Configuring native encryption in an HADR environment
When you are encrypting a Db2® HADR configuration, it is important to remember that you are encrypting more than one database. Both the primary and standby databases need to be encrypted to provide the highest level of security.
Before you begin
It is possible to run an encrypted primary database and an unencrypted standby database. However, this configuration is recommended only if the standby database does not need to access any of the files that are encrypted on the primary. An example of such an encrypted file is an archived transaction log file.
While the primary and standby databases each have an independent, unique data encryption key, they must also have access to the same master key (MK). This access ensures that the MK label can flow between the databases when a MK rotation is done, and when the primary and standby databases need to access shared encrypted files.
It is recommended that all of the databases in an HADR environment have access to the same keystore. This can be a PKCS12 key store on a shared file system, or a centralized key store such as a KMIP key manager or PKCS11 hardware security module. It is not recommended to use separate PKCS12 key stores, since they must be manually kept in sync. In cases where a centralized keystore is being used, the databases might each be configured to treat different clones of the same keystore as their primary keystore.
It is also recommended that you consider implementing encryption for the HADR communication as well, to ensure that the data is never exposed. Refer to Configuring TLS for the communication between primary and standby HADR servers for setup instructions.
Procedure
To implement an HADR relationship for encrypted database, take the following steps: