To encrypt the data in an existing, unencrypted database, you must create a backup image
of the database, drop it, and then restore it into an encrypted database.
Procedure
To encrypt an existing database:
- Create a keystore if you are using a local key manager. If you are using a centralized key manager, ensure you have set up a centralized KMIP or PKCS #11 keystore.
- Configure the database instance with the new keystore.
- Generate a backup image of the database you would like to encrypt:
    db2 backup database <database_name>
- Drop the original copy of the database you wanted to encrypt:
    db2 drop database <database_name>
- Restore the backup image into a new encrypted database:
    db2 restore database <database_name> into <new_database_name> encrypt
  Note: This example uses the default set of RESTORE DATABASE encryption options to complete the restore process. For a full set of available encryption and master key options, see RESTORE DATABASE.
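
The backup, drop and restore steps above as one guarded script, an added example that is not IBM's own code: it refuses to drop the database until `db2ckbkp` has validated the backup image, and it confirms that the restored database reports as encrypted. The function names, the backup-directory argument, the image file-name pattern and the matched configuration line are assumptions; the keystore steps must already be complete.

```shell
#!/bin/sh
# Added example (not IBM's code): steps 3-5 with a verification gate before the drop.
# Assumes the keystore is already created and configured (steps 1-2).

# Print the newest backup image of database $1 in directory $2.
# Assumption: images are named <ALIAS>.0.<instance>.DBPART000.<timestamp>.001
newest_image() {
    alias_uc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    ls -t "$2"/"$alias_uc".0.*.001 2>/dev/null | head -n 1
}

# encrypt_existing_db <database_name> <new_database_name> <backup_dir>
# Note: db2 also exits non-zero on warnings; any non-zero exit stops the run here.
encrypt_existing_db() {
    src=$1; dst=$2; dir=$3

    # Step 3: back up. This image is NOT encrypted; keep $dir access-restricted.
    db2 backup database "$src" to "$dir" || { echo "backup failed" >&2; return 1; }
    img=$(newest_image "$src" "$dir")
    [ -n "$img" ] || { echo "no backup image found in $dir" >&2; return 1; }

    # Gate: the drop is irreversible, so validate the image first.
    db2ckbkp "$img" >/dev/null ||
        { echo "db2ckbkp rejected $img; $src was NOT dropped" >&2; return 2; }
    ts=$(basename "$img" | cut -d. -f5)    # timestamp field of the image name

    # Step 4: drop the unencrypted original.
    db2 drop database "$src" || { echo "drop failed" >&2; return 1; }

    # Step 5: restore that exact image into a new encrypted database.
    db2 restore database "$src" from "$dir" taken at "$ts" into "$dst" encrypt ||
        { echo "restore failed; image kept at $img" >&2; return 3; }

    # Confirm the result instead of trusting the exit code alone.
    # Assumption: the db cfg output has a line "Encrypted database = YES".
    db2 get db cfg for "$dst" | grep -Eiq 'Encrypted database.*= *YES' ||
        { echo "$dst does not report as encrypted" >&2; return 4; }

    echo "done; plaintext image still on disk: $img" >&2
    return 0
}

# Runs only when invoked as: script <database_name> <new_database_name> <backup_dir>
if [ "$#" -eq 3 ]; then encrypt_existing_db "$@"; fi
```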
Results
The new database will contain the same information as the original, except with encrypted
data.