Informix 12.10.xC8 was released earlier this month (December 2016). The key feature in this release is Encryption at Rest (EAR). EAR provides disk level encryption for all the various spaces used by your Informix server. Encryption is performed at the lowest level, during the disk I/O operations, when data is read from or written to disk.
EAR is useful in most situations. We strongly recommend using EAR in IoT environments however, where your Informix server is located at the edge of your IoT architecture. These are typically locations inside a factory, or attached inside a delivery truck. The risk of physical loss of the device from theft is much more likely in these environments than inside a server room.
We’ve been working with several companies that are integrating Informix into their smart gateway/IoT edge devices, and so I wanted to test EAR and learn how to encrypt an existing database. The instructions looked simple, and the process really is. Here are the steps that I went through to encrypt the storage, along with some “gotchas” and observations.
I started the process by upgrading our environment (Intel Atom 64 bit) from 12.10.xC7 to xC8. I just did an update in place. (I had performed a backup previously). You’ll notice conversion messages in your log after upgrading to xC8. These are due to structure changes needed to support EAR.
Once my system was up and running with xC8, I performed a whole system backup using onbar. Our environment already had onbar and PSM set up, and so this was a simple command line invocation: onbar -b -w
I then shut down the server using: onmode -k
In the $ONCONFIG file, I created a new entry for DISK_ENCRYPTION. This entry takes a key=value pair as the parameter. Using the key "keystore" is important. The name of your keystore is up to you (my keystore was called tgm_keystore). The entry looks like this: DISK_ENCRYPTION keystore=tgm_keystore
The first time I did this, I forgot the keyword “keystore”. There were some error messages thrown, but I did end up with a keystore file with a generated name in my $INFORMIXDIR/etc/ directory. Since I was not sure whether everything worked correctly, I ended up deleting all my dbspaces and then using the UNIX touch command to recreate them as 0 length files, and starting over. Make sure the UNIX file permissions are 660 with chmod. (It is comforting to have that whole system backup :) )
Restore the (whole system) database using onbar. The new option is the -encrypt flag. The command looks like this: onbar -r -encrypt -w
If you forget the -encrypt flag, the system will be restored, but the spaces will not be encrypted. (I know about this too :) ). When onbar finishes, it will leave the server in quiescent mode. To move the server to multi-user mode use: onmode -m
All of your dbspaces should now be encrypted. You will now find two new files in $INFORMIXDIR/etc - one is tgm_keystore.p12 (the keystore file) and the other is tgm_keystore.sth (the Master Key stash file that contains the encrypted info to decrypt the keystore file). Both of these files have 600 file permissions.
You can now check that encryption is enabled in the server by using: oncheck -pr | head -15. This dumps the reserved pages (the first 15 lines of output). In the output you can see that "Encryption-at-rest is enabled using cipher 'aes128'".
You can also check whether specific dbspaces are encrypted using: onstat -d
This output shows a row for each dbspace. In the "flags" column, you will see the letter 'E', which means the dbspace is encrypted.
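As an added example that is not from the original post, here is a small POSIX shell script that checks for the gotchas described above after the restore: that the DISK_ENCRYPTION entry actually carries the keystore= key, that the keystore .p12 and .sth files are mode 600, and that the chunk files are mode 660. It runs against a constructed sample directory; the config file name onconfig.demo and the chunk directory layout are assumptions, not Informix defaults.

```shell
#!/bin/sh
# Added example, not from the original post: post-restore sanity checks for
# Informix Encryption at Rest. Assumes ONCONFIG syntax (PARAMETER value) and
# keystore files <name>.p12 / <name>.sth in $INFORMIXDIR/etc.

# Print the keystore name from the DISK_ENCRYPTION entry; fail when the entry
# is absent or was written without the required "keystore=" key.
ear_keystore_name() {
  awk '$1 == "DISK_ENCRYPTION" {
         for (i = 2; i <= NF; i++)
           if ($i ~ /^keystore=/) { sub(/^keystore=/, "", $i); print $i; found = 1 }
       }
       END { if (!found) exit 1 }' "$1"
}

# Octal permission bits of a file (GNU stat, with a BSD/macOS fallback).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# The .p12 keystore and .sth master key stash must both exist with mode 600.
ear_keystore_ok() {
  for f in "$1/$2.p12" "$1/$2.sth"; do
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    m=$(file_mode "$f")
    [ "$m" = "600" ] || { echo "$f is mode $m, expected 600" >&2; return 1; }
  done
}

# Chunk files recreated with touch need chmod 660 before the restore.
chunks_ok() {
  for c in "$1"/*; do
    m=$(file_mode "$c")
    [ "$m" = "660" ] || { echo "$c is mode $m, expected 660" >&2; return 1; }
  done
}
# Constructed sample environment (not a real Informix instance).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/etc" "$demo/chunks"
printf 'ROOTNAME rootdbs\nDISK_ENCRYPTION keystore=tgm_keystore\n' > "$demo/etc/onconfig.demo"
printf 'DISK_ENCRYPTION tgm_keystore\n' > "$demo/etc/onconfig.bad"   # keyword forgotten
touch "$demo/etc/tgm_keystore.p12" "$demo/etc/tgm_keystore.sth" "$demo/chunks/rootdbs"
chmod 600 "$demo/etc"/tgm_keystore.* && chmod 660 "$demo/chunks"/*
if ks=$(ear_keystore_name "$demo/etc/onconfig.demo") \
   && ear_keystore_ok "$demo/etc" "$ks" && chunks_ok "$demo/chunks"; then
  echo "EAR setup looks consistent (keystore: $ks)"
fi
```

Point the three functions at your real $ONCONFIG, $INFORMIXDIR/etc and chunk directory to run the same checks on a live server.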
At this point, your xC8 server is configured to support encryption at rest, your existing dbspaces are all encrypted, and you are ready to go. If you are starting with a new environment, the process is even simpler, as you don’t need to encrypt your existing dbspaces. See the Knowledge Center for information on that situation, or for more information on what is described above.
We’ll have lots more information on EAR and other Informix security topics at the upcoming IIUG conference in Raleigh, North Carolina (April 23-27, 2017). See you there!