Configuring DB2 data encryption (optional)

DB2® native encryption encrypts your database, requires no hardware, software, application, or schema changes, and provides transparent and secure key management. You can add encryption during the upgrade process if it is not already configured.

About this task

Note: Data encryption is optional.

To encrypt the database:

  1. Open a DB2 command window.
    Linux: enter the following command, where db2user is the DB2 user:
    su - db2user
  2. If your system has multiple DB2 instances, set DB2INSTANCE to the instance that owns the CFDB database. In the DB2 command window, enter the following command (in a Linux shell, use export in place of set):
    set DB2INSTANCE=instance_name
  3. Verify whether the database is already encrypted:
    db2pd -db CFDB -encryptioninfo
    If the database is already encrypted, the output includes a Master Key Label; in that case, skip the remaining steps.
  4. Create the keystore by entering the following command:
    gsk8capicmd -keydb -create -db /db2_home/db2/cfdbkeystore.p12 -pw StrongPassword -strong -type pkcs12 -stash
    db2_home is the directory where DB2 is installed:
    • Linux operating system: /home/db2user/
  5. Configure the DB2 instance with the new keystore:
    db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2/cfdbkeystore.p12
  6. Generate a backup image of the database:
    db2 backup database cfdb
  7. Drop the database:
    db2 drop database cfdb
  8. Restore the backup image into a new encrypted database:
    db2 restore database cfdb encrypt
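The whole procedure above as one script, added here as an example and not taken from the DB2 documentation: it repeats the step 3 check so that running it against an already encrypted CFDB does nothing, reads the keystore password from the environment, and restricts the keystore and stash files to the instance owner. The keystore path, backup directory and the sample db2pd report are assumptions.

```shell
#!/bin/sh
# Added example, not from the DB2 documentation: wraps the procedure above so
# that re-running it on an already encrypted CFDB is a no-op. Keystore path,
# backup directory and the sample report below are assumptions; adjust them.
set -eu
DB_NAME="${DB_NAME:-CFDB}"
KEYSTORE="${KEYSTORE:-/home/db2/cfdbkeystore.p12}"
BACKUP_DIR="${BACKUP_DIR:-/home/db2/backup}"

# Step 3 check, factored out so it can be run on captured db2pd output:
# returns 0 when the report contains a "Master Key Label" line.
is_encrypted_output() {
    printf '%s\n' "$1" | grep -q 'Master Key Label'
}
# Constructed sample of a db2pd -encryptioninfo report for an encrypted database.
SAMPLE_ENCRYPTED_REPORT='Database Encryption Information:
   Encryption Algorithm:    AES
   Master Key Label:        DB2_SYSGEN_db2inst1_CFDB_2024-01-01-00.00.00'

db_is_encrypted() {
    is_encrypted_output "$(db2pd -db "$DB_NAME" -encryptioninfo)"
}

encrypt_database() {
    [ -n "${DB2INSTANCE:-}" ] || { echo "DB2INSTANCE is not set (step 2)" >&2; return 1; }
    if db_is_encrypted; then
        echo "$DB_NAME is already encrypted; nothing to do."
        return 0
    fi
    # The keystore password is read from the environment, not hard-coded here.
    : "${KEYSTORE_PW:?set KEYSTORE_PW before running}"
    # Step 4: create the PKCS#12 keystore and its stash file.
    gsk8capicmd -keydb -create -db "$KEYSTORE" -pw "$KEYSTORE_PW" -strong -type pkcs12 -stash
    # The stash file opens the keystore without a prompt, so restrict both
    # files to the instance owner (assumed hardening step, not in the page).
    chmod 600 "$KEYSTORE" "${KEYSTORE%.p12}.sth"
    # Step 5: point the instance at the keystore.
    db2 update dbm cfg using keystore_type pkcs12 keystore_location "$KEYSTORE"
    # Steps 6-8: the backup image lands in the current directory, so work in
    # BACKUP_DIR and keep the image until the restored database is verified.
    mkdir -p "$BACKUP_DIR" && cd "$BACKUP_DIR"
    db2 backup database "$DB_NAME"
    db2 drop database "$DB_NAME"
    db2 restore database "$DB_NAME" encrypt
    db_is_encrypted
}
# Only act when explicitly asked, so sourcing this file for its functions is safe.
if [ "${RUN_DB2_ENCRYPT:-0}" = "1" ]; then
    encrypt_database
fi
```

Run it with RUN_DB2_ENCRYPT=1 and KEYSTORE_PW set in the DB2 command window after steps 1 and 2; the final db_is_encrypted call makes the script exit non-zero if the restored database does not report a Master Key Label.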