Db2 native encryption
Db2 native encryption provides a built-in encryption capability to protect database backup images and key database files from inappropriate access while they are at rest on external storage media.
Note: In response to CVE-2023-32342, Db2 releases that include KI DT223175 use the non-FIPS ICC by default for TLS ciphers that use RSA key exchange on connections to KMIP key managers, because the FIPS-certified ICC is vulnerable to CVE-2023-32342.
Customers who must use only FIPS 140 certified cryptographic modules must enable strict FIPS mode. In strict FIPS mode, Db2 releases with KI DT223175 disable every TLS cipher suite and protocol version that is vulnerable to CVE-2023-32342:
- TLS 1.2 cipher suites that use RSA key exchange (TLS_RSA_*) are disabled. All supported ECDHE cipher suites remain enabled. For instances that use RSA certificates, Db2 automatically prefers TLS_ECDHE_RSA cipher suites for TLS 1.2, and no certificate change is required: these suites use the RSA certificate only to sign the ephemeral key exchange, so the RSA private key never decrypts a client-supplied premaster secret.
- TLS 1.3 is unaffected by CVE-2023-32342, because TLS 1.3 has no static RSA key exchange; every TLS 1.3 cipher suite uses ephemeral (EC)DHE key agreement.
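The cipher-suite distinction the note above draws, as an added example that is not part of the Db2 documentation or of IBM's code: a Python check that classifies IANA cipher-suite names by key-exchange method, separates a configured list into what strict FIPS mode keeps and what it disables (static RSA key exchange, TLS_RSA_*), and shows the order an instance with an RSA certificate falls back to (TLS 1.3, then TLS_ECDHE_RSA). The cipher list is constructed sample input; the handling of DHE and other non-ECDHE suites is an assumption of the example, since the page mentions only RSA, ECDHE and TLS 1.3 suites.

```python
"""Audit a TLS cipher-suite list for static RSA key exchange.

Added example, not Db2 or IBM code. Mirrors the strict FIPS mode
behaviour described for KI DT223175: TLS 1.2 suites whose key exchange
is static RSA (TLS_RSA_*) are disabled, ECDHE suites stay enabled, and
TLS 1.3 suites are unaffected.
"""
import re
from dataclasses import dataclass

# TLS 1.3 suite names carry no key-exchange token: key agreement is
# always ephemeral (EC)DHE, negotiated outside the suite name.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# TLS 1.2 names: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
_TLS12_RE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<cipher>.+)$")


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    protocol: str            # "TLS1.3" or "TLS1.2"
    key_exchange: str        # "RSA", "ECDHE", "DHE", "ECDH", "PSK", ...
    authentication: str      # "RSA", "ECDSA", "PSK", "anon", ...
    forward_secret: bool
    rsa_decrypts_premaster: bool  # True only for static RSA key exchange


def classify(name: str) -> SuiteInfo:
    """Classify one IANA cipher-suite name by its key-exchange method."""
    if name in TLS13_SUITES:
        return SuiteInfo(name, "TLS1.3", "(EC)DHE", "certificate", True, False)
    m = _TLS12_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    tokens = m.group("kx").split("_")
    kx = tokens[0]
    # TLS_RSA_WITH_* names one algorithm for both roles.
    auth = tokens[1] if len(tokens) > 1 else kx
    if kx == "RSA":
        # Static RSA: the client encrypts the premaster secret to the
        # server's RSA public key; the server's private key decrypts it.
        # That decryption is the code path CVE-2023-32342 concerns.
        return SuiteInfo(name, "TLS1.2", "RSA", auth, False, True)
    # Assumption: DHE is treated as forward-secret like ECDHE; the page
    # itself only discusses RSA and ECDHE suites.
    ephemeral = kx in ("ECDHE", "DHE")
    return SuiteInfo(name, "TLS1.2", kx, auth, ephemeral, False)


def strict_fips_audit(suites):
    """Split a cipher list into (kept, disabled) as strict FIPS mode would.

    Each disabled entry is a (name, reason) pair."""
    kept, disabled = [], []
    for s in suites:
        info = classify(s)
        if info.rsa_decrypts_premaster:
            disabled.append((s, "static RSA key exchange, vulnerable to CVE-2023-32342"))
        else:
            kept.append(s)
    return kept, disabled


def rsa_cert_preference(suites):
    """Order the suites an RSA-certificate instance can still use:
    TLS 1.3 first, then TLS_ECDHE_RSA, then other non-static-RSA suites
    authenticated with RSA. Suites needing another certificate type
    (e.g. ECDSA) and static RSA suites are dropped."""
    usable = []
    for s in suites:
        info = classify(s)
        if info.rsa_decrypts_premaster:
            continue
        if info.protocol == "TLS1.2" and info.authentication != "RSA":
            continue
        usable.append(info)

    def rank(info):
        if info.protocol == "TLS1.3":
            return 0
        return 1 if info.key_exchange == "ECDHE" else 2

    return [i.name for i in sorted(usable, key=rank)]  # stable sort keeps input order within a rank


# Constructed sample: a mixed TLS 1.2/1.3 list of the kind a Db2 instance
# might negotiate with a KMIP key manager (not taken from any real config).
CONFIGURED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    kept, disabled = strict_fips_audit(CONFIGURED)
    print("kept:", kept)
    for name, reason in disabled:
        print(f"disabled: {name} ({reason})")
    print("RSA-certificate preference:", rsa_cert_preference(CONFIGURED))
```

Run it against the cipher list your KMIP client and server actually negotiate; any entry that lands in the disabled list is one that strict FIPS mode will refuse, and the preference list shows why an RSA certificate keeps working without replacement.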
Encryption is a key component in the protection of offline data. Many government regulations and industry standards require its use.
Db2 native encryption offers these advantages:
- simple deployment
- no changes required to the data schema or to database applications
- free use on all supported Db2 platforms and configurations
Db2 native encryption encrypts the following:
- All table spaces (both system-defined and user-defined)
- All types of data in a table space (including LOB and XML data types)
- All transaction logs, including archived log files
- LOAD COPY data
- LOAD staging files