Restoring an encrypted backup image to a different system with a local key manager

To restore a backup image to a different system, the local keystore file on that system must have the master key that is used by all the entities that are involved in the restoration. The entities include the backup image and potentially the transaction log files from the source system. If the database on the target system is also to be encrypted, it too needs to reference a master key in the local keystore file on the target system.

About this task

A simple way to achieve this goal is to copy the keystore file securely from the source system to the target system. If needed, add a new master key to the target system for the new copy of the database. You can also copy the needed master keys to the target system and then add them to the local keystore file.

Procedure

The procedure depends on the security protocol:

  • When the source system keystore file is to be copied to the target system:
    1. Use a secure copy protocol such as SCP to copy the keystore and its associated stash file from System A to System B. SCP is available with most Secure Shell (SSH) implementations.
    2. Update the value of the keystore_location database manager configuration parameter to point to the copied keystore on System B.
    3. If a new master key is wanted for the new database copy:
      1. Have the System B administrator add the new master key for the database copy to the keystore on System B.
      2. Have the System B administrator restore the backup image on System B, specifying the new master key on the restore command:
        db2 restore database <database_name> encropts 'Master Key Label=<systemB_admin_label>'
          encrypt cipher aes key length <key_length_in_bits>
    4. If using the same master key as the original database for the new copy, restore the backup image on System B:
      db2 restore database <database_name> encrypt;
  • When the source system keystore file is not going to be used for the new system:
    1. Add a new master key for the backup:
      1. Add a new master key to the local keystore file on the source system for use by the backup.
      2. Generate an encrypted backup on System A:
        db2 backup database <database_name>
          encrypt encrlib 'db2encr.dll'
          encropts 'Master Key Label=<label_backup_admin>'
    2. Extract the newly created master key from the key database:
      gsk8capicmd_64 -secretkey -extract -db <source-key-database-path> -stashed -label <label_backup_admin> -format ascii -target <extracted-key-file>
    3. Send the secret key file for the backup master key securely to the System B administrator.
    4. Have the System B administrator add the key to the keystore on System B:
      gsk8capicmd_64 -secretkey -add -db <destination-key-database-path> -stashed -label <label_backup_admin> -format ascii -file <extracted-key-file>
      Note: When adding the secret key used to encrypt the backup to the destination key database, the label used must be identical to the label of the secret key in the source key database.
    5. If a new master key is wanted for the new database copy:
      1. Have the System B administrator add the new master key for the database copy to the keystore on System B.
      2. Have the System B administrator restore the backup image on System B specifying the new master key on the restore command:
        db2 restore database <database_name> encropts 'Master Key Label=<systemB_admin_label>'
          encrypt cipher aes key length <key_length_in_bits>
    6. If using the same master key as the backup for the new database copy, restore the backup image on System B:
      db2 restore database <database_name> encrypt;
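
The key hand-off in steps 3 and 4 of the second path, seen from System B, as an added example that is not part of the IBM procedure: it refuses a key file that group or others can access, checks it against a SHA-256 digest, runs the add command from step 4, and then removes the exported file. The function names, the GSK_CMD override, and the System A administrator sending the digest over a separate channel are assumptions.

```shell
#!/bin/sh
# Added example (not from the Db2 documentation): System B side of steps 3-4.
# Function names and the GSK_CMD override are hypothetical; the
# gsk8capicmd_64 options are the ones shown in step 4 of the procedure.
GSK_CMD=${GSK_CMD:-gsk8capicmd_64}

# True when neither group nor others have any permission on the file.
key_file_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# SHA-256 of the key file as lowercase hex.
key_digest() {
    sha256sum < "$1" | cut -d' ' -f1
}

# import_backup_key <key-file> <expected-sha256> <key-db> <label>
# Returns: 0 imported, 2 file missing, 3 file too permissive,
#          4 digest mismatch, 5 import command failed.
import_backup_key() {
    [ -f "$1" ] || { echo "key file not found: $1" >&2; return 2; }
    key_file_is_private "$1" || {
        echo "refusing $1: accessible by group or others" >&2; return 3; }
    [ "$(key_digest "$1")" = "$2" ] || {
        echo "digest mismatch for $1" >&2; return 4; }
    # The label must be identical to the label in the source key database.
    "$GSK_CMD" -secretkey -add -db "$3" -stashed -label "$4" \
        -format ascii -file "$1" || return 5
    # The key is now in the keystore; remove the exported copy.
    rm -f -- "$1"
}

# Run as: import_key.sh <key-file> <expected-sha256> <key-db> <label>
if [ "$#" -eq 4 ]; then
    import_backup_key "$@"
fi
```

On failure the key file is left in place so the administrator can inspect it; only a successful import deletes it.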