Technical Blog Post
Master Key rotation in pureScale
In purescale, when you rotate the “Master Key” on one member, it does not immediately reflect on other members, when you check it with db2pd -enc command.
1> Suppose Master key rotation is achieved using below command on member 0 :
db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY (NULL)"
Value of output parameter
Parameter Name : LABEL
Parameter Value : DB2_SYSGEN_xxxxxx_xxxx_2018-08-11-11.18.52
Return Status = 0
Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-08-11-11.18.52
Master Key Rotation Timestamp: 2018-08-11-11.18.52.000000
Previous Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-03-04-05.34.25
3> Checking it on other member :
MEMBER 1 $ db2pd -db psdb -enc
Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-03-04-05.34.25
Master Key Rotation Timestamp: 2018-03-04-05.34.25.000000
Previous Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2017-10-17-14.47.11
One of our customer did a Deactivate/Activate DB after which the member 1 also reflected the new Master key in db2pd -enc command.
Is it needed ? Why doesn't the new master key get reflected in other members right away ?
When you next rotate the database Master Key in purescale, use the following command first to check the key rotation on the "other” member instead of db2pd :
db2 "select OBJECT_TYPE, OBJECT_NAME, MASTER_KEY_LABEL, ROTATION_TIME from table(sysproc.admin_get_encryp
It should show that the master key has been rotated properly. db2pd -enc on both/all members should then match when run afterwards.
db2pd -enc looks at an in-memory copy of the encryption information. It will not be refreshed on other member/s until it is needed, such as when transactions/logs are being committed to disk, you are querying the encryption info table function, or during database activation.
A lack of activity on the other member explains the situation and the db2pd -enc showing old value from memory.