To restore a backup image to a different system, the local keystore file on that system
must have the master key that is used by all the entities that are involved in the restoration. The
entities include the backup image and potentially the transaction log files from the source system.
If the database on the target system is also to be encrypted, it too needs to reference a master key
in the local keystore file on the target system.
About this task
A simple way to achieve this goal is to copy the keystore file
securely from the source system to the target system. If needed, add a new master key to the target
system for the new copy of the database. You can also copy the needed master keys to the target
system and then add them to the local keystore file.
Procedure
The procedure depends on the security protocol:
- When the source system keystore file is to be copied to the target system:
- Use a secure copy protocol such as SCP to copy the keystore and its associated stash
file from System A to System B. SCP is available with most Secure Shell (SSH) implementations.
- Update the value of the keystore_location database manager configuration parameter to
point to the copied keystore on System B.
- If a new master key is wanted for the new database copy:
- Have the System B administrator add the new master key for the database copy to the keystore on
System B.
- Have the System B administrator restore the backup image on System B, specifying the new master
key on the restore command:
db2 restore database <database_name> encropts 'Master Key Label=<systemB_admin_label>' encrypt cipher aes key length <key_length_in_bits>
- If using the same master key as the original database for the new copy, restore the
backup image on System B:
db2 restore database <database_name> encrypt;
- When the source system keystore file is not going to be used for the new system:
- Add a new master key for the backup:
- Add a new master key to the local keystore file on the source system for use
by the backup.
- Generate an encrypted backup on System A:
db2 backup database <database_name> encrypt encrlib 'db2encr.dll' encropts 'Master Key Label=<label_backup_admin>'
- Extract the newly created master key from the key database:
gsk8capicmd_64 -secretkey -extract -db <source-key-database-path> -stashed -label <label_backup_admin> -format ascii -target <extracted-key-file>
- Send the secret key file for the backup master key securely to the System B
administrator.
- Have the System B administrator add the key to the keystore on System B:
gsk8capicmd_64 -secretkey -add -db <destination-key-database-path> -stashed -label <label_backup_admin> -format ascii -file <extracted-key-file>
Note: When adding the secret key used to encrypt the backup to the destination key database, the
label used must be identical to the label of the secret key in the source key
database.
- If a new master key is wanted for the new database copy:
- Have the System B administrator add the new master key for the database copy to the keystore on
System B.
- Have the System B administrator restore the backup image on System B, specifying the new master
key on the restore command:
db2 restore database <database_name> encropts 'Master Key Label=<systemB_admin_label>' encrypt cipher aes key length <key_length_in_bits>
- If using the same master key as the backup for the new database copy, restore the
backup image on System B:
db2 restore database <database_name> encrypt;
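The second procedure, scripted for the System A side, as an added example that is not part of this page: the gsk8capicmd_64 and db2 command forms are the ones shown above, while the helper names, the scp transfer, the removal of the extracted key file and the permission check are my own assumptions (POSIX shell with GNU or BSD stat).

```shell
#!/bin/sh
# Added example, not from the original page: scripts the System A side of the
# "source keystore is not reused" procedure. The gsk8capicmd_64 and db2 command
# forms are the ones in the text; helper names, the scp step and the
# permission check are assumptions of this example.
set -eu

# Db2 native encryption accepts AES key lengths of 128, 192 or 256 bits.
valid_key_length() {
    case "$1" in 128|192|256) return 0 ;; *) return 1 ;; esac
}

# Command handed to the System B administrator. It is built from the same
# label used at extraction time, so the two labels cannot drift apart
# (the Note in the procedure requires them to be identical).
add_cmd() {   # $1 = destination keystore path, $2 = label, $3 = key file
    printf '%s' "gsk8capicmd_64 -secretkey -add -db $1 -stashed -label $2 -format ascii -file $3"
}

restore_cmd() {   # $1 = database, $2 = label, $3 = AES key length in bits
    valid_key_length "$3" || { echo "unsupported AES key length: $3" >&2; return 1; }
    printf '%s' "db2 restore database $1 encropts 'Master Key Label=$2' encrypt cipher aes key length $3"
}

# The extracted file holds the master key in clear text: only its owner may read it.
file_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Extract the backup master key on System A, send it to System B over scp,
# then remove the local clear-text copy and print the command System B must run.
# Usage: ./transfer_key.sh --run <src-keystore> <label> <key-file> <systemB-host> <dst-keystore>
run_flow() {
    src_db=$1; label=$2; keyfile=$3; host=$4; dst_db=$5
    umask 077    # files created from here on are owner-only
    gsk8capicmd_64 -secretkey -extract -db "$src_db" -stashed -label "$label" -format ascii -target "$keyfile"
    file_is_private "$keyfile" || { echo "refusing to send $keyfile: readable by others" >&2; return 1; }
    scp "$keyfile" "$host:$keyfile"
    rm -f "$keyfile"
    echo "System B: $(add_cmd "$dst_db" "$label" "$keyfile")"
}

if [ "${1:-}" = "--run" ]; then shift; run_flow "$@"; fi
```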