ADD ENCRYPTIONPROFILE

Use ADD ENCRYPTIONPROFILE to add an encryption profile that lets Oracle GoldenGate retrieve its master key from Oracle Key Vault or Oracle Cloud Infrastructure Key Management Service.

An encryption profile is used to retrieve a master key from an external Key Management Service (KMS). You can choose between Oracle Key Vault (OKV) and Oracle Cloud Infrastructure Key Management Service (OCIKMS).

If there is no explicitly defined encryption profile, then a Local Wallet is used as the default profile.

For more information, see What is an Encryption Profile?

Syntax

ADD ENCRYPTIONPROFILE encryption-profile-name
                 ( OKV
                   ( OKVPATH dir-path
                     [ KEYNAMEATTRIBUTE key-name-attribute ]
                     [ KEYVERSIONATTRIBUTE key-version-attribute ]
                     [ OKVVERSION okv-version ]
                     MASTERKEY
                     [ NAME ] masterkey-name
                     [ VERSION masterkey-version ]
                     [ TTL ttl ] )
                 | OCIKMS
                   ( ENDPOINT endpoint
                     TENANCY tenancy-ocid
                     USER user-ocid
                     APIKEY api-key-file
                     FINGERPRINT fingerprint
                     KEY key-ocid ) )
                 [ DEFAULT ]

OKV options:

OKVPATH dir-path

Specifies the directory where the Oracle Key Vault client is installed.

KEYNAMEATTRIBUTE key-name-attribute

Custom attribute used in the Oracle Key Vault server to specify the master key name.

KEYVERSIONATTRIBUTE key-version-attribute

Custom attribute used in the Oracle Key Vault server to specify the master key version.

OKVVERSION okv-version

Oracle Key Vault (OKV) version. Possible values are 18.1 and 21.4.

MASTERKEY [NAME] masterkey-name

Name of the master key. This value must match the key name in the KMS parameter in Oracle GoldenGate and cannot be changed once replication has started.

MASTERKEY [VERSION masterkey-version]

Version of the master key. This must be a numeric value.
OCIKMS options:

ENDPOINT endpoint

Specifies the cryptographic endpoint of the OCI KMS vault.

TENANCY tenancy-ocid

Specifies the tenancy OCID.

USER user-ocid

Specifies the OCID of the user.

APIKEY api-key-file

Specifies the path to the file containing the OCI API signing key. The key is read from this file and sent to Oracle GoldenGate. If you need to change the OCI API key later, use the ALTER ENCRYPTIONPROFILE command.

KEY key-ocid

Specifies the OCID of a key stored in your OCI KMS vault. This is the key that Oracle GoldenGate uses for encryption (trail encryption).

FINGERPRINT fingerprint

MD5 hash (fingerprint) of the API signing key.

DEFAULT

Specifies whether this is the current encryption profile. If you set DEFAULT YES, the encryption profile becomes the current encryption profile. If you set DEFAULT NO, the encryption profile is removed as the current profile. If no encryption profile is explicitly defined as current (for example, you set DEFAULT NO on the previously current one), then the implicit default profile is LocalWallet.

Note:

Do not upload keys with duplicate values of KeyName and KeyVersion. At startup, restart, or rollover, Oracle GoldenGate processes retrieve the key with the highest KeyVersion value.
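Example

The following Python helper is an added example, not part of Oracle GoldenGate or its documentation: it builds ADD ENCRYPTIONPROFILE commands for both KMS types from the syntax above and rejects values the reference rules out (an OKVVERSION other than 18.1 or 21.4, a non-numeric MASTERKEY VERSION, a malformed FINGERPRINT). The "ocid1." prefix check and the colon-separated MD5 fingerprint format are assumptions about OCI, and every path and identifier used with it is a constructed placeholder.

```python
import re

OKV_VERSIONS = ("18.1", "21.4")  # OKVVERSION values the reference lists
# Assumption: the OCI fingerprint is the MD5 of the API signing key's public
# half, written as 16 colon-separated hex bytes (aa:bb:...:ff).
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")


def okv_profile(name, okvpath, masterkey, version=None, ttl=None, okv_version=None,
                key_name_attr=None, key_version_attr=None, default=False):
    """Build ADD ENCRYPTIONPROFILE <name> OKV ( ... ) following the reference syntax."""
    if okv_version is not None and okv_version not in OKV_VERSIONS:
        raise ValueError(f"OKVVERSION must be one of {OKV_VERSIONS}, got {okv_version!r}")
    if version is not None and not str(version).isdigit():
        raise ValueError("MASTERKEY VERSION must be a numeric value")
    opts = [f"OKVPATH {okvpath}"]            # required: OKV client install directory
    if key_name_attr:
        opts.append(f"KEYNAMEATTRIBUTE {key_name_attr}")
    if key_version_attr:
        opts.append(f"KEYVERSIONATTRIBUTE {key_version_attr}")
    if okv_version:
        opts.append(f"OKVVERSION {okv_version}")
    opts.append(f"MASTERKEY NAME {masterkey}")  # must match the key name in the KMS
    if version is not None:
        opts.append(f"VERSION {version}")
    if ttl is not None:
        opts.append(f"TTL {ttl}")
    return _assemble(name, "OKV", opts, default)


def ocikms_profile(name, endpoint, tenancy, user, apikey, fingerprint, key, default=False):
    """Build ADD ENCRYPTIONPROFILE <name> OCIKMS ( ... ); every OCIKMS option is required."""
    # Assumption: OCIDs always start with "ocid1." (tenancy, user and key OCIDs alike).
    for label, value in (("TENANCY", tenancy), ("USER", user), ("KEY", key)):
        if not value.startswith("ocid1."):
            raise ValueError(f"{label} must be an OCID, got {value!r}")
    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError("FINGERPRINT must be the MD5 fingerprint of the API signing key")
    opts = [f"ENDPOINT {endpoint}", f"TENANCY {tenancy}", f"USER {user}",
            f"APIKEY {apikey}", f"FINGERPRINT {fingerprint}", f"KEY {key}"]
    return _assemble(name, "OCIKMS", opts, default)


def _assemble(name, kms, opts, default):
    """Join the option list into one command; DEFAULT makes this the current profile."""
    cmd = f"ADD ENCRYPTIONPROFILE {name} {kms} ( {' '.join(opts)} )"
    return cmd + " DEFAULT" if default else cmd
```

The returned string is what you would paste into the Admin Client; the generated command is only as correct as the page's syntax, so check it against the reference before use.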