Technical Blog Post
Hands-on example for a new encrypted database
For DB2 native database encryption, we have the following link, but it does not include the exact command output or configuration samples.
Therefore, I am sharing the actual output of the commands used for database encryption, and the files those commands create.
As written in the link above, the following two steps create a new encrypted database.
-------------------------------------------
1. create keystore file(key database)
2. create database with 'ENCRYPT' option.
-------------------------------------------
Let me elaborate on each of those two steps.
1. create keystore file(key database)
1-1. create keystore file with stash file
$ /home2/db2ins35/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db ccardskeystore.p12 -pw Str0ngPassw0rd -strong -type pkcs12 -stash
1-2. stash files and keystore file
/home2/db2ins35/tst_encrypt> ls -al
total 16
drwxr-xr-x 2 db2ins35 db2iadm 256 Nov 16 09:45 .
drwxr-xr-x 12 db2ins35 db2iadm 4096 Nov 16 09:45 ..
-rw------- 1 db2ins35 db2iadm 0 Nov 16 09:37 ccardskeystore.p12
-rw------- 1 db2ins35 db2iadm 129 Nov 16 09:37 ccardskeystore.sth
>>>>> as you can see, the .p12 keystore file and the .sth stash file are created, both readable by the instance owner only
1-3. update the dbm cfg for keystore file
/home2/db2ins35/tst_encrypt> db2 "update dbm cfg using keystore_type pkcs12 keystore_location /home2/db2ins35/tst_encrypt/ccardskeystore.p12"
DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
/home2/db2ins35/tst_encrypt> db2 get dbm cfg | grep -i keystore
Keystore type (KEYSTORE_TYPE) = PKCS12
Keystore location (KEYSTORE_LOCATION) = /home2/db2ins35/tst_encrypt/ccardskeystore.p12
>>>>> you can confirm that the keystore-related configuration parameters are updated
2. create database with 'ENCRYPT' option
- By creating a DB with the ENCRYPT option, a master key for the database is automatically generated and added to the keystore file.
- Encrypting data "in place" is not supported. To encrypt an existing database, create a database backup image and then restore that image into a new database with encryption enabled.
2-1. create db mydb encrypt
/home2/db2ins35/tst_encrypt> db2 create db mydb encrypt
DB20000I The CREATE DATABASE command completed successfully.
2-2. ENCRLIB and ENCROPTS are updated automatically.
/home2/db2ins35/tst_encrypt> db2 get db cfg for mydb | grep -i encr
Encryption Library for Backup (ENCRLIB) = libdb2encr.a
Encryption Options for Backup (ENCROPTS) = CIPHER=AES:MODE=CBC:KEY LENGTH=256
Encrypted database = YES
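The two steps above, wrapped in a POSIX shell script with a dry-run mode and the checks a DBA would want around them. This is an added example, not code from the original post or from IBM: it reuses the paths, instance name and command options shown above, the password is a constructed placeholder, and the check that the keystore and stash files are readable by the instance owner only (the rw------- shown in step 1-2) and the check that "db2 get db cfg" reports "Encrypted database = YES" (step 2-2) are my additions.

```sh
#!/bin/sh
# Added example (not from the original post or from IBM). Defaults are the
# paths and names used in the post; override them with environment variables.
GSKIT="${GSKIT:-/home2/db2ins35/sqllib/gskit/bin/gsk8capicmd_64}"
KEYSTORE="${KEYSTORE:-/home2/db2ins35/tst_encrypt/ccardskeystore.p12}"
DBNAME="${DBNAME:-mydb}"

# run CMD...: execute CMD unless DRY_RUN is set (then do nothing and succeed).
run() {
    if [ -n "${DRY_RUN:-}" ]; then return 0; fi
    "$@"
}

# check_private_file FILE: succeed only if FILE is a regular file whose group
# and other permission bits are all clear (rw------- as in step 1-2).
check_private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# keystore_preflight KEYSTORE: the .p12 keystore and its .sth stash file must
# both exist and be private to the instance owner; the stash file is what lets
# the instance open the keystore without a password prompt, so it is as
# sensitive as the keystore itself.
keystore_preflight() {
    ks=$1
    sth="${ks%.p12}.sth"
    check_private_file "$ks"  || { echo "keystore $ks missing or too permissive" >&2; return 1; }
    check_private_file "$sth" || { echo "stash $sth missing or too permissive" >&2; return 1; }
}

# cfg_is_encrypted: read 'db2 get db cfg for <db>' output on stdin and succeed
# only if it reports the database as encrypted (the last line of step 2-2).
cfg_is_encrypted() {
    grep -Eq '^ *Encrypted database *= *YES *$'
}

# create_encrypted_db PASSWORD: steps 1-1, 1-3 and 2-1 in order, with the
# keystore pre-flight between 1-1 and 1-3 and the cfg check after 2-1.
# The password is never echoed; only a redacted form of the command is logged.
create_encrypted_db() {
    pw=$1
    echo "+ $GSKIT -keydb -create -db $KEYSTORE -pw ******** -strong -type pkcs12 -stash"
    run "$GSKIT" -keydb -create -db "$KEYSTORE" -pw "$pw" -strong -type pkcs12 -stash || return 1
    if [ -z "${DRY_RUN:-}" ]; then keystore_preflight "$KEYSTORE" || return 1; fi
    echo "+ db2 update dbm cfg using keystore_type pkcs12 keystore_location $KEYSTORE"
    run db2 "update dbm cfg using keystore_type pkcs12 keystore_location $KEYSTORE" || return 1
    echo "+ db2 create db $DBNAME encrypt"
    run db2 "create db $DBNAME encrypt" || return 1
    if [ -z "${DRY_RUN:-}" ]; then
        db2 get db cfg for "$DBNAME" | cfg_is_encrypted || { echo "$DBNAME is not encrypted" >&2; return 1; }
    fi
    return 0
}

# Usage (real run as the instance owner, e.g. db2ins35):
#   . ./encrypt_db.sh && create_encrypted_db 'Str0ngPassw0rd'
# Usage (print the commands without running anything):
#   DRY_RUN=1 . ./encrypt_db.sh && create_encrypted_db 'Str0ngPassw0rd'
```

The post passes the keystore password on the gsk8capicmd_64 command line exactly as the script does; note that a password given that way is visible in the shell history of the instance owner and, while the command runs, to anyone who can list processes on the host, so clear the history entry after running it interactively and keep the .sth stash file as tightly permissioned as the .p12 file.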
For more information about the keystore, master key, stash file, encryption configuration parameters, and so on, please check the following link.