Data encryption
The Db2® database system offers several ways to encrypt data, both at rest in storage and in transit over the network.
Important: The DATA_ENCRYPT authentication type is deprecated and might be removed in a future release. To encrypt data in transit between clients and Db2 databases, we recommend that you use the Db2 database system support for Transport Layer Security (TLS). For more information, see Encryption of data in transit.
Encrypting data at rest
You have the following options for encrypting data at rest:
- You can use Db2 native encryption to encrypt your databases and backup images.
- You can use IBM® InfoSphere® Guardium® Data Encryption to encrypt the underlying operating system data and backup files.
- You can use an encrypted file system (EFS) to encrypt your operating system data and backup files. Use EFS if you are running a Db2 system on the AIX® operating system and you are interested in file-level encryption only.
Encrypting data in transit
To encrypt data in transit between clients and Db2 databases, use the Db2 database system support for Transport Layer Security (TLS).
Attention: TLS was developed in 1999 as the successor to the popular encryption protocol Secure Sockets Layer (SSL). Because of the popularity of SSL, the acronym became synonymous with encryption technology and, by association, with TLS. As a result, some Db2 commands and database objects that are related to TLS encryption still contain 'ssl' in their names. However, Db2 does not use the SSL protocol for data encryption. Any reference to SSL in this guide can be interpreted as TLS.
We recommend that you use Db2 support for TLS to encrypt communication between the following:
- Db2 clients and servers
- Primary and standby nodes in a Db2 HADR environment
- Db2 clients and a Db2 Federation server
Note: Db2 Federation Server also supports TLS encryption of outbound transmissions to some data sources.
Note: DATA_ENCRYPT, and SERVER_ENCRYPT when it uses DES, rely on algorithms that are not compliant with NIST SP 800-131A. If you must comply with NIST SP 800-131A, do not use them. If compliance with NIST SP 800-131A is not a requirement, they are still valid settings.
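As an added example that is not part of the IBM documentation: a small Python audit script that reads the text printed by `db2 get dbm cfg` and `db2set -all` and reports the configurations the at-rest options, the TLS recommendation, and the NIST note above warn against. The parameter names it inspects (AUTHENTICATION, ALTERNATE_AUTH_ENC, SSL_SVR_KEYDB, SSL_SVR_STASH, SSL_SVR_LABEL, SSL_SVCENAME, SSL_VERSIONS, KEYSTORE_TYPE, KEYSTORE_LOCATION, and the DB2COMM registry variable) are real Db2 settings; the sample outputs are constructed to resemble Db2's format, the descriptive labels and paths are illustrative, and the decision logic of each check is the example's own, not IBM's.

```python
"""Audit a Db2 instance's encryption settings from its configuration dumps.

Added example, not code from the IBM Db2 documentation. It parses the text that
`db2 get dbm cfg` and `db2set -all` print and flags: the deprecated DATA_ENCRYPT
authentication type, SERVER_ENCRYPT that can still negotiate DES (not NIST SP
800-131A compliant), a TLS listener that is not actually configured, and a
missing keystore, without which Db2 native encryption of databases and backups
is unavailable. Sample outputs are constructed; labels and paths are illustrative.
"""
import re

# Constructed, abbreviated `db2 get dbm cfg` output for a weakly configured instance.
WEAK_DBM_CFG = """\
 Database manager authentication        (AUTHENTICATION) = SERVER_ENCRYPT
 Alternate authentication encryption  (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
 SSL server keydb file                   (SSL_SVR_KEYDB) =
 SSL server stash file                   (SSL_SVR_STASH) =
 SSL server certificate label            (SSL_SVR_LABEL) =
 SSL service name                        (SSL_SVCENAME) =
 SSL versions                            (SSL_VERSIONS) =
 Keystore type                           (KEYSTORE_TYPE) = NONE
 Keystore location                   (KEYSTORE_LOCATION) =
 TCP/IP Service name                          (SVCENAME) = 50000
"""
WEAK_DB2SET = "[i] DB2COMM=TCPIP\n[g] DB2INSTDEF=db2inst1\n"

# Constructed sample of the same instance after TLS and a keystore have been set up.
HARDENED_DBM_CFG = """\
 Database manager authentication        (AUTHENTICATION) = SERVER
 Alternate authentication encryption  (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/keystore/server.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/keystore/server.sth
 SSL server certificate label            (SSL_SVR_LABEL) = db2server
 SSL service name                        (SSL_SVCENAME) = 50001
 SSL versions                            (SSL_VERSIONS) = TLSV12
 Keystore type                           (KEYSTORE_TYPE) = PKCS12
 Keystore location                   (KEYSTORE_LOCATION) = /home/db2inst1/keystore/db2keystore.p12
"""
HARDENED_DB2SET = "[i] DB2COMM=SSL\n"

# `db2 get dbm cfg` prints "<description> (<PARAM>) = <value>"; an unset value is blank.
CFG_LINE = re.compile(r"\((?P<name>[A-Z0-9_]+)\)\s*=\s*(?P<value>.*)$")
# `db2set -all` prints "[i] NAME=value" (scope tag, then the registry variable).
REG_LINE = re.compile(r"^\[[a-z]\]\s*(?P<name>[A-Z0-9_]+)=(?P<value>.*)$")


def parse_kv(text, pattern):
    """Return {NAME: value} for every line that matches pattern."""
    found = {}
    for line in text.splitlines():
        m = pattern.search(line.strip())
        if m:
            found[m.group("name")] = m.group("value").strip()
    return found


def _csv(value):
    return [v.strip().upper() for v in value.split(",") if v.strip()]


def audit(dbm_cfg, registry):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    auth = dbm_cfg.get("AUTHENTICATION", "").upper()
    if auth.startswith("DATA_ENCRYPT"):  # covers DATA_ENCRYPT and DATA_ENCRYPT_CMP
        findings.append("AUTHENTICATION=%s is deprecated; encrypt traffic with TLS instead" % auth)
    # SERVER_ENCRYPT may negotiate DES unless ALTERNATE_AUTH_ENC restricts it to AES.
    if auth == "SERVER_ENCRYPT" and dbm_cfg.get("ALTERNATE_AUTH_ENC", "").upper() != "AES_ONLY":
        findings.append("SERVER_ENCRYPT without ALTERNATE_AUTH_ENC=AES_ONLY can use DES, "
                        "which is not NIST SP 800-131A compliant")
    unset = [p for p in ("SSL_SVR_KEYDB", "SSL_SVR_STASH", "SSL_SVR_LABEL", "SSL_SVCENAME")
             if not dbm_cfg.get(p)]
    if unset:
        findings.append("TLS is not configured: %s unset" % ", ".join(unset))
    comm = _csv(registry.get("DB2COMM", ""))
    if "SSL" not in comm:
        findings.append("DB2COMM=%s does not include SSL, so no TLS listener is started" % ",".join(comm))
    elif "TCPIP" in comm:
        findings.append("DB2COMM also enables TCPIP, so a plaintext listener remains reachable")
    # In SSL_VERSIONS, TLSV1 denotes TLS 1.0 and TLSV11 TLS 1.1 (assumption about value names).
    old = [v for v in _csv(dbm_cfg.get("SSL_VERSIONS", "")) if v in ("TLSV1", "TLSV11")]
    if old:
        findings.append("SSL_VERSIONS permits %s; restrict to TLSV12 or later" % ",".join(old))
    # Data at rest: native encryption of databases and backups needs an instance keystore.
    if dbm_cfg.get("KEYSTORE_TYPE", "NONE").upper() == "NONE" or not dbm_cfg.get("KEYSTORE_LOCATION"):
        findings.append("No keystore configured (KEYSTORE_TYPE/KEYSTORE_LOCATION); "
                        "Db2 native encryption is unavailable")
    return findings


def audit_text(dbm_cfg_text, db2set_text):
    """Audit raw `db2 get dbm cfg` and `db2set -all` output."""
    return audit(parse_kv(dbm_cfg_text, CFG_LINE), parse_kv(db2set_text, REG_LINE))


if __name__ == "__main__":
    for label, cfg, reg in (("weak", WEAK_DBM_CFG, WEAK_DB2SET),
                            ("hardened", HARDENED_DBM_CFG, HARDENED_DB2SET)):
        print(label + ":", audit_text(cfg, reg) or ["no findings"])
```

On a real instance, run it as `db2 get dbm cfg > cfg.txt; db2set -all > reg.txt` and pass the two files' contents to `audit_text`. The keystore check only tells you whether native encryption can be used; whether a particular database actually is encrypted is a per-database property and is not visible in the instance configuration.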