1. Encrypting Data with the Master Key and Wallet Method
- Users have to create a master-key wallet and add a master key to the wallet.
- Oracle GoldenGate automatically generates a new encryption key and uses it to encrypt every new trail file. The encryption key is included in the trail header and is itself encrypted using the master key.
- Oracle GoldenGate on the target will decrypt the encryption key with the shared master key, and then use the encryption key to decrypt the trail file.
1.1. Create the Master Key
First, create a wallet (this is done once) and add the master keys to it. Then either copy the cwallet.sso file to every system that runs Oracle GoldenGate, into the location defined by WALLETLOCATION in GLOBALS (by default the dirwlt folder), or put the cwallet.sso file on shared storage accessible to all Oracle GoldenGate systems.
You can manage the master keys in GGSCI. The following example shows how you can check the master key details.
You can use the ENCRYPTTRAIL parameter in the Extract (including the Pump) parameter file to encrypt the trail files. If you don't specify the MASTERKEYNAME in GLOBALS, Oracle GoldenGate uses the default master key named OGG_DEFAULT_MASTERKEY. If you don't specify the AES cipher name, AES128 is used.
2. Encryption with the Encryption Files (ENCKEYS) Method
- Users need to create the ENCKEYS and copy the file to all of the related Oracle GoldenGate systems.
- Oracle GoldenGate uses the defined encryption key to encrypt the trail files.
- Oracle GoldenGate on the target will decrypt the encryption key.
Oracle GoldenGate provides the keygen utility to generate encryption keys. The following example creates an AES256 key and a new ENCKEYS file.
You can use any text editor to add the key names to the ENCKEYS file. The example defines the key name to be keyaes2561.
You have to copy the ENCKEYS file to every system where the encryption and decryption are performed.
2.4 Using the Encryption Key
In the Extract and Replicat parameter files, you can use the ENCRYPTTRAIL and DECRYPTTRAIL parameters with KEYNAME to configure the encryption and decryption. The following is an example extract parameter file:
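The ENCKEYS procedure above from key generation to the Extract and Replicat parameter files, as an added example that is not from the original page or from Oracle's documentation. The group names ext1 and rep1, the credential alias ggadmin_alias, the hr schema and the trail path are hypothetical, and the key value is a placeholder for the keygen output.

```text
# 1. Shell, in the Oracle GoldenGate home on the source:
#    generate one 256-bit key and write it to a new ENCKEYS file
./keygen 256 1 > ENCKEYS

# 2. ENCKEYS after editing: one "<key name> <key value>" pair per line.
#    The value is the hex string keygen printed (placeholder shown here).
## Key name     Key value
keyaes2561      0x<KEY_VALUE_FROM_KEYGEN>

# 3. Copy the same ENCKEYS file to every system that encrypts or decrypts.

-- 4a. Extract parameter file on the source (hypothetical group ext1).
--     ENCRYPTTRAIL is placed before the trail it applies to.
EXTRACT ext1
USERIDALIAS ggadmin_alias
ENCRYPTTRAIL AES256, KEYNAME keyaes2561
EXTTRAIL ./dirdat/aa
TABLE hr.*;

-- 4b. Replicat parameter file on the target (hypothetical group rep1).
--     Cipher and key name match the ones used by Extract.
REPLICAT rep1
USERIDALIAS ggadmin_alias
DECRYPTTRAIL AES256, KEYNAME keyaes2561
MAP hr.*, TARGET hr.*;
```

The ENCKEYS file holds the key value itself, so restrict read access to the Oracle GoldenGate operating-system user on every system it is copied to.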