Secure Data at Rest
All customer-related data, such as trail files, and any dependent or derived data, such as Bounded Recovery data and data spilled or staged out to disk, is maintained in encrypted form in the Oracle GoldenGate environment.
Oracle GoldenGate uses different encryption techniques to secure data at rest. Encryption is done using a master key, and the use of multiple master keys is supported.
Trail File Encryption
- ANSI X9.102 is the key wrap algorithm used for encapsulation encryption.
- A data encryption key (DEK), also called the local key, is generated for each trail file.
- An encrypted version of the local key is included in the trail file header; a master key is used to encrypt the data encryption key.
- Supported encryption levels are AES128, AES192, and AES256.
Oracle Key Management Services
- Local Wallet: The encryption master key is stored in the local wallet file.
- Oracle Key Vault (OKV): The encryption master key is stored in Oracle Key Vault. The Oracle Key Vault service can reside on a different server than Oracle GoldenGate.
  The OKV method is highly recommended for on-premises Oracle GoldenGate trail encryption. This method is available with Oracle GoldenGate Microservices Architecture and requires defining an encryption profile in Oracle GoldenGate. See Using Oracle Key Vault Trail File Encryption in Oracle GoldenGate.
- Oracle Cloud Infrastructure Key Management Service (OCI KMS): The encryption master key is stored in OCI KMS and never leaves it. This method is recommended if your Oracle GoldenGate deployment can access OCI KMS.
  This method works with Oracle GoldenGate Microservices Architecture and requires defining an encryption profile in Oracle GoldenGate. See Configure Oracle GoldenGate Processes to Enable OCI KMS Trail File Encryption.
Why Use KMS to Store Oracle GoldenGate Encryption Keys?
Oracle GoldenGate encryption of trail files is enhanced by using OKV or OCI KMS as the Key Management Service (KMS) to store master keys.
Each time Oracle GoldenGate creates a trail file, it automatically generates a new encryption key. This encryption key encrypts the trail contents, and the master key encrypts the encryption key. This process of encrypting encryption keys is known as key wrap and is described in standard ANSI X9.102 from the American Standards Committee.
Key management refers to managing cryptographic keys within an enterprise. It deals with generating, exchanging, storing, using, and replacing keys as required. A KMS also includes key servers, user procedures, and protocols. The security of the enterprise depends on successful key management. Storing master keys in a KMS provides the following advantages:
- Centralized lifecycle management of master keys. You can generate and upload master keys to Oracle Key Vault directly using custom attributes, and perform lifecycle maintenance tasks within the KMS directly.
- Oracle GoldenGate doesn't need to store the master keys locally and is not involved in the lifecycle management of the master keys.
- Oracle GoldenGate can take advantage of specialized KMS features that provide key management with several layers of security.