CDC Replication and Transparent Data Encryption

The CDC Replication Engine for Oracle databases supports replication of encrypted data that is generated by Transparent Data Encryption on Oracle versions between 11gR2 and 18c.

The CDC Replication Engine for Oracle databases does not support replication from encrypted table spaces on Oracle 19c and later, but you can still replicate changes from encrypted columns in a table that is not in an encrypted table space. The CDC Replication Engine for Oracle XStream supports Transparent Data Encryption for both encrypted table spaces and encrypted table columns on Oracle version 19c and newer.

To replicate changes from encrypted table spaces on Oracle 19c and later, use the CDC Replication Engine for Oracle XStream.

If you cannot migrate to the CDC Replication Engine for Oracle XStream, use the workarounds described below. Replication of version 12c to 18c data that uses column encryption and table space encryption is supported by the CDC Replication Engine for Oracle databases at Version 11.4.0.2-5101 and later.

To replicate encrypted data by using the CDC Replication Engine for Oracle databases, you must provide an Oracle master key. For an Oracle 12c container database, you need both the root database master key and the pluggable database master key.

Master keys are stored in the secrets.jks file in the CDC Replication keystore directory. The password that CDC Replication needs to access secrets.jks is stored in secrets.b64.

Important: These two files should be protected from unauthorized reads because they contain the input master key.
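
One way to check the protection described above, as an added example that is not part of the original page or of IBM's tooling: a shell function that audits secrets.jks and secrets.b64 for access beyond the owning account. The keystore directory is passed as an argument because the page does not give its path, and the owner-only expectation (no group/other bits, no ACL, directory not writable by others) is an assumption about your deployment.

```sh
#!/bin/sh
# Added example: audit access to the CDC Replication key files.
# Assumption: only the owning account should have any access to them.

# Prints one line per finding; the return status is the number of findings.
check_keystore_perms() {
    dir=$1    # keystore directory (path is deployment-specific)
    findings=0
    for name in secrets.jks secrets.b64; do
        path="$dir/$name"
        if [ -L "$path" ]; then
            echo "FINDING: $path is a symbolic link; audit its target"
            findings=$((findings + 1)); continue
        fi
        if [ ! -f "$path" ]; then
            echo "FINDING: $path is missing or not a regular file"
            findings=$((findings + 1)); continue
        fi
        listing=$(ls -ld "$path")
        mode=$(printf '%s\n' "$listing" | cut -c1-10)
        # Characters 5-10 of the mode string are the group and other bits.
        case $(printf '%s\n' "$mode" | cut -c5-10) in
            ------) ;;
            *) echo "FINDING: $path mode $mode grants group/other access"
               findings=$((findings + 1)) ;;
        esac
        # An 11th character of '+' means an ACL may grant extra readers.
        case $(printf '%s\n' "$listing" | cut -c11) in
            +) echo "FINDING: $path has an ACL; review its entries"
               findings=$((findings + 1)) ;;
        esac
    done
    # Group/other write on the directory allows the key files to be replaced.
    case $(ls -ld "$dir" 2>/dev/null | cut -c6,9) in
        --) ;;
        *) echo "FINDING: $dir is missing or writable by group/other"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Run the audit when a directory is given on the command line.
[ "$#" -eq 0 ] || check_keystore_perms "$1"
```

A zero exit status means no findings, so the script can gate a deployment check or a scheduled audit job.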

Oracle 19c considerations

The CDC Replication Engine for Oracle databases does not support replication of encrypted data that is generated by Transparent Data Encryption from encrypted table spaces on Oracle 19c and later. You can still replicate changes from encrypted columns in a table that is not in an encrypted table space and in the specific scenarios described below.

  • If you must upgrade to Oracle 19c, maintain your Oracle database at the 18c compatibility level prior to upgrading to 19c if update patches must be applied. By doing so, you will not enable the new changes that Oracle made to log encryption. For more details, see Considerations for InfoSphere Data Replication for Oracle and Oracle 19c upgrade changes.
  • If Oracle 19c is already in use and TDE cannot be disabled, limited support for replication of non-TDE data might be possible. CDC Replication Engine for Oracle databases requires that your configuration meet the following conditions:
    • In-scope tables cannot be in encrypted table spaces.
    • Any DML changes to the tables must be in a transaction that does not include DML changes from an encrypted table. For example, if table T1 is in a normal table space, table T2 is in an encrypted table space, and DML changes on T1 and T2 are in the same transaction, then Oracle might encrypt the log entry for the changes to T1.

If you need to replicate changes from an Oracle 19c or later database with TDE enabled, consider migrating to the CDC Replication Engine for Oracle XStream as a long-term solution to avoid the limitations that are mentioned here.