Encrypting a new Db2 database

To set up encryption for a new Db2 database, perform the following setup and configuration steps.

About this task

For example, let's consider a client who is working on a project for which compliance with PCI DSS is mandatory. A new database named DARE contains the customer credit card information. The Db2 instance administrator is responsible for setting up encryption for the DARE database. The data must be encrypted with AES 192. As the database server is highly secure, stashing the keystore password is allowed. The administrator plans to regularly back up the keystore and its stash file.

Procedure

Create the keystore. For example:

gsk8capicmd -keydb -create -db /home/db2/ccardskeystore.p12
  -pw Str0ngPassw0rd –strong -type pkcs12 –stash;

Note: The command name may vary based on the operating system. For example, for a 64 bit operating system use the following command

gsk8capicmd_64 -keydb -create -db /localhome/db2inst2/pdesignkeystore.p12
  -pw Str0ngPassw0rd -type pkcs12

Configure the Db2 instance with the new keystore. For example:

db2 update dbm cfg using keystore_type pkcs12
  keystore_location /home/db2/ccardskeystore.p12

Create the DARE database with the encryption option. For example:
```
db2 create db dare encrypt cipher AES KEY LENGTH 192
```
A master key for the database is automatically generated and added to the keystore.
Back up the keystore and its related stash file, and store the backup copy in a safe location.

What to do next

Verify Db2 encryption

To check the encryption status of a particular database, use the ADMIN_GET_ENCRYPTION_INFO table function, which returns the current encryption settings for a database. For example:
```
SELECT * FROM TABLE (SYSPROC.ADMIN_GET_ENCRYPTION_INFO());
```

Retrieve the current database encryption settings. For example:

SELECT OBJECT_NAME, OBJECT_TYPE, ALGORITHM, ALGORITHM_MODE, KEY_LENGTH, MASTER_KEY_LABEL
   FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())

This query returns the following output:

OBJECT_NAME      OBJECT_TYPE        ALGORITHM    ALGORITHM_MODE  KEY_LENGTH  MASTER_KEY_LABEL
---------------------------------------------------------------------------------------------------------------
DARE             DATABASE             AES        CBC             256      DB2_SYSGEN_db2inst1_DARE_2015-10-16-18.20.45

Retrieve the instance keystore settings. For example:

SELECT KEYSTORE_NAME, KEYSTORE_TYPE, KEYSTORE_HOST, KEYSTORE_IP, KEYSTORE_IP_TYPE
   FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())

This query returns the following output:

KEYSTORE_NAME                          KEYSTORE_TYPE   KEYSTORE_HOST  KEYSTORE_IP KEYSTORE_IP_TYPE 
--------------------------------------------- -----------------------------------------------------
/localhome/db2inst1/ccardkeystore.p12     PKCS12         dublr270vm.dub.usoh.ibm.com ........... IPV4

Retrieve the last master key rotation operation information. For example:

SELECT PREVIOUS_MASTER_KEY_LABEL, AUTH_ID, APPL_ID, ROTATION_TIME
   FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())

This query returns the following output:

PREVIOUS_MASTER_KEY_LABEL                       AUTH_ID      ...
----------------------------------------------- ------------ ...
DB2_SYSGEN_db2inst1_DARE_2015-10-16-18.20.45    DB2INST1     ...

Note: If your deployment is on sharded, you can choose to encrypt only the transaction, master, and metadata schemas as they contain sensitive data. The configuration and statistics schemas can be unencrypted. But this is only applicable if each of these schema are on different database instances. This is because, within the same database instance, Db2 allows the users to encrypt only at an instance level and not at the schema or table level.