Data encryption considerations
Encryption and CDC Replication can be viewed in two major contexts: data transmission and data storage.
Data storage
For CDC Replication engines on Linux®, UNIX and Windows platforms, the majority of CDC Replication metadata is stored in an embedded database in your CDC Replication installation directory. A small portion of CDC Replication metadata is stored in your database, where it is not encrypted. For CDC Replication engines on z/OS® and IBM® i platforms, CDC Replication metadata is stored in your database and is not encrypted. For all CDC Replication engines, user credentials are obfuscated using the standard DES algorithm.
CDC Replication trace information is not encrypted, although user-sensitive information such as user names and passwords is removed from traces.
If you are interested in higher levels of encryption for stored data, you can deploy an encrypted file system.
Data transmission
CDC Replication encrypts communication with TLS when TLS is configured on both ends of the connection. You can configure CDC Replication either to negotiate TLS encryption through STARTTLS or to always encrypt with TLS, but you cannot configure CDC Replication for both methods at the same time. Table 1 shows the compatibility of the different CDC Replication encryption options (the row and column are the settings on the two ends of the connection):
| | Unsupported | Disabled | Enabled | Required | Always |
|---|---|---|---|---|---|
| Unsupported | Unencrypted | Unencrypted | Unencrypted | Incompatible | Incompatible |
| Disabled | Unencrypted | Unencrypted | Unencrypted | Incompatible | Incompatible |
| Enabled | Unencrypted | Unencrypted | Encrypted | Encrypted | Incompatible |
| Required | Incompatible | Incompatible | Encrypted | Encrypted | Incompatible |
| Always | Incompatible | Incompatible | Incompatible | Incompatible | Encrypted |
CDC Replication provides four encryption options: Disabled, Enabled, Required, and Always. These options are exposed under different names depending on the application and setting. Table 2 shows how the various TLS encryption options map to different applications and settings.
| Application and settings | Equivalent |
|---|---|
| Older versions of CDC Replication | Unsupported |
| Access Server with enableTLS=false | Disabled |
| Access Server with enableTLS=true and datastoresAlwaysTLS=false | Enabled |
| Access Server with enableTLS=true and datastoresAlwaysTLS=true | Always |
| z/OS AT-TLS with ApplicationControlled On | Enabled |
| z/OS AT-TLS with ApplicationControlled Off | Always |
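The following Python model is an added example and is not part of IBM's documentation or of the CDC Replication product code. It reproduces the outcomes in Table 1 from a small set of negotiation rules and the Access Server mapping in Table 2, so that a pair of endpoint settings can be checked before deployment for the two outcomes a practitioner cares about: a link that will not come up (Incompatible) and, more dangerously, a link that comes up but replicates in the clear (Unencrypted). The rules it encodes (Unsupported and Disabled as plain connections, Enabled as opportunistic STARTTLS, Required as mandatory STARTTLS, Always as TLS from the first byte) are an interpretation of the table, not a description of how the product is implemented, and the function names `negotiate`, `access_server_mode`, `table1` and `risky_pairs` are assumptions made for this example.

```python
# Added example (not IBM's code): a model of how two CDC Replication endpoints
# with the TLS options on this page end up Encrypted, Unencrypted or
# Incompatible (Table 1), plus the Access Server setting mapping (Table 2).
from __future__ import annotations

from itertools import product

MODES = ("Unsupported", "Disabled", "Enabled", "Required", "Always")

# Assumed semantics behind Table 1 (an interpretation, not taken from the page):
#   Unsupported/Disabled : plain connection, no STARTTLS offered or accepted
#   Enabled              : offers/accepts STARTTLS, falls back to plain
#   Required             : STARTTLS must succeed, otherwise the connection is refused
#   Always               : TLS from the first byte, no STARTTLS exchange at all


def negotiate(local: str, remote: str) -> str:
    """Return 'Encrypted', 'Unencrypted' or 'Incompatible' for a pair of modes."""
    for mode in (local, remote):
        if mode not in MODES:
            raise ValueError(f"unknown TLS mode: {mode!r}")
    pair = {local, remote}
    # Implicit TLS only talks to implicit TLS: a STARTTLS or plain peer
    # cannot complete the handshake.
    if "Always" in pair:
        return "Encrypted" if pair == {"Always"} else "Incompatible"
    starttls_capable = {"Enabled", "Required"}
    if "Required" in pair:
        # The strict side refuses to continue unless the peer can do STARTTLS.
        return "Encrypted" if pair <= starttls_capable else "Incompatible"
    if pair == {"Enabled"}:
        return "Encrypted"  # both opportunistic sides agree to upgrade
    return "Unencrypted"  # at least one side cannot or will not upgrade


def access_server_mode(enable_tls: bool, datastores_always_tls: bool) -> str:
    """Map the Access Server settings in Table 2 to the equivalent mode."""
    if not enable_tls:
        return "Disabled"
    return "Always" if datastores_always_tls else "Enabled"


def table1() -> dict[tuple[str, str], str]:
    """The full compatibility matrix as the model produces it."""
    return {(a, b): negotiate(a, b) for a, b in product(MODES, MODES)}


def risky_pairs(pairs) -> list[tuple[str, str]]:
    """Mode pairs that will run, but replicate without encryption."""
    return sorted({(a, b) for a, b in pairs if negotiate(a, b) == "Unencrypted"})


if __name__ == "__main__":
    # Constructed sample: an Access Server with enableTLS=true and
    # datastoresAlwaysTLS=false talking to an older engine without TLS support.
    mode = access_server_mode(True, False)
    print(mode, "<->", "Unsupported", "=", negotiate(mode, "Unsupported"))
    for (a, b), result in table1().items():
        print(f"{a:<12}{b:<12}{result}")
    print("pairs that silently run unencrypted:", risky_pairs(table1()))
```

Run as a script, the block prints the matrix so it can be compared cell by cell with Table 1; the `risky_pairs` list is the one to review in a deployment, because those combinations do not fail loudly the way an Incompatible pair does.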
You can also use externally secured encryption channels such as SSH tunneling or hardware VPN endpoints. Because of the volume of data that is transmitted by the product and the computational requirements of encryption, hardware-based encryption is optimal for most deployments of CDC Replication.