Creating an encrypted database

Create an encrypted database by specifying the ENCRYPT option when using the CREATE DATABASE command.

Before you begin

• If you are using a local key manager, configure IBM Global Security Kit (GSKit), then create the local keystore file and master key.
• If you are using a centralized keystore, with a key manager configured for the Key Management Interoperability Protocol (KMIP), configure the KMIP key manager and master key. You must also have TLS set up correctly between the KMIP key manager and your database server.
• If you are using a centralized keystore that utilizes a Hardware Security Module (HSM) configured for the PKCS #11 API, create a PKCS #11 keystore configuration file. You must also create a stash file to address operational concerns that involve access to PKCS #11 keystore credentials.

• To create an encrypted database with the default settings, specify the ENCRYPT keyword on the CREATE DATABASE command:

  db2 create db <encrypted_database_name> encrypt

• To create an encrypted database with custom settings, specify the ENCRYPT keyword with additional encryption options on the CREATE DATABASE command:

  db2 create db <encrypted_database_name> encrypt
    cipher aes key length <length_of_data_encryption_key>
    master key label <master_key_label>

  Where:

  • CIPHER cipher-name specifies the encryption algorithm that is to be used for encrypting the database.
  • KEY LENGTH key-length specifies the length in bits of the data encryption key that is to be used for encrypting the database.
  • MASTER KEY LABEL label-name specifies a label for the master key that is used to encrypt the database. If you specify this option, the master key must already exist. If you exclude this option, a master key for the database is automatically generated and added to the keystore.

Results

The information in your database can be accessed only by using the appropriate stash file or password.