Setting up a centralized PKCS #11 keystore

To set up a PKCS #11 keystore for use with Db2® native encryption, begin by creating a PKCS #11 keystore configuration file.

Before you begin

  1. Install and configure the vendor software that lets you access the PKCS #11 keystore. Refer to Overview of Db2 native encryption for a list of supported key managers.
  2. Check the ability to connect to the PKCS #11 keystore by using vendor utilities. For example:
    • For SafeNet (formerly Luna) hardware security module (HSM), use vtl verify
    • For Entrust nShield HSM (formerly nCipher, formerly Thales), use enquiry

Procedure

  1. Create a PKCS #11 keystore configuration file
  2. Optional: Create a stash file

What to do next

Configure the Db2 instance to use this centralized PKCS #11 keystore to store database master keys for Db2 native encryption.