before it can apply encrypted data to the target. A data pump passes encrypted data untouched to the output trail, unless the DECRYPTTRAIL and ENCRYPTTRAIL parameters are used. If the data pump must perform work on the data, decrypt and encrypt the data as follows.
To Decrypt Data for Processing by a Data Pump
Add the DECRYPTTRAIL parameter to the parameter file of the data pump. The decryption algorithm and key must match the ones that were used to encrypt the trail; see Encrypting the Data with the ENCKEYS Method.
DECRYPTTRAIL {AES128 | AES192 | AES256 | BLOWFISH}
To Encrypt Data After Processing by a Data Pump
To encrypt data before the data pump writes it to an output trail or file, use the ENCRYPTTRAIL parameter before the parameters that specify those trails or files. Parameters that specify trails or files are EXTTRAIL, RMTTRAIL, EXTFILE, and RMTFILE. The ENCRYPTTRAIL parameter and the trail or file specifications must occur after the DECRYPTTRAIL parameter.
Note:
The algorithm specified with ENCRYPTTRAIL can vary from trail to trail. For example, you can use AES 128 to encrypt a local trail and AES 256 to encrypt a remote trail.
To Decrypt Data for Processing by Replicat
If a trail that Replicat reads is encrypted, add a DECRYPTTRAIL parameter statement to the Replicat parameter file. The decryption algorithm and key must match the ones that were used to encrypt the trail.
Examples of Data Encryption using the ENCKEYS Method
The following example shows how to turn encryption on and off for different trails or files. In this example, Extract writes to two local trails, only one of which must be encrypted.
In the Extract configuration, trail bb is the non-encrypted trail, so its EXTTRAIL parameter is placed before the ENCRYPTTRAIL parameter that encrypts trail aa. Alternatively, you can use the NOENCRYPTTRAIL parameter before the EXTTRAIL parameter that specifies trail bb and then use the ENCRYPTTRAIL parameter before the EXTTRAIL parameter that specifies trail aa.
In this example, the encrypted data must be decrypted so that data pump 1pump can perform work on it. Therefore, the DECRYPTTRAIL parameter is used in the parameter file of the data pump. To re-encrypt the data for output, the ENCRYPTTRAIL parameter must be used after DECRYPTTRAIL but before the output trail specification(s). If the data pump did not have to perform work on the data, the DECRYPTTRAIL and ENCRYPTTRAIL parameters could have been omitted to retain encryption all the way to Replicat.
Example 9-1 Extract Parameter File
EXTRACT capt
USERIDALIAS ogg
DISCARDFILE /ogg/capt.dsc, PURGE
-- Do not encrypt this trail.
EXTTRAIL /ogg/dirdat/bb
TABLE SALES.*;
-- Encrypt this trail with AES-192.
ENCRYPTTRAIL AES192
EXTTRAIL /ogg/dirdat/aa
TABLE FIN.*;
Example 9-2 Data Pump 1 Parameter File
EXTRACT 1pump
USERIDALIAS ogg
DISCARDFILE /ogg/1pmp.dsc, PURGE
-- Decrypt the trail this pump reads. Use encryption key mykey1.
DECRYPTTRAIL AES192
-- Encrypt the trail this pump writes to, using AES-192.
RMTHOSTOPTIONS myhost1, MGRPORT 7809
ENCRYPTTRAIL AES192
RMTTRAIL /ogg/dirdat/cc
TABLE FIN.*;
Example 9-3 Data Pump 2 Parameter File
EXTRACT 2pump
USERIDALIAS ogg
DISCARDFILE /ogg/2pmp.dsc, PURGE
RMTHOST myhost2, MGRPORT 7809
RMTTRAIL /ogg/dirdat/dd
TABLE SALES.*;
Example 9-4 Replicat 1 (on myhost1) Parameter File
REPLICAT 1deliv
USERIDALIAS ogg
ASSUMETARGETDEFS
DISCARDFILE /ogg/1deliv.dsc, PURGE
-- Decrypt the trail this Replicat reads. Use encryption key mykey2.
DECRYPTTRAIL AES192
MAP FIN.*, TARGET FIN.*;
Example 9-5 Replicat 2 (on myhost2) Parameter File
REPLICAT 2deliv
USERIDALIAS ogg
ASSUMETARGETDEFS
DISCARDFILE /ogg/2deliv.dsc, PURGE
MAP SALES.*, TARGET SALES.*;
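The ordering rules above (ENCRYPTTRAIL applies to every trail or file specification that follows it, NOENCRYPTTRAIL turns it off again, DECRYPTTRAIL must come before ENCRYPTTRAIL in a data pump, and the reader must decrypt with the algorithm the writer used) are easy to get wrong in a long parameter file, and a misordered ENCRYPTTRAIL silently leaves a trail in the clear. The following audit script is an added example, not Oracle's code or any part of GoldenGate; it reads parameter files such as Examples 9-1, 9-2 and 9-4, reports which output trails end up encrypted with which algorithm, and cross-checks that the next process in the chain decrypts with the matching algorithm. Treating `--` as a comment marker and commas and whitespace as separators is an assumption about the parameter-file syntax, and the key itself (in ENCKEYS on each host) is not something the parameter files can prove, so only the algorithm is compared. The constructed `BAD_PUMP` file is a deliberate misconfiguration used to show the ordering check firing.

```python
"""Audit trail-encryption settings in Oracle GoldenGate parameter files.

Added example, not Oracle's code. It implements only the rules the text
states: ENCRYPTTRAIL <alg> covers every EXTTRAIL/RMTTRAIL/EXTFILE/RMTFILE
that follows it until NOENCRYPTTRAIL, DECRYPTTRAIL must precede ENCRYPTTRAIL,
and a reader must use the algorithm the writer used. Treating '--' as a
comment marker and commas/whitespace as separators is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRAIL_PARAMS = {"EXTTRAIL", "RMTTRAIL", "EXTFILE", "RMTFILE"}
ALGORITHMS = {"AES128", "AES192", "AES256", "BLOWFISH"}  # documented choices


@dataclass
class TrailAudit:
    outputs: Dict[str, Optional[str]] = field(default_factory=dict)  # path -> alg, None = clear
    decrypt: Optional[str] = None                                    # DECRYPTTRAIL algorithm
    problems: List[str] = field(default_factory=list)


def audit_param_file(text: str) -> TrailAudit:
    """Walk the file top to bottom, tracking which algorithm is in force."""
    audit, in_force, encrypt_seen = TrailAudit(), None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("--", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.rstrip(";").replace(",", " ").split()
        keyword = tokens[0].upper()
        arg = tokens[1].upper() if len(tokens) > 1 else None
        if keyword == "ENCRYPTTRAIL":
            if arg not in ALGORITHMS:
                audit.problems.append(f"line {lineno}: ENCRYPTTRAIL needs one of {sorted(ALGORITHMS)}")
            in_force, encrypt_seen = arg, True
        elif keyword == "NOENCRYPTTRAIL":
            in_force = None
        elif keyword == "DECRYPTTRAIL":
            if arg not in ALGORITHMS:
                audit.problems.append(f"line {lineno}: DECRYPTTRAIL needs one of {sorted(ALGORITHMS)}")
            if encrypt_seen:
                audit.problems.append(f"line {lineno}: DECRYPTTRAIL must precede ENCRYPTTRAIL")
            audit.decrypt = arg
        elif keyword in TRAIL_PARAMS:
            if arg is None:
                audit.problems.append(f"line {lineno}: {keyword} has no path")
            else:
                audit.outputs[tokens[1]] = in_force  # keep the path's original case
    return audit


def check_reader(writer: TrailAudit, trail: str, reader: TrailAudit) -> List[str]:
    """Can a pump or Replicat consume 'trail' as the writer left it? Compares the
    algorithm only; the key itself lives in each host's ENCKEYS file."""
    if trail not in writer.outputs:
        return [f"{trail} is not written by the upstream parameter file"]
    alg, dec = writer.outputs[trail], reader.decrypt
    if alg is None and dec is not None:
        return [f"{trail} is in the clear but the reader specifies DECRYPTTRAIL"]
    if alg is not None and dec is None:
        return [f"{trail} is encrypted with {alg} but the reader has no DECRYPTTRAIL"]
    if alg is not None and dec != alg:
        return [f"{trail} is encrypted with {alg} but the reader decrypts with {dec}"]
    return []


# Parameter files from Examples 9-1, 9-2 and 9-4 (trimmed), plus one
# constructed misconfiguration: DECRYPTTRAIL placed after ENCRYPTTRAIL.
EXTRACT_CAPT = """EXTRACT capt
USERIDALIAS ogg
DISCARDFILE /ogg/capt.dsc, PURGE
-- Do not encrypt this trail.
EXTTRAIL /ogg/dirdat/bb
TABLE SALES.*;
-- Encrypt this trail with AES-192.
ENCRYPTTRAIL AES192
EXTTRAIL /ogg/dirdat/aa
TABLE FIN.*;
"""
PUMP_1 = """EXTRACT 1pump
DECRYPTTRAIL AES192
RMTHOSTOPTIONS myhost1, MGRPORT 7809
ENCRYPTTRAIL AES192
RMTTRAIL /ogg/dirdat/cc
TABLE FIN.*;
"""
REPLICAT_1 = "REPLICAT 1deliv\nDECRYPTTRAIL AES192\nMAP FIN.*, TARGET FIN.*;\n"
BAD_PUMP = "EXTRACT badpump\nENCRYPTTRAIL AES128\nDECRYPTTRAIL AES192\nRMTTRAIL /ogg/dirdat/ee\n"


def run_checks() -> Dict[str, List[str]]:
    """Audit the chain capt -> 1pump -> 1deliv plus the constructed bad pump."""
    capt, pump, deliv = (audit_param_file(t) for t in (EXTRACT_CAPT, PUMP_1, REPLICAT_1))
    return {
        "capt": capt.problems,
        "1pump reads aa": check_reader(capt, "/ogg/dirdat/aa", pump),
        "1pump reads bb": check_reader(capt, "/ogg/dirdat/bb", pump),  # bb is clear: flagged
        "1deliv reads cc": check_reader(pump, "/ogg/dirdat/cc", deliv),
        "badpump": audit_param_file(BAD_PUMP).problems,
    }


if __name__ == "__main__":
    for name, issues in run_checks().items():
        print(f"{name}: {'; '.join(issues) or 'ok'}")
```

Running the script reports the capt, aa and cc checks as ok, flags that 1pump would apply DECRYPTTRAIL to the clear-text trail bb, and reports the ordering violation in the constructed bad pump. Because `audit_param_file` records the algorithm in force at each trail specification, it also shows the per-trail variation the Note above describes (for instance AES128 on a local EXTTRAIL and AES256 on a later RMTTRAIL in the same file).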