Keystore access by Db2 native encryption
Whenever Db2® needs access to the Data Encryption Key (DEK), the Master Key (MK) is used to decrypt the DEK, which requires the keystore to be opened so that the MK can be accessed. Depending on the type of keystore in use, either the MK is fetched from the keystore into Db2, which then decrypts the DEK itself, or the DEK is shipped to the keystore, which decrypts it and returns the result.
The keystore access requests occur independently from each Db2 member that is associated with the active database. The connection to the keystore, which is established by an access request, is maintained during the requested action and is then released.
If the keystore is not available, Db2 attempts the request again on any keystore clones that are defined. If none exist, Db2 attempts the request again on the primary keystore for a configurable number of retry attempts. If the retry attempts fail, then Db2 returns an error.
Db2 requires access to the keystore during the following actions:
- db2start
- Create Database
- Database start (for example, first connect to, or activation of, a database)
- Transaction log file access (for example, first use)
- Backup of a database
- Restore of a database
- Roll forward
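The fallback order described above (primary keystore, then any defined clones, otherwise a configurable number of retries on the primary), modelled as an added example that is not Db2 code. Keystore endpoints are represented by callables; the assumption that an error is returned once every clone has also failed is the example's own, since the page does not state that case.

```python
"""Model of the Db2 keystore access fallback order (added illustration,
not Db2 code). Each keystore endpoint is a callable that returns the
result of the request or raises KeystoreUnavailable."""


class KeystoreUnavailable(Exception):
    """Raised by a keystore endpoint that cannot be reached."""


class KeystoreAccessError(Exception):
    """Raised once every fallback and retry has been exhausted."""

    def __init__(self, trace):
        super().__init__(f"keystore unavailable after attempts: {trace}")
        self.trace = trace  # endpoints tried, in order


def access_keystore(primary, clones, retries, request):
    """Run `request` against the keystore in the documented order.

    primary  -- callable(request) for the primary keystore
    clones   -- list of callables for defined keystore clones (may be empty)
    retries  -- configurable number of retry attempts on the primary
    request  -- opaque request (for example, "decrypt-DEK")
    Returns (result, trace); trace lists each endpoint tried in order.
    """
    trace = ["primary"]
    # 1. The request first goes to the primary keystore.
    try:
        return primary(request), trace
    except KeystoreUnavailable:
        pass
    # 2. If clones are defined, the request is retried on each clone.
    #    Assumption: when every clone also fails, an error is returned.
    if clones:
        for i, clone in enumerate(clones):
            trace.append(f"clone{i}")
            try:
                return clone(request), trace
            except KeystoreUnavailable:
                continue
        raise KeystoreAccessError(trace)
    # 3. With no clones, the primary is retried `retries` more times.
    for _ in range(retries):
        trace.append("primary")
        try:
            return primary(request), trace
        except KeystoreUnavailable:
            continue
    raise KeystoreAccessError(trace)
```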