Encrypting an existing database

To encrypt the data in an existing, unencrypted database, you must create a backup image of the database, drop it, and then restore it into an encrypted database.

Procedure

To encrypt an existing database:

  1. Create a keystore if you are using a local key manager. If you are using a centralized key manager, ensure you have set up a centralized KMIP or PKCS #11 keystore.
  2. Configure the database instance with the new keystore.
  3. Generate a backup image of the database you would like to encrypt:
    db2 backup database <database_name>
  4. Drop the original copy of the database you want to encrypt:
    db2 drop database <database_name>
  5. Restore the backup image into a new encrypted database:
    db2 restore database <database_name> into <new_database_name> encrypt
    Note: This example uses the default set of RESTORE DATABASE encryption options to complete the restore process. For a full set of available encryption and master key options, see RESTORE DATABASE.
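
Because step 4 destroys the only live copy of the data, the following added example (not part of the original page and not IBM's code) wraps steps 3 to 5 in a POSIX shell function that refuses to drop the database unless the instance has a keystore configured and the backup image passes db2ckbkp. The backup directory argument, the to/from/taken at clauses, the image file name layout and the matched configuration output wording are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumptions: the backup directory argument,
# the image name layout <DB>.0.<instance>.DBPART<nnn>.<timestamp>.<seq>, and
# the wording of the "get dbm cfg" / "get db cfg" output lines matched below.

# Steps 1-2: succeed only if the instance has a keystore type other than NONE.
keystore_configured() {
    db2 get dbm cfg | grep '(KEYSTORE_TYPE)' | grep -qiv '= *NONE'
}

# Print the newest backup image of database $2 in directory $1 (empty if none).
latest_backup_image() {
    name=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    ls -t "$1"/"$name".0.*.DBPART*.* 2>/dev/null | head -n 1
}

# Usage: encrypt_existing_db <database_name> <new_database_name> <backup_dir>
encrypt_existing_db() (
    db=$1; newdb=$2; dir=$3
    keystore_configured || { echo "no keystore configured" >&2; exit 2; }

    # Step 3: take the backup.
    db2 backup database "$db" to "$dir" || exit 3

    # Gate for step 4: the image must exist, be non-empty and pass db2ckbkp.
    image=$(latest_backup_image "$dir" "$db")
    if [ ! -s "$image" ] || ! db2ckbkp "$image" >/dev/null; then
        echo "backup not verified; $db was NOT dropped" >&2; exit 4
    fi
    stamp=$(basename "$image" | cut -d. -f5)   # timestamp field of the name

    # Step 4: drop the original only after the gate has passed.
    db2 drop database "$db" || exit 5

    # Step 5: restore that exact image into a new encrypted database.
    db2 restore database "$db" from "$dir" taken at "$stamp" \
        into "$newdb" encrypt || exit 6

    # Result check: the new database must report itself as encrypted.
    db2 get db cfg for "$newdb" | grep -i 'Encrypted database' \
        | grep -qi '= *YES' || exit 7
)

if [ "$#" -eq 3 ]; then encrypt_existing_db "$@"; fi
```

Unless backup encryption options were specified, the image taken in step 3 holds the data unencrypted, so restrict access to the backup directory and remove the image once the encrypted database is verified.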

Results

The new database will contain the same information as the original, except with encrypted data.