Migrating an existing unencrypted Db2 database to an encrypted database

To migrate your existing unencrypted Db2 database to an encrypted database, perform the following steps:

Procedure

  1. Back up your existing unencrypted Db2 database. For example:
    db2 backup database <database_name>
  2. Do one of the following:
    • Upgrade your existing Db2 installation. For example:
      ./installFixPack
    • Perform a fresh Db2 installation. For example:
      ./db2setup
  3. Create an encryption key for the upgraded or fresh Db2 installation. For example:
    gsk8capicmd -keydb -create -db /home/db2/ccardskeystore.p12 \
      -pw Str0ngPassw0rd -strong -type pkcs12 -stash
    Note: The command name may vary based on the operating system. For example, on a 64-bit operating system, use this command:
    gsk8capicmd_64 -keydb -create -db /localhome/db2inst2/pdesignkeystore.p12 \
      -pw Str0ngPassw0rd -type pkcs12
  4. Configure the Db2 instance to use the new keystore. For example:
    db2 update dbm cfg using keystore_type pkcs12 keystore_location /localhome/db2inst2/pdesignkeystore.p12
  5. Start the Db2 instance using the new keystore. For example:
    db2start open keystore USING Str0ngPassw0rd
  6. Restore and encrypt the Db2 backup that you created in Step 1. For example:
    db2 restore database <database_name> encrypt
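
A check for the end of the procedure, as an added example that is not part of the original page or of Db2 itself: it reads the text of `db2 get dbm cfg` and `db2 get db cfg` and confirms that the instance points at the keystore created in step 3 and that the restored database reports itself as encrypted. The output labels it matches, the helper names and the sample text are assumptions or constructed; the keystore permission check is an addition beyond the steps above.

```shell
#!/bin/sh
# Added example (not from the original page): verify that steps 4 and 6 took effect.
# Inputs are the text of `db2 get dbm cfg` and `db2 get db cfg for <database_name>`.
# Assumption: parameters appear as "... (KEYSTORE_TYPE) = value" and the database
# configuration carries an "Encrypted database = YES|NO" line.

# Print the value after the first "=" on the first line containing LABEL.
cfg_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        index($0, k) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# Succeed only if the keystore file exists and grants nothing to group or others.
keystore_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_migration DBM_CFG_TEXT DB_CFG_TEXT EXPECTED_KEYSTORE_PATH
# Prints one line per finding; returns the number of failed checks.
verify_migration() {
    fails=0
    ktype=$(cfg_value "$1" "(KEYSTORE_TYPE)" | tr '[:lower:]' '[:upper:]')
    kloc=$(cfg_value "$1" "(KEYSTORE_LOCATION)")
    enc=$(cfg_value "$2" "Encrypted database" | tr '[:lower:]' '[:upper:]')
    [ "$ktype" = "PKCS12" ] || { echo "FAIL keystore_type='$ktype'"; fails=$((fails + 1)); }
    [ "$kloc" = "$3" ] || { echo "FAIL keystore_location='$kloc' expected='$3'"; fails=$((fails + 1)); }
    [ "$enc" = "YES" ] || { echo "FAIL encrypted='$enc'"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK instance uses $kloc and database is encrypted"
    return "$fails"
}

# Constructed sample output, trimmed to the relevant lines.
SAMPLE_DBM=' Keystore type                           (KEYSTORE_TYPE) = PKCS12
 Keystore location                   (KEYSTORE_LOCATION) = /localhome/db2inst2/pdesignkeystore.p12'
SAMPLE_DB_ENCRYPTED=' Encrypted database                                      = YES'
SAMPLE_DB_PLAIN=' Encrypted database                                      = NO'

# On a live instance (as the instance owner):
#   verify_migration "$(db2 get dbm cfg)" "$(db2 get db cfg for <database_name>)" \
#       /localhome/db2inst2/pdesignkeystore.p12
#   keystore_private /localhome/db2inst2/pdesignkeystore.p12 || echo "FAIL keystore readable by others"
verify_migration "$SAMPLE_DBM" "$SAMPLE_DB_ENCRYPTED" /localhome/db2inst2/pdesignkeystore.p12
```

Passing the path used when the keystore was created in step 3 as the third argument exposes a mismatch with the location configured in step 4, as with the two different example paths shown above.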