Default: The default value depends upon the combination of encryption-related parameters that are used. To enable encryption, either the ENCRYPTION or ENCRYPTION_PASSWORD parameter, or both, must be specified.
If only the ENCRYPTION_PASSWORD parameter is specified, then the ENCRYPTION parameter defaults to ALL.
If only the ENCRYPTION parameter is specified and the Oracle encryption wallet is open, then the default mode is TRANSPARENT. If only the ENCRYPTION parameter is specified and the wallet is closed, then an error is returned.
If neither ENCRYPTION nor ENCRYPTION_PASSWORD is specified, then ENCRYPTION defaults to NONE.
Purpose
Specifies whether to encrypt data before writing it to the dump file set.
Syntax and Description
ENCRYPTION = [ALL | DATA_ONLY | ENCRYPTED_COLUMNS_ONLY | METADATA_ONLY | NONE]
ALL enables encryption for all data and metadata in the export operation.
DATA_ONLY specifies that only data is written to the dump file set in encrypted format.
ENCRYPTED_COLUMNS_ONLY specifies that only encrypted columns are written to the dump file set in encrypted format. This option cannot be used in conjunction with the ENCRYPTION_ALGORITHM parameter because the columns already have an assigned encryption format and by definition, a column can have only one form of encryption.
If you specify the ENCRYPTED_COLUMNS_ONLY option, then the maximum length allowed for an encryption password (specified with ENCRYPTION_PASSWORD) is 30 bytes.
If you specify the ALL, DATA_ONLY, or METADATA_ONLY options or if you accept the default, then the maximum length allowed for an encryption password is 128 bytes.
To use the ENCRYPTED_COLUMNS_ONLY option, you must have Oracle Advanced Security Transparent Data Encryption (TDE) enabled. See Oracle Database Advanced Security Guide for more information about TDE.
METADATA_ONLY specifies that only metadata is written to the dump file set in encrypted format.
NONE specifies that no data is written to the dump file set in encrypted format.
SecureFiles Considerations for Encryption
If the data being exported includes SecureFiles that you want to be encrypted, then you must specify ENCRYPTION=ALL to encrypt the entire dump file set. Encryption of the entire dump file set is the only way to achieve encryption security for SecureFiles during a Data Pump export operation. For more information about SecureFiles, see Oracle Database SecureFiles and Large Objects Developer's Guide.
Oracle Database Vault Considerations for Encryption
When an export operation is started, Data Pump determines whether Oracle Database Vault is enabled. If it is, and dump file encryption has not been specified for the job, a warning message is returned to alert you that secure data is being written in an insecure manner (clear text) to the dump file set:
ORA-39327: Oracle Database Vault data is being stored unencrypted in dump file set
You can abort the current export operation and start a new one, specifying that the output dump file set be encrypted.
Restrictions
To specify the ALL, DATA_ONLY, or METADATA_ONLY options, the COMPATIBLE initialization parameter must be set to at least 11.0.0.
This parameter is valid only in the Enterprise Edition of Oracle Database 11g or later.
Data Pump encryption features require that the Oracle Advanced Security option be enabled. See Oracle Database Licensing Information for information about licensing requirements for the Oracle Advanced Security option.
Example
The following example performs an export operation in which only data is encrypted in the dump file:
> expdp hr DIRECTORY=dpump_dir1 DUMPFILE=hr_enc.dmp JOB_NAME=enc1 ENCRYPTION=data_only ENCRYPTION_PASSWORD=foobar
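The defaulting rules, password length limits and option conflicts described above can be checked before a job is submitted. The following pre-flight check is an added example, not part of the Oracle documentation or of Data Pump; the function names and the wallet_open, has_securefiles and vault_enabled flags are hypothetical inputs supplied by the caller, and password bytes are assumed to be counted in UTF-8.

```python
"""Pre-flight lint for expdp encryption parameters (added example, hypothetical names)."""
VALUES = {"ALL", "DATA_ONLY", "ENCRYPTED_COLUMNS_ONLY", "METADATA_ONLY", "NONE"}

def parse_params(text):
    """Collect KEY=VALUE tokens from a command line or parameter file."""
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            params[key.upper()] = value
    return params

def effective_encryption(params, wallet_open):
    """Resolve the ENCRYPTION value using the defaulting rules on this page."""
    has_pw = "ENCRYPTION_PASSWORD" in params
    if "ENCRYPTION" not in params:
        return "ALL" if has_pw else "NONE"
    enc = params["ENCRYPTION"].upper()
    if enc not in VALUES:
        raise ValueError(f"invalid ENCRYPTION value: {enc}")
    # Assumption: an explicit NONE needs no key, so the wallet rule is skipped for it.
    if enc != "NONE" and not has_pw and not wallet_open:
        raise ValueError("only ENCRYPTION is specified and the wallet is closed")
    return enc

def lint(params, wallet_open=False, has_securefiles=False, vault_enabled=False):
    """Return (effective ENCRYPTION value, list of findings)."""
    enc = effective_encryption(params, wallet_open)
    findings = []
    password = params.get("ENCRYPTION_PASSWORD")
    if password is not None:
        limit = 30 if enc == "ENCRYPTED_COLUMNS_ONLY" else 128
        # Assumption: bytes are counted in UTF-8, so multibyte characters cost more.
        if len(password.encode("utf-8")) > limit:
            findings.append(f"password exceeds {limit} bytes for ENCRYPTION={enc}")
    if enc == "ENCRYPTED_COLUMNS_ONLY" and "ENCRYPTION_ALGORITHM" in params:
        findings.append("ENCRYPTION_ALGORITHM cannot be used with ENCRYPTED_COLUMNS_ONLY")
    if has_securefiles and enc != "ALL":
        findings.append("SecureFiles are encrypted only with ENCRYPTION=ALL")
    if vault_enabled and enc == "NONE":
        findings.append("Database Vault data would be stored unencrypted (ORA-39327)")
    return enc, findings

if __name__ == "__main__":
    # The page's example command line; the SecureFiles flag is a constructed input.
    cmd = ("expdp hr DIRECTORY=dpump_dir1 DUMPFILE=hr_enc.dmp JOB_NAME=enc1 "
           "ENCRYPTION=data_only ENCRYPTION_PASSWORD=foobar")
    print(lint(parse_params(cmd), has_securefiles=True))
```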