Data encryption

The Db2® database system offers several ways to encrypt data, both while in storage, and while in transit over the network.

Encrypting data at rest

Important: The DATA_ENCRYPT authentication type is deprecated and might be removed in a future release. To encrypt data in transit between clients and Db2 databases, we recommend that you use the Db2 database system support of Transport Layer Security (TLS). For more information, see Encryption of data in transit.
You have the following options for encrypting data at rest:
  • You can use Db2 native encryption to encrypt your databases and backup images.
  • You can use IBM® InfoSphere® Guardium® Data Encryption to encrypt the underlying operating system data and backup files.
  • You can use encrypted file system (EFS) to encrypt your operating system data and backup files. Use EFS if you are running a Db2 system on the AIX® operating system, and you are interested in file-level encryption only.

Encrypting data in transit

To encrypt data in transit between clients and Db2 databases, use the Db2 database system support of Transport Layer Security (TLS).

Attention: TLS was developed in 1999 as the successor to the popular encryption protocol Secure Sockets Layer (SSL). Because of the popularity of SSL, the acronym is now synonymous with encryption technology and, by association, with TLS. As a result, some Db2 commands and database objects that are related to TLS encryption still contain 'ssl' in their names. However, Db2 does not use the SSL protocol for data encryption. Any references to SSL in this guide can be interpreted as TLS.
  • We recommend that you use Db2 support for TLS to encrypt communication between the following:
    • Db2 clients and servers
    • Primary and Standby nodes in a Db2 HADR environment
    • Db2 clients and a Db2 Federation server
      Note: Db2 Federation Server also supports TLS encryption of outbound transmissions to some data sources.
Note: DATA_ENCRYPT and SERVER_ENCRYPT with DES use algorithms that are not compliant with NIST SP 800-131A. If you must comply with NIST SP 800-131A, they must not be used. If compliance with NIST SP 800-131A is not an issue, they are still valid.
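As an added example (not IBM's code), the following Python check parses a constructed `db2 get dbm cfg` dump and flags the in-transit settings this page warns about: the deprecated DATA_ENCRYPT type, SERVER_ENCRYPT where DES can still be negotiated, and a TLS listener that is not configured. The parameter names ALTERNATE_AUTH_ENC, SSL_SVCENAME, SSL_SVR_KEYDB and SSL_SVR_STASH, the "(PARAMETER) = value" output layout, and the sample values are assumptions about the Db2 configuration dump, not taken from this page.

```python
import re
from typing import Dict, List

# Constructed sample of `db2 get dbm cfg` output (not captured from a real
# server); only the authentication and TLS related lines are shown.
SAMPLE_DBM_CFG = """\
          Database Manager Configuration

 Database manager authentication        (AUTHENTICATION) = DATA_ENCRYPT
 Alternate authentication           (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
 TCP/IP Service name                          (SVCENAME) = db2c_db2inst1
 SSL service name                         (SSL_SVCENAME) =
 SSL server keydb file                   (SSL_SVR_KEYDB) =
 SSL server stash file                   (SSL_SVR_STASH) =
 SSL server certificate label            (SSL_SVR_LABEL) =
"""

# Assumed layout: each parameter line ends in "(PARAMETER) = value", value may be empty.
_PARAM_RE = re.compile(r"\(([A-Z][A-Z0-9_]*)\)\s*=\s*(.*?)\s*$")


def parse_dbm_cfg(text: str) -> Dict[str, str]:
    """Return {PARAMETER: value} for every parameter line in the cfg dump."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        match = _PARAM_RE.search(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def audit_dbm_cfg(text: str) -> List[str]:
    """List settings that conflict with the TLS / NIST SP 800-131A guidance above."""
    cfg = parse_dbm_cfg(text)
    findings: List[str] = []
    auth = cfg.get("AUTHENTICATION", "").upper()
    alt_enc = cfg.get("ALTERNATE_AUTH_ENC", "").upper()
    if auth.startswith("DATA_ENCRYPT"):  # includes any DATA_ENCRYPT* variant
        findings.append(f"AUTHENTICATION={auth}: deprecated and not NIST SP 800-131A compliant; use TLS")
    elif auth == "SERVER_ENCRYPT" and alt_enc != "AES_ONLY":
        # Assumption: only ALTERNATE_AUTH_ENC=AES_ONLY rules out the DES algorithm;
        # NOT_SPECIFIED or AES_CMP leave a DES fallback available to clients.
        findings.append(f"AUTHENTICATION=SERVER_ENCRYPT with ALTERNATE_AUTH_ENC={alt_enc}: DES may be used")
    # A TLS listener needs a service name plus a server key database and its stash
    # (the DB2COMM registry variable must also include SSL; it is not in dbm cfg).
    missing = [p for p in ("SSL_SVCENAME", "SSL_SVR_KEYDB", "SSL_SVR_STASH") if not cfg.get(p)]
    if missing:
        findings.append("TLS listener not configured; empty parameters: " + ", ".join(missing))
    return findings
```

Feed it `db2 get dbm cfg` output on a real instance via `audit_dbm_cfg(open(path).read())`; an empty list means none of the three conditions was found.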