IBM Support

DB2LUW Simple steps to do backup/restore with Native Encrypted database

Technical Blog Post



Body

I am creating this blog entry because I noticed there is confusion about how to simply back up a native encrypted Db2 database and restore it to a different place.

 

There are good documents on the IBM site, but they either give the steps for the case where the backup itself is to be encrypted, or the steps might not have specific details.
For example:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/t0070021.html
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/t0070099.html
https://www.ibm.com/developerworks/data/library/techarticle/dm-1504-master-encrypted-keys/index.html


I just wanted to document a simple case with basic command syntax for when a general backup and restore is needed.

================================================================================

Export the Encryption Key from source :

db2 connect to <source-db-name>

db2 -x "select master_key_label from table(sysproc.admin_get_encryption_info());"

 

This returns a long key label, which is used to export the appropriate item from the keystore. Use the full path to the binaries so that the proper GSKit libraries are referenced.

For example:

<source-inst-home>/sqllib/gskit/bin/gsk8capicmd_64 -cert -export -db <key-store-file-location>/<key-store-file-name> -stashed -label <the-long-label-from-last-command> -target thedb.key

NOTE: The thedb.key file is not password-protected and contains the encryption key that would allow your database to be restored elsewhere. Take appropriate precautions when storing or moving it.


Then back up the database on the source:

db2 backup database <db-name>

 

Copy the thedb.key file and the backup image file to the target box and keep them in a temp path.

 

Import the key on the target from the temp path into the existing local keystore:

<target-inst-home>/sqllib/gskit/bin/gsk8capicmd_64 -cert -import -db <temp-path>/thedb.key -target <target-key-store-path>/<target-key-store-file-name> -target_stashed

 
Then run the restore on the target database:

db2 restore db <db-name> encrypt

====================================================================================
 

If there are no databases on the target, you just need to copy the entire keystore file from the source to the target and run a simple backup and restore with just the encrypt option for the restore.
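
Added example (not part of the original post and not IBM tooling): shell helpers for handling the unprotected thedb.key file between the export and import steps above, following the NOTE about taking precautions when storing or moving it. They assume Linux with GNU coreutils (stat -c, sha256sum, shred); the function names are hypothetical.

```shell
# Added example. Assumes Linux with GNU coreutils (stat -c, sha256sum, shred).
# Run `umask 077` before the gsk8capicmd_64 export so thedb.key is never
# created group- or world-readable in the first place.

# True only for a regular, non-symlink file owned by the caller with no
# group/other permission bits (for example mode 600 or 400).
key_file_is_private() {
    local f=$1 mode
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Source side, after the export: lock the file down and write a SHA-256
# manifest (thedb.key.sha256) to copy alongside it.
seal_key_file() {
    local f=$1 dir base
    dir=$(dirname "$f"); base=$(basename "$f")
    chmod 600 "$f" || return 1
    key_file_is_private "$f" || return 1
    ( cd "$dir" && sha256sum "$base" > "$base.sha256" )
}

# Target side, before the import: return 1 on loose permissions,
# 2 when the file does not match the manifest written on the source.
check_key_file() {
    local f=$1 dir base
    dir=$(dirname "$f"); base=$(basename "$f")
    key_file_is_private "$f" || { echo "refusing: $f is not owner-only" >&2; return 1; }
    ( cd "$dir" && sha256sum --status -c "$base.sha256" ) \
        || { echo "refusing: checksum mismatch for $f" >&2; return 2; }
}

# After a successful import: overwrite and delete the staged copy.
# shred is best-effort on journaling or copy-on-write filesystems.
discard_key_file() {
    local f=$1
    shred -u "$f" 2>/dev/null || rm -f "$f"
    rm -f "$f.sha256"
    [ ! -e "$f" ]
}
```

Call seal_key_file on the source after the export, check_key_file on the target before the import, and discard_key_file once the restore has succeeded.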
