Keystore selection

The first critical decision that must be made is which keystore to use to store the master key that is required by Db2® native encryption.

Db2 can integrate with several types of keystores, each with its own strengths and weaknesses that need to be evaluated against the projected needs of the database.

Choosing the keystore that is best for your environment depends on your current and future needs as well as the following key attributes:
  • Recovery options
  • Availability options
  • Flexibility
  • Direct cost
For example, using a local PKCS #12 keystore file is the least expensive option in terms of direct cost. However, it is also the option that requires you to implement all of the availability and recovery considerations that a keystore needs. A local PKCS #12 keystore file also requires more manual intervention when you share the same keystore across multiple members (for a Db2 pureScale® or partitioned database) or among databases (for HADR). This can mean that the indirect costs of using a local keystore file far outweigh the savings in direct costs. Using a more advanced keystore approach might be more expensive initially, but it provides you with the flexibility to easily share the keystore across the enterprise.