For DB2® Enterprise Server Edition running on the AIX® operating system you have the option to set up an encrypted database by using AIX encrypted file system (EFS). For detailed information about EFS, see your AIX documentation.
You can encrypt the operating system files that contain the data in database tables by using EFS on the underlying JFS2 file system.
Before you enable EFS, the clic.rte fileset must be installed. The clic.rte install image can be found on the Expansion Pack CD.
```
% efsenable -a
```
You need to run the efsenable command only once.
```
# lsuser abst
abst id=203 pgrp=abstgp groups=abstgp,staff ...
# efskeymgr -V
List of keys loaded in the current process:
 Key #0:
   Kind ..................... User key
   Id   (uid / gid) ......... 203
   Type ..................... Private key
   Algorithm ................ RSA_1024
   Validity ................. Key is valid
   Fingerprint .............. 24c88df2:d91cb6a2:c3e11b6a:4c13f8b4:666fabd8
 Key #1:
   Kind ..................... Group key
   Id   (uid / gid) ......... 1
   Type ..................... Private key
   Algorithm ................ RSA_1024
   Validity ................. Key is valid
   Fingerprint .............. 03fead42:57e7646e:a1715626:cfa56c8e:8abed1c1
 Key #2:
   Kind ..................... Group key
   Id   (uid / gid) ......... 212
   Type ..................... Private key
   Algorithm ................ RSA_1024
   Validity ................. Key is valid
   Fingerprint .............. 339dfb19:bc850f4c:5551c975:7fe4961b:2dddf3bc
```
This command prompts for the keystore password, which is initially set to the login password.
Both the user and group keys should be listed. If the group keystores are still not listed, continue with Step 4.
```
% efskeymgr -C group_name
% efskeymgr -k group/group_name -s user/user_name
```
If a user is already logged in, they will not immediately have access to the group keystore; they must reload their keystore with the efskeymgr -o ksh command or log in again.
EFS only runs on JFS2 file systems and must be specifically enabled.
```
% chfs -a efs=yes /foo
% crfs -v jfs2 -a efs=yes -m mount_point -d device -A yes
```
EFS is now enabled on the file system but is not turned on. Turn on EFS only for the particular database tables requiring encrypted data (for more information, see your AIX EFS documentation about the efsmgr command and inheritance).
To determine which file contains a particular database table that you want to protect with EFS encryption, follow these steps, which use the EMPLOYEE table as an example.
```
SELECT TABNAME, TBSPACEID FROM syscat.tables WHERE tabname='EMPLOYEE'
```

| TABNAME  | TBSPACEID |
|----------|-----------|
| EMPLOYEE | 2         |

```
LIST TABLESPACE CONTAINERS FOR 2
```

| Container ID | Name                                         | Type |
|--------------|----------------------------------------------|------|
| 0            | /foo/abst/NODE0000/BAR/T0000002/C0000000.LRG | File |
You now know that this table space is contained in the operating system file called /foo/abst/NODE0000/BAR/T0000002/C0000000.LRG. This is the file you need to encrypt.
First, as you would do before making any major change to data or databases, back up your database.
Follow these steps to encrypt the file:
```
# ls -U /foo/abst/NODE0000/BAR/T0000002/C0000000.LRG
-rw-------- 1 abst abstgp 33554432 Jul 30 18:01 /foo/abst/NODE0000/BAR/T0000002/C0000000.LRG
# efsmgr -e /foo/abst/NODE0000/BAR/T0000002/C0000000.LRG
# ls -U /foo/abst/NODE0000/BAR/T0000002/C0000000.LRG
-rw-------e 1 abst abstgp 33554432 Jul 30 18:03 /foo/abst/NODE0000/BAR/T0000002/C0000000.LRG
```
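As an added example (not part of the DB2 or AIX documentation), the following POSIX shell script turns the ls -U check above into an audit: it reads ls -U output for the container files of a table space and reports any container that still lacks the EFS flag. It assumes the AIX ls -U layout shown on this page, where the 11th character of the mode field is e for an encrypted file and - otherwise, and that container paths contain no spaces; the sample ls -U lines are constructed.

```shell
#!/bin/sh
# Added example, not taken from the DB2 or AIX documentation.
# Assumption: AIX 'ls -U' prints an 11-character mode field whose last
# character is 'e' for an EFS-encrypted file ('-rw-------e') and '-' for
# a clear file ('-rw--------'), as in the page's example.

# efs_state "<one line of ls -U output>"  ->  prints "encrypted" or "clear"
efs_state() {
    mode=${1%% *}                      # first field: the mode string
    case "$mode" in
        ??????????e*) echo encrypted ;; # 11th character is 'e'
        *)            echo clear ;;
    esac
}

# list_clear_containers reads 'ls -U' output on stdin and prints the path
# of every container file that is still unencrypted, one per line.
# Assumes the path is the last field (no spaces in container paths).
list_clear_containers() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(efs_state "$line")" = clear ]; then
            printf '%s\n' "${line##* }"
        fi
    done
}

# Constructed sample: two containers of table space 2, one already encrypted.
SAMPLE_LS_U='-rw-------e 1 abst abstgp 33554432 Jul 30 18:03 /foo/abst/NODE0000/BAR/T0000002/C0000000.LRG
-rw-------- 1 abst abstgp 33554432 Jul 30 18:01 /foo/abst/NODE0000/BAR/T0000002/C0000001.LRG'

# On a live AIX system (run as the instance owner or root):
#   ls -U /foo/abst/NODE0000/BAR/T0000002/*.LRG | list_clear_containers
# Each path reported is a container that efsmgr -e has not yet been applied to.
```

Run the audit again after encrypting the reported containers; an empty result means every container of the table space carries the e flag.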