Adding a master key to a local keystore
With Db2® native encryption, when you create a database with the ENCRYPT parameter, by default the database manager creates a new master key for the database and adds that master key to the keystore. Alternatively, you can generate a master key in a local keystore yourself, and then specify that your generated master key should be used for a new database instead of the default.
Procedure
Generate a master key in an existing, local keystore by issuing the gsk8capicmd_64 command.
Example:

gsk8capicmd_64 -secretkey -create -db "/home/thomas/keystores/ne-keystore.p12" -stashed -label "my_manual_master_key" -size "16"

Basic syntax:

gsk8capicmd_64 -secretkey -create -db "<keystore-file-name>" [-pw "<password>" | -stashed ] -label "<label>" -size "<key-length-in-bytes>"

- <keystore-file-name> is the full path and name of the keystore file
- If the keystore password is stashed, you can specify the -stashed parameter to cause the password to be retrieved from the stash file
- If the password is not stashed, you may specify the password with the -pw parameter
- If neither -stashed nor -pw is specified, you will be prompted for the keystore password
For information about the full syntax of the gsk8capicmd_64 command, see the GSKCapiCmd User Guide.