Encrypting passwords

In the Db2® system, passwords can be encrypted on both the host and the client by using FIPS 140-compliant algorithms.

On the host side, passwords are encrypted (and decrypted for verification during authentication) by using a host key, which is a symmetric key that is stored on the host in encrypted form. You can choose an encryption key from a keystore to serve as the host key.

On the client side, the dbpassword command is used to store the user passwords. Each client has its own unique client key, which is used to encrypt the user passwords stored on that client. For more information about dbpassword usage, see The dbpassword command.

When dbpassword is used for the first time, it generates a native client key, which is stored on the client machine and is used to encrypt the user passwords on that client. The administrator does not choose this key; the system generates it.