Optimize security with the automatically generated master encryption key

Beginning with IBM Spectrum Protect™ Version 8.1.2, a master encryption key is automatically generated when you start the server if the master encryption key did not previously exist.

The newly generated master encryption key is stored in a new key database, dsmkeydb.kdb. If the server has an existing master encryption key, the key is migrated from the dsmserv.pwd file to the new key database. The automatic generation of the master encryption key and its storage in the new key database are designed to enhance system security. Server certificates are still stored in the cert.kdb key database and accessed by the stash file cert.sth.

You must protect both the key databases (cert.kdb and dsmkeydb.kdb) and the stash files (cert.sth and dsmkeydb.sth) that provide access to each of the key databases. By default, the BACKUP DB command protects the master encryption key, but you must remember the database backup password to restore the database. The IBM Spectrum Protect server dsmserv.pwd file, which was used to store the master encryption key in previous releases, is no longer used.