Db2 native encryption

Db2 native encryption provides a built-in encryption capability to protect database backup images and key database files from inappropriate access while they are at rest on external storage media.

Important:

In response to CVE-2023-32342, for connections to KMIP key managers, Db2 releases with KI DT223175 use the non-FIPS IBM Crypto for C (ICC) by default for TLS ciphers that use RSA key exchange, because the FIPS certified ICC is vulnerable to CVE-2023-32342. Customers with a requirement to use only FIPS 140 certified cryptographic modules must enable strict FIPS mode.

Note: The FIPS certified ICC is unavailable on 32-bit and macOS platforms. Db2 automatically switches to the non-FIPS ICC on those platforms.

In strict FIPS mode, Db2 releases with KI DT223175 disable all TLS ciphers and versions that are vulnerable to CVE-2023-32342.

The following restrictions will apply to connections to KMIP key managers when strict mode is enabled in Db2 releases that contain KI DT223175:
  • TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) are disabled. If there are no remaining ciphers in the SSL_CIPHERSPECS DBM CFG parameter, the SSL environment fails to initialize. For instances using RSA certificates, the SSL_CIPHERSPECS DBM CFG parameter must be configured to use TLS_ECDHE_RSA ciphers for no certificate changes to be required.
  • TLS 1.3 is unaffected by CVE-2023-32342.

Strict FIPS mode is enabled by setting the DB2AUTH registry variable to STRICT_FIPS. If the DB2AUTH variable is already set, multiple options can be separated by commas. For further details on strict FIPS mode, refer to Industry Standards.
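The following POSIX shell helpers are an added example, not part of the Db2 documentation or product. They let an administrator plan the two changes described above before touching a live instance: appending STRICT_FIPS to an existing comma-separated DB2AUTH value without dropping options already set, and checking whether any cipher would remain in SSL_CIPHERSPECS once the TLS_RSA_* suites are disabled (an empty list means the SSL environment would fail to initialize). The sample DB2AUTH option and cipher suite names used in the comments and tests are constructed for illustration; the db2set and db2 update dbm cfg commands printed by print_plan are the standard Db2 CLP commands.

```shell
#!/bin/sh
# Added example (not Db2's own code). Pure string handling, so it runs
# anywhere; on a real instance read the current values first with
# "db2set DB2AUTH" and "db2 get dbm cfg | grep SSL_CIPHERSPECS".

# Return DB2AUTH with STRICT_FIPS appended, keeping any options already
# set (comma-separated, as the documentation describes). Idempotent.
merge_db2auth() {
    current="$1"
    case ",$current," in
        *,STRICT_FIPS,*) printf '%s\n' "$current" ;;           # already enabled
        ",,")            printf '%s\n' "STRICT_FIPS" ;;        # variable not set yet
        *)               printf '%s\n' "$current,STRICT_FIPS" ;;
    esac
}

# Given the current SSL_CIPHERSPECS list (comma-separated), drop the
# TLS 1.2 RSA-key-exchange suites (TLS_RSA_*) that strict FIPS mode
# disables and return what would remain. TLS_ECDHE_RSA_* suites survive,
# so an instance with an RSA certificate needs no certificate change.
filter_rsa_kx_ciphers() {
    specs="$1"
    remaining=""
    old_ifs="$IFS"; IFS=','
    for c in $specs; do
        case "$c" in
            TLS_RSA_*) ;;                                   # disabled in strict mode
            "")        ;;                                   # stray separator
            *)         remaining="${remaining:+$remaining,}$c" ;;
        esac
    done
    IFS="$old_ifs"
    printf '%s\n' "$remaining"
}

# Exit status 0 if at least one cipher would still be available.
check_ciphers_survive() {
    [ -n "$(filter_rsa_kx_ciphers "$1")" ]
}

# Print the commands to run, or fail (exit 1) when the cipher list would
# become empty and SSL initialization would fail after enabling strict mode.
# Usage: print_plan "<current DB2AUTH>" "<current SSL_CIPHERSPECS>"
print_plan() {
    printf 'db2set DB2AUTH=%s\n' "$(merge_db2auth "$1")"
    remaining=$(filter_rsa_kx_ciphers "$2")
    if [ -n "$remaining" ]; then
        printf 'db2 update dbm cfg using SSL_CIPHERSPECS %s\n' "$remaining"
    else
        echo '# no ciphers would remain: add TLS_ECDHE_RSA_* suites to SSL_CIPHERSPECS first' >&2
        return 1
    fi
}
```

Run print_plan with the values read from the instance; it prints the db2set and db2 update dbm cfg commands when the plan is safe and exits non-zero when strict mode would leave SSL_CIPHERSPECS empty. Registry variable changes made with db2set take effect after the instance is restarted.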

Encryption is a key component in the protection of offline data. Many government regulations and industry standards require its use.

Db2 native encryption features:
  • Simple deployment
  • No changes required to the data schema or database applications
  • Free to use on all supported Db2 platforms and configurations
The encryption capabilities that are used by Db2 are FIPS 140-2 certified and employ NIST SP 800-131A compliant cryptographic algorithms. Db2 also automatically detects and uses any underlying CPU hardware acceleration for encryption when available.
When you encrypt a database, Db2 native encryption protects all files that contain your data, such as:
  • All table spaces (both system-defined and user-defined)
  • All types of data in a table space (including LOB and XML data types)
  • All transaction logs, including archived log files
  • LOAD COPY data
  • LOAD staging files
Db2 native encryption can also be used to encrypt database backups, even if the source database is not encrypted.