Db2 native encryption

Db2 native encryption provides a built-in encryption capability to protect database backup images and key database files from inappropriate access while they are at rest on external storage media.

Important:

In response to CVE-2023-32342, for connections to KMIP key managers, Db2 releases with KI DT223175 will use the non-FIPS IBM Crypto for C (ICC) for TLS ciphers that use RSA key exchange by default, as the FIPS certified IBM Crypto for C (ICC) is vulnerable to CVE-2023-32342.

Customers with a requirement to use only FIPS 140 certified cryptographic modules must enable Strict FIPS mode. In strict FIPS mode, Db2 releases with KI DT223175 will disable all TLS ciphers and versions that are vulnerable to CVE-2023-32342.

The following restrictions will apply to connections to KMIP key managers when strict mode is enabled in Db2 releases that contain KI DT223175:
  • TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) will be disabled. All supported ECDHE ciphers will be enabled. For instances using RSA certificates, Db2 will automatically prefer TLS_ECDHE_RSA ciphers for TLS 1.2 and no certificate change is required.
  • TLS 1.3 is unaffected by CVE-2023-32342.
Enabling strict FIPS mode is done by setting the DB2AUTH registry variable to STRICT_FIPS. If the DB2AUTH variable is already set, append STRICT_FIPS to the existing options, separating multiple options with commas. For further details on strict FIPS mode, refer to Industry Standards.
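The following is an added example (not from the IBM documentation) of applying that setting without clobbering options already present in DB2AUTH. It assumes the instance's db2set CLI is on PATH and that the value is read and written at the instance level.

```shell
# merge_db2auth EXISTING -> prints the DB2AUTH value with STRICT_FIPS included.
# Pure string function, so it can be checked before anything touches the registry.
merge_db2auth() {
    existing="$1"
    # Idempotent: if STRICT_FIPS is already one of the comma-separated options,
    # return the value unchanged instead of appending a duplicate.
    case ",$existing," in
        *,STRICT_FIPS,*) printf '%s\n' "$existing"; return 0 ;;
    esac
    if [ -z "$existing" ]; then
        printf '%s\n' "STRICT_FIPS"
    else
        printf '%s,%s\n' "$existing" "STRICT_FIPS"
    fi
}

# enable_strict_fips: read the current DB2AUTH value (empty when unset), merge
# STRICT_FIPS into it and write it back with db2set. Assumes db2set is on PATH.
enable_strict_fips() {
    current=$(db2set DB2AUTH 2>/dev/null || true)
    new=$(merge_db2auth "$current")
    db2set DB2AUTH="$new" || return 1
    # Re-read so the operator sees what the registry actually holds now.
    printf 'DB2AUTH=%s\n' "$(db2set DB2AUTH)"
}
```

Registry variable changes generally take effect only after the instance is restarted (db2stop/db2start), so re-check the KMIP connection after the restart rather than immediately.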

Encryption is a key component in the protection of offline data. Many government regulations and industry standards require its use.

Db2 native encryption offers the following:
  • simple deployment
  • no changes required to the data schema or database applications
  • free use on all supported Db2 platforms and configurations
The encryption capabilities that are used by Db2 are FIPS 140-2 certified and employ NIST SP 800-131A compliant cryptographic algorithms. Db2 also automatically detects and uses any underlying CPU hardware acceleration for encryption when available.
When you encrypt a database, Db2 native encryption protects all files that contain your data, such as:
  • All table spaces (both system-defined and user-defined)
  • All types of data in a table space (including LOB and XML data types)
  • All transaction logs, including archived log files
  • LOAD COPY data
  • LOAD staging files
Db2 native encryption can also be used to encrypt database backups, even if the source database is not encrypted.