Adding a master key to a local keystore

With Db2® native encryption, when you create a database with the ENCRYPT parameter, by default the database manager creates a new master key for the database and adds that master key to the keystore. Alternatively, you can generate a master key in a local keystore yourself, and then specify that your generated master key should be used for a new database instead of the default.

Procedure

Generate a master key in an existing, local keystore by issuing the gsk8capicmd_64 command.
Example

gsk8capicmd_64 -secretkey -create -db "/home/thomas/keystores/ne-keystore.p12" 
    -stashed -label "my_manual_master_key" -size "16"
Basic syntax

gsk8capicmd_64 -secretkey -create -db "<keystore-file-name>"
    [-pw "<password>" | -stashed ]
    -label "<label>" -size "<key-length-in-bytes>"
  • <keystore-file-name> is the full path and name of the keystore file.
  • <label> is the name under which the key is stored; you refer to the master key by this label later, for example when you create the database.
  • <key-length-in-bytes> is the length of the master key in bytes, so the value 16 in the example produces a 128-bit key.
  • If the keystore password is stashed, specify the -stashed parameter to have the password retrieved from the stash file.
  • If the password is not stashed, you can specify it with the -pw parameter. A password given this way appears on the command line, where other users on the system can read it from the process list or shell history, so prefer the stashed password or the interactive prompt.
  • If neither -stashed nor -pw is specified, you are prompted for the keystore password.

For information about the full syntax of the gsk8capicmd_64 command, see the GSKCapiCmd User Guide.
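The following script is an added example; it is not part of the Db2 documentation or of GSKit. It wraps the gsk8capicmd_64 -secretkey -create step above with the checks a practitioner would want before touching a keystore (the keystore and its stash file exist, the label is well formed, the size is one of the AES key lengths 16, 24 or 32 bytes), always uses -stashed rather than -pw, and then prints the CREATE DATABASE statement whose MASTER KEY LABEL clause selects the generated key instead of the default. The GSKCAPICMD variable is a hypothetical addition so the command can be swapped out for a dry run; the script assumes the stash file sits next to the keystore with the same base name and a .sth extension, and that the keystore is the one named in the instance's KEYSTORE_LOCATION setting.

```shell
#!/bin/sh
# Added example, not from the Db2 documentation or from GSKit: a wrapper for
# the "gsk8capicmd_64 -secretkey -create" step that validates its inputs
# before touching the keystore and then prints the CREATE DATABASE statement
# that selects the new key. Assumptions: GSKCAPICMD (hypothetical variable)
# names the command to run so it can be replaced for a dry run; the keystore
# password is stashed in <keystore-base>.sth next to the keystore.

: "${GSKCAPICMD:=gsk8capicmd_64}"

# -size is given in bytes; only the three AES key lengths are accepted.
key_bits_for_size() {
  case "$1" in
    16) echo 128 ;;
    24) echo 192 ;;
    32) echo 256 ;;
    *)  echo "unsupported master key size: $1 bytes (use 16, 24 or 32)" >&2
        return 1 ;;
  esac
}

# create_master_key <keystore-file> <label> <key-length-in-bytes>
# Generates the key using the stashed password only: -pw would put the
# keystore password on the command line, visible to ps and shell history.
create_master_key() {
  keystore=$1 label=$2 size=$3
  stash="${keystore%.*}.sth"
  [ -f "$keystore" ] || { echo "keystore not found: $keystore" >&2; return 1; }
  [ -f "$stash" ] || { echo "no stash file $stash; stash the keystore password first" >&2; return 1; }
  case "$label" in
    ''|*[!A-Za-z0-9_.-]*)
      echo "label must be non-empty and use only [A-Za-z0-9_.-]: '$label'" >&2
      return 1 ;;
  esac
  key_bits_for_size "$size" >/dev/null || return 1
  "$GSKCAPICMD" -secretkey -create -db "$keystore" -stashed -label "$label" -size "$size"
}

# create_db_statement <dbname> <label>
# The MASTER KEY LABEL clause of CREATE DATABASE ... ENCRYPT makes Db2 use
# this key rather than generating its own. The keystore holding the label
# must be the one configured as the instance's KEYSTORE_LOCATION.
create_db_statement() {
  printf 'CREATE DATABASE %s ENCRYPT MASTER KEY LABEL %s\n' "$1" "$2"
}

# Usage: sh ne-master-key.sh <keystore-file> <label> <size-bytes> <dbname>
if [ "$#" -eq 4 ]; then
  create_master_key "$1" "$2" "$3" && create_db_statement "$4" "$2"
fi
```

Run it as `sh ne-master-key.sh /home/thomas/keystores/ne-keystore.p12 my_manual_master_key 16 mydb` to reproduce the page's example and get the matching CREATE DATABASE statement; a bad size or label is rejected before gsk8capicmd_64 is invoked, so no stray key ends up in the keystore.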