Technical Blog Post
Abstract
DB2LUW Simple steps to do backup/restore with Native Encrypted database
Body
I am creating this blog entry because I noticed there is confusion about how to simply back up a natively encrypted DB2
database and restore it to a different place.
There are good documents on the IBM site that cover the steps when the backup image itself is to be encrypted, but they may not give the specific details for the plain case.
For example,
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/t0070021.html
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/t0070099.html
https://www.ibm.com/developerworks/data/library/techarticle/dm-1504-master-encrypted-keys/index.html
I just wanted to document a simple case with the basic command syntax for when a general backup and restore is all that is needed.
================================================================================
Export the encryption key from the source:
db2 connect to <source-db-name>
db2 -x "select master_key_label from table(sysproc.admin_get_encryption_info());"
This returns the long master key label, which is then used to export the corresponding item from the keystore. Use the full path to the gskit binaries so that the proper GSKit libraries are referenced:
For example,
<source-inst-home>/sqllib/gskit/bin/gsk8capicmd_64 -cert -export -db <key-store-file-location>/<key-store-file-name> -stashed -label <the-long-label-from-last-command> -target thedb.key
NOTE: thedb.key is not password-protected and contains the encryption key that would allow your database to be restored elsewhere. Take appropriate precautions when storing or moving it.
Then back up the database on the source:
db2 backup database <db-name>
Copy thedb.key and the backup image file to the target box and keep them in a temporary path.
Import the key on the target from the temporary path into the local existing keystore:
<target-inst-home>/sqllib/gskit/bin/gsk8capicmd_64 -cert -import -db <temp-path>/thedb.key -target <target-key-store-path>/<target-key-store-file-name> -target_stashed
Then run the restore on the target:
db2 restore db <db-name> encrypt
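The steps above, wrapped in a POSIX shell script as an added example (this is not the post's own code, though it issues the same db2 and gsk8capicmd_64 commands). It assumes INSTHOME and KEYSTORE environment variables, and adds two checks the NOTE above motivates: the label query must return exactly one value, and the exported key file is restricted to its owner before it leaves the source and deleted from the temporary path after the import.

```shell
#!/bin/sh
# Added example, not from the original post: the post's steps as a script.
# Assumptions: INSTHOME is the DB2 instance home, KEYSTORE the full path to
# the local keystore file; db2 and gsk8capicmd_64 are the real IBM tools.
set -eu

# Normalise the "db2 -x" output: strip padding and require exactly one
# label, so the export never runs with an empty or multi-line -label value.
trim_label() {
  n=$(printf '%s\n' "$1" | grep -c '[^[:space:]]') || true
  [ "$n" -eq 1 ] || { echo "expected one master key label, got $n" >&2; return 1; }
  printf '%s' "$1" | tr -d '[:space:]'
}

# thedb.key is not password protected (see the NOTE above), so restrict it
# to the owner before it is copied anywhere; succeeds only if the mode is
# exactly rw------- afterwards (ls output is portable across Linux/AIX/macOS).
secure_key_file() {
  [ -f "$1" ] || { echo "$1: no such key file" >&2; return 1; }
  chmod 600 "$1"
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Source side: look up the label, export it, protect the file, take the backup.
export_and_backup() {
  db=$1; keyfile=$2
  db2 connect to "$db" >/dev/null
  raw=$(db2 -x "select master_key_label from table(sysproc.admin_get_encryption_info())")
  label=$(trim_label "$raw")
  db2 connect reset >/dev/null   # offline backup needs no open connection
  "$INSTHOME/sqllib/gskit/bin/gsk8capicmd_64" -cert -export -db "$KEYSTORE" \
    -stashed -label "$label" -target "$keyfile"
  secure_key_file "$keyfile"
  db2 backup database "$db"
}

# Target side: import the key from the temp path, restore, then remove the
# temporary unprotected copy of the key.
import_and_restore() {
  db=$1; keyfile=$2
  "$INSTHOME/sqllib/gskit/bin/gsk8capicmd_64" -cert -import -db "$keyfile" \
    -target "$KEYSTORE" -target_stashed
  db2 restore db "$db" encrypt
  rm -f "$keyfile"
}

# Usage: INSTHOME=... KEYSTORE=... sh migrate.sh source MYDB thedb.key       (on the source)
#        INSTHOME=... KEYSTORE=... sh migrate.sh target MYDB /tmp/thedb.key  (on the target)
case "${1:-}" in
  source) export_and_backup "$2" "$3" ;;
  target) import_and_restore "$2" "$3" ;;
esac
```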
====================================================================================
If there are no databases on the target yet, you only need to copy the entire keystore file from the source to the target and run a simple backup and restore, with just the ENCRYPT option on the restore.
UID
ibm11139920