Enable encryption for a Replication-enabled source database that is online

To enable encryption for a Replication-enabled source database that is online, use the following procedure:

  1. Add the Encryption Policy Area to both the source database and target databases.
  2. Enable encryption.

    Use the following command:

    proutil source-db-name -C enableEncryption 
    [-Cipher cipher-name][-Autostart admin | user]
  3. Update the Encryption Policy as required.

    Use the following command:

    proutil db-name -C epolicy manage . . .

    Note that entering the command as shown above, without supplying any arguments, generates an error.

  4. Copy the source directory key store (source-db-name.ks) to the target machine and place it into the target database directory. (The source database key store was created when you enabled the database for transparent data encryption.)

Once encryption is enabled on the source database and the replication process resumes, the Replication agent performs various tasks that automatically enable encryption for the target database based on the specific encryption after-image notes it processes. During this processing, the Replication agent stops reading TCP/IP messages from the Replication server, which means that the Replication server is no longer reading after-image blocks until the target database keystore file is available.

This pause could result in the interruption of database updates on the source database. Source database interruption can be minimized or eliminated by copying the source database key store—db-name.ks—to the target database directory immediately after encryption is enabled on the source database.