Keystore access by Db2 native encryption

Whenever Db2® needs access to the Data Encryption Key (DEK), the Master Key (MK) is used to decrypt the DEK, which requires the keystore to be opened to access the MK. Depending on the type of keystore being used, the MK is either fetched from the keystore into Db2 for decryption of the DEK, or the DEK is shipped to the keystore for decryption.

The keystore access requests occur independently from each Db2 member that is associated with the active database. The connection to the keystore, which is established by an access request, is maintained during the requested action and is then released.

If the keystore is not available, Db2 attempts the request again on any keystore clones that are defined. If none exist, Db2 attempts the request again on the primary keystore for a configurable number of retry attempts. If the retry attempts fail, then Db2 returns an error. Some keystore access errors are fatal, such as those that occur during encryption of database files or transaction logs. In this scenario, the database will be brought down to prevent data inconsistency.

The following are some of the points where access to the keystore is required by Db2:
  • db2start
  • Create Database
  • Database start (for example, first connect to, or activation of, a database)
  • Transaction log file access (for example, first use)
  • Backup of a database
  • Restore of a database
  • Roll forward
The frequency of access to the keystore varies, depending on the specific processing that is occurring within Db2. This frequency can change in subsequent updates to Db2. In places where Db2 knows that it requires multiple accesses to the DEK, some caching of the DEK occurs in memory to reduce the impact on Db2 performance.
Note: Db2 V.11.1.3.3 significantly reduces the number of keystore accesses required for transaction logs, during the database start.