Create a Keystore with onkstore
A keystore file is required by any instance that has the storage space encryption feature enabled. This keystore file has a “.p12” extension. It may also have an associated password stash file whose extension is “.sth”.
When referring to a keystore file with onkstore or in the value of the DISK_ENCRYPTION configuration parameter, always omit the “.p12” extension.
onkstore -create -file my_keystore -type local -cipher aes128
The result of that command is a file named my_keystore.p12 in the $INFORMIXDIR/etc directory, which contains a 128-bit (16 byte) encryption key. That p12 file is encrypted with a password, which you must provide interactively when prompted. By default, the password is stored in a stash file; the path to the stash file is $INFORMIXDIR/etc/my_keystore.sth.
echo "sample_password" > pw_file
onkstore -create -file my_keystore -type local -cipher aes128 -pw pw_file
rm pw_file
The password must be at least 8 characters long. In this case “sample_password” would also be stashed, encrypted, in $INFORMIXDIR/etc/my_keystore.sth.
oninit -pw
Please enter current encryption password: sample_password
touch /tmp/mypassword
chmod 660 /tmp/mypassword
echo "sample_password" > /tmp/mypassword
oninit -pw /tmp/mypassword
rm /tmp/mypassword
onkstore -create -file /work/KEYSTORES/my_keystore -type local -cipher aes128
DISK_ENCRYPTION keystore=/work/KEYSTORES/my_keystore
Like $INFORMIXDIR/etc, the directory that contains your keystore file must be owned by user informix and group informix.
DISK_ENCRYPTION keystore=my_keystore,cipher=aes256
The DISK_ENCRYPTION setting consists of comma-separated attributes and may contain no quotes or spaces.
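A pre-flight check for the rules above (no quotes or spaces in DISK_ENCRYPTION, keystore named without the .p12 extension, a supported cipher, the keystore directory owned by informix/informix), written as an added example that is not part of the onkstore documentation. It assumes POSIX sh, GNU stat(1) for the ownership check, and that $INFORMIXDIR is exported.

```shell
#!/bin/sh
# Pre-flight check for a DISK_ENCRYPTION value and the keystore it names.
# Added example, not part of the onkstore documentation. Assumed, not from the
# page: POSIX sh, GNU stat(1) for the ownership check, $INFORMIXDIR exported.
# validate_disk_encryption VALUE: accept only what the docs allow (comma-separated
# name=value attributes, no quotes or spaces, keystore named without ".p12",
# cipher aes128/aes192/aes256); print the keystore name on success.
validate_disk_encryption() {
    value=$1 keystore='' cipher=''
    case $value in
        '')             echo "reject: empty DISK_ENCRYPTION" >&2; return 1 ;;
        *\ *|*\"*|*\'*) echo "reject: quotes or spaces not allowed" >&2; return 1 ;;
    esac
    rest=$value
    while [ -n "$rest" ]; do                     # walk the comma-separated attributes
        attr=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest='' ;; esac
        case $attr in                            # attributes not on this page are skipped
            keystore=*) keystore=${attr#keystore=} ;;
            cipher=*)   cipher=${attr#cipher=} ;;
        esac
    done
    [ -n "$keystore" ] || { echo "reject: keystore attribute missing" >&2; return 1; }
    case $keystore in
        *.p12) echo "reject: omit the .p12 extension from the keystore name" >&2; return 1 ;;
    esac
    case $cipher in
        ''|aes128|aes192|aes256) ;;
        *) echo "reject: unsupported cipher '$cipher'" >&2; return 1 ;;
    esac
    printf '%s\n' "$keystore"
}

# resolve_keystore_path NAME [INFORMIXDIR]: a bare name lives in $INFORMIXDIR/etc,
# a name containing "/" is used as given (no extension is appended here).
resolve_keystore_path() {
    case $1 in */*) printf '%s\n' "$1" ;; *) printf '%s/etc/%s\n' "${2:-$INFORMIXDIR}" "$1" ;; esac
}

# check_keystore_files NAME [INFORMIXDIR]: the .p12 must exist and its directory
# must be owned by informix:informix, as the docs require. Returns 1 on any finding.
check_keystore_files() {
    base=$(resolve_keystore_path "$1" "$2"); dir=${base%/*}; rc=0
    [ -f "$base.p12" ] || { echo "finding: $base.p12 does not exist" >&2; rc=1; }
    owner=$(stat -c '%U:%G' "$dir" 2>/dev/null || echo unknown)
    [ "$owner" = informix:informix ] || { echo "finding: $dir is owned by $owner, expected informix:informix" >&2; rc=1; }
    return $rc
}
```

Run it as `ks=$(validate_disk_encryption "$DISK_ENCRYPTION") && check_keystore_files "$ks"` before starting the server; a non-zero exit means the setting or the keystore layout does not match what the docs require.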
onkstore -create -file my_aws_keystore -type AWS_EAR -cipher aes192
$ onkstore -create -file my_aws_keystore -type AWS_EAR -cipher aes192
Creating AWS EAR Keystore
AWS Key Id
>AKCAIPP520LF4AJBOTXA
AWS Key Secret
>TCEmlasjdflkjbasNHFAI6BHOwj4XHe50ic7LCt9
AWS Region
>us-east-1
AWS CMK Id
>16fd15d9-db8b-4cb7-9d99-d3070df97b58
SSM Key Location
>/informix/keys/aes192/key1
These values are not your actual encryption key. They are merely pieces of information that, when put together, allow the server to access a particular encryption key stored in AWS. If the terms “CMK Id” and “AWS Region” are not familiar to you, it is because you do not yet have an AWS account set up. Familiarity with an AWS account that you are able to manage is a prerequisite for creating a remote keystore file with onkstore.
onkstore -create -file my_ks -cipher aes192 -credential /tmp/my_creds.json
In this case the /tmp/my_creds.json file would contain something like this:
{
    "Credentials" :
    {
        "Type" : "aws-ear",
        "AWS Key Id" : "AKCAIPP520LF4AJBOTXA",
        "AWS Key Secret" : "TCEmlasjdflkjbasNHFAI6BHOwj4XHe50ic7LCt9",
        "AWS Region" : "us-east-1",
        "AWS CMK Id" : "16fd15d9-db8b-4cb7-9d99-d3070df97b58",
        "SSM Key Location" : "/informix/keys/aes192/key1"
    }
}
If this command is run and the master encryption key does not exist in AWS at the specified location (/informix/keys/aes192/key1), onkstore will attempt to generate one and store it there. If the credentials point to an existing key, onkstore will create the keystore file and leave the key as-is.
The -pw argument works the same way with remote keystore file creation as it does with local keystore creation.
Do not use the AWS-BAR type when creating a keystore for use with the storage space encryption feature. This type of keystore is used with the Integrated Backup Encryption feature.