Create and Apply Encryption Profile in a Deployment

In Oracle GoldenGate, an encryption profile defines which trail encryption method to use.

An encryption profile is the configuration information that is used to retrieve a master key from a local wallet or a Key Management Service (KMS) such as OKV or OCI KMS. Encryption profile configuration is only available with Microservices Architecture.

The following methods are available for managing encryption of master keys:
  • Local Wallets

  • Key Management Systems:
    • Oracle Key Vault

    • Oracle Cloud Infrastructure

Each Extract and Replicat process is associated with an encryption profile. If you haven't specified any other encryption profile, the default encryption profile, which is stored in the local wallet, is used.

If you use a different encryption profile that uses a KMS, it includes all the information necessary to connect and authenticate to the KMS server, as well as the details necessary to retrieve the particular master key that will be used for encryption and decryption. Each KMS uses an authentication token to access its APIs. Oracle GoldenGate Microservices Architecture stores this access token as a credential, which is created using the encryption profile in Microservices Architecture.

Oracle GoldenGate processes make a request to the Key Management Service (KMS) each time a trail file is opened.

  • For Oracle Key Vault (OKV), the encryption profile parameter time to live (TTL) keeps the master key in memory until the TTL has been reached.

  • In OCI KMS, the actual master key is never returned; instead, the client sends the data to encrypt or decrypt and the server returns the result to the client.

An encryption profile is used by the Oracle GoldenGate processes to encrypt or decrypt depending on whether the processes are writing or reading trail files.
  • Extract: Encrypt (Writer)

  • Replicat: Decrypt (Reader)

  • Distribution Service Path (DISTPATH): Encrypt/Decrypt (Writer/Reader)

  • LogDump: Decrypt (Reader)

Requirements for Setting up an Encryption Profile

This topic describes the requirements when configuring an encryption profile in Oracle GoldenGate.

You can create multiple encryption profiles within a deployment, but an Oracle GoldenGate process (Extract, Replicat, distribution path) can only use one encryption profile at a time. For distribution paths using filtering, decryption is done to apply the filters but the output trail file remains encrypted. In PASSTHRU, a distribution path will not attempt to use the encryption profile or decrypt the trail file unless explicitly specified.

Any of the existing encryption profiles within a deployment can be set as the default profile. The default profile is only relevant when an Extract, Replicat, or Distribution Path process is created: if an encryption profile is not explicitly specified during the creation of a process, the current default profile is assigned to the new process. Changing the default profile does not update the encryption profile assigned to any existing Oracle GoldenGate processes.

Note:

It is advised not to change the encryption profile or master key of a process that has already processed trail files.

The Administration Service web interface allows you to manage your encryption profiles. You cannot modify an existing encryption profile; if you need to change one, you must delete it and add a new profile using the Administration Service.

You can configure encryption profiles from the Administration Service or the Admin Client.

Tool to Set up Encryption Profile | Description

Administration Service

To configure the encryption profile using the Administration Service, see Configure an Encryption Profile.

Admin Client

The Admin Client commands used to set up the encryption profile for Extract, Replicat, and Distribution Path include:
  • ADD ENCRYPTIONPROFILE

  • ALTER ENCRYPTIONPROFILE

  • DELETE ENCRYPTIONPROFILE

  • INFO ENCRYPTIONPROFILE

In addition, the ADD and ALTER commands for Extract, DISTPATH, and Replicat include the parameter ENCRYPTIONPROFILE encryption-profile-name.

To know more, see Admin Client Command Line Interface Commands in Command Line Interface Reference for Oracle GoldenGate.

How to Edit the Local Wallet Encryption Profile

The Local Wallet encryption profile is the default encryption profile for a deployment. You can add a new master key to replace the existing one. Here are the steps to configure the local wallet options:

  1. Click Encryption from the left navigation pane of the Administration Service.

  2. Select Local Wallet. The Local Wallet Profile page is displayed.

  3. To replace the existing master key, click the plus sign next to the Master Keys section. A confirmation box is displayed to replace the current master key.

  4. Click OK to change the master key.

Configure an Encryption Profile

Oracle GoldenGate Administration Service provides options to set up encryption profiles for Extract and Replicat processes.

Use the following steps to create an encryption profile using Oracle Key Vault (OKV) or OCI Key Management System (OCI KMS) options:

  1. Click Encryption from the left navigation pane of the Administration Service.

  2. Click the plus sign + next to OKV or OCI KMS to create an encryption profile for either method. Specify the following details:
    Option | Description

    Profile Name

    Name of the encryption profile.

    Description

    Describe the encryption profile.

    Default Profile

    If you want to make this profile the default, then enable this option.

    Encryption Profile Type

    Available options are Oracle Key Vault (OKV) and Oracle Cloud Infrastructure (OCI).

  3. Before you set up OKV, you need to perform a client installation. See Step 1: Configure the Oracle Key Vault Server Environment in the Oracle Key Vault Administrator's Guide.

    OKV Configuration Options

    Options to set up Oracle Key Vault (OKV).

    KMS Library Path

    Specify the directory location where Oracle Key Vault is installed.

    Oracle Key Vault Version

    Specify the supported Oracle Key Vault version.

    Masterkey Name

    Specify the name of the master key.

    Time to Live

    Time to live (TTL) for the key retrieved by Extract from KMS. When encrypting the next trail, Extract checks if TTL has expired. If so, it retrieves the latest version of the master key. The default is 24 hours.

  4. OCI KMS requires registering the private/public key pair (API Signing Key) used to access the REST API on the server on which Oracle GoldenGate is deployed. Here are the options to set up the OCI KMS encryption profile.

    See Registering and Managing Keys for OCI KMS.

    OCI KMS Configuration Options

    Options to set up OCI KMS.

    Crypto Endpoint URL

    You can access this from the OCI KMS Vault wizard. See OCI Command Line Reference and Managing Keys in OCI Documentation to know more.

    Tenancy OCID

    When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for your company, which is a secure and isolated partition within Oracle Cloud Infrastructure where you can create, organize, and administer your cloud resources. See Key Concepts in OCI Documentation to learn more.

    Key OCID

    See the OCI Documentation for details.

    User OCID

    See the OCI Documentation for details.

    API Key

    A credential for securing requests to the Oracle Cloud Infrastructure REST API.

    API Key Fingerprint

    See Required Keys and OCIDs in the OCI documentation for details.
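The API Key and API Key Fingerprint fields of the OCI KMS profile refer to the OCI API signing key pair mentioned in step 4. The following script is an added example, not part of the Oracle GoldenGate documentation: it generates such a key pair with the openssl CLI and computes the fingerprint in the format OCI uses (MD5 of the DER-encoded public key, printed as colon-separated hex pairs), so the value entered in the profile can be checked against the key registered in OCI. The file names and the temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle GoldenGate code): prepare the OCI API signing key
# behind the "API Key" / "API Key Fingerprint" fields of an OCI KMS profile.
# Assumes the openssl CLI; fingerprint format is the one OCI documents.
set -e

# Generate a 2048-bit RSA API signing key pair. The private key signs the
# REST requests GoldenGate sends to OCI, so restrict it to the deployment's
# OS user. The public half is written next to it as <name>_public.pem.
gen_api_signing_key() {
    priv="$1"
    openssl genrsa -out "$priv" 2048 2>/dev/null
    chmod 600 "$priv"
    openssl rsa -in "$priv" -pubout -out "${priv%.pem}_public.pem" 2>/dev/null
}

# Fingerprint as OCI shows it after the public key is uploaded:
# MD5 over the DER-encoded SubjectPublicKeyInfo, colon separated.
api_key_fingerprint() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl md5 -c | sed 's/^.*= //'
}

# Same computation from the public key file, to confirm that the value
# pasted into the profile matches the key actually registered in OCI.
public_key_fingerprint() {
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl md5 -c | sed 's/^.*= //'
}

# Returns 0 when a fingerprint has the expected 16-pair shape.
is_valid_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'
}

# Constructed demonstration run in a scratch directory (assumed paths).
workdir=$(mktemp -d)
gen_api_signing_key "$workdir/oci_api_key.pem"
fp=$(api_key_fingerprint "$workdir/oci_api_key.pem")
echo "API Key Fingerprint for the encryption profile: $fp"
```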