Supported encryption methods

This section describes which encryption methods Qlik Replicate supports when working with an Oracle source database, and details the requirements for HSM encryption support.

TDE encryption

Limitations and considerations

• NNE (Native Network Encryption) is supported as long as it is configured correctly both on Oracle and in the Oracle client sqlnet.ora file.
• Replication of columns encrypted with the 3DES168 algorithm is not supported.

HSM encryption

Prerequisites

• An Oracle DBA should install the PKCS #11 client on the Replicate machine and configure it to work with HSM.

• Define the AREP_HSM_LIB environment variable with a path to pkcs11 dll/so.

  Example:

  • set AREP_HSM_LIB=C:\Program Files\Vormetric\DataSecurityExpert\Agent\pkcs11\bin\vorpkcs11.dll

  • export AREP_HSM_LIB=/opt/cloudhsm/lib/libcloudhsm_pkcs11.so

Setup

Once the above prerequisites have been fulfilled, configure the Secret Store Names and Secret Store Values fields in the Oracle endpoint's General tab as follows:

1. Enter HSM in Secret Store Names field.
2. In the Secret Store Values field, set either crypto_username:password or just password depending on your HSM. For Oracle Key Vault, the password should be the same as the one used to install the okvclient.jar. The password or crypto_username:password combination are the same credentials that were used to create the TDE master key.

Limitations and considerations

• When working with Oracle Key Vault for Oracle 19, Oracle 19.17 full client or later must be installed.

  Information noteOracle Key Vault can be used with any HSM using the PKCS#11 API. Using Oracle Vault in OCI (Oracle Cloud Infrastructure) is not supported, as it does not provide a public PKCS#11 API.
• Replication of columns encrypted with the 3DES168 algorithm is not supported.