Technical Blog Post
Abstract
Hands-on example for a new encrypted database
Body
For DB2 native database encryption, we have the following link, but it does not include exact command output or cfg samples.
Therefore, I am sharing the actual output of the commands used for database encryption, together with the files those commands create.
As written in the link above, we should follow the steps below to create a new encrypted database.
-------------------------------------------
1. create keystore file (key database)
2. create database with 'ENCRYPT' option.
-------------------------------------------
Let me elaborate on those two steps.
1. create keystore file (key database)
1-1. create keystore file with stash file
$ /home2/db2ins35/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db ccardskeystore.p12 -pw Str0ngPassw0rd -strong -type pkcs12 -stash
1-2. stash file and keystore file
/home2/db2ins35/tst_encrypt> ls -al
total 16
drwxr-xr-x 2 db2ins35 db2iadm 256 Nov 16 09:45 .
drwxr-xr-x 12 db2ins35 db2iadm 4096 Nov 16 09:45 ..
-rw------- 1 db2ins35 db2iadm 0 Nov 16 09:37 ccardskeystore.p12
-rw------- 1 db2ins35 db2iadm 129 Nov 16 09:37 ccardskeystore.sth
>>>>> as you can see, the p12 file and the stash file have been created
1-3. update the dbm cfg for keystore file
/home2/db2ins35/tst_encrypt> db2 "update dbm cfg using keystore_type pkcs12 keystore_location /home2/db2ins35/tst_encrypt/ccardskeystore.p12"
DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.
/home2/db2ins35/tst_encrypt> db2 get dbm cfg | grep -i keystore
Keystore type (KEYSTORE_TYPE) = PKCS12
Keystore location (KEYSTORE_LOCATION) = /home2/db2ins35/tst_encrypt/ccardskeystore.p12
>>>>> you can check that the keystore-related configuration parameters have been updated.
2. create database with 'ENCRYPT' option
- By creating the DB with the ENCRYPT option, a master key for the database is automatically generated and added to the keystore file.
- Encrypting data "in place" is not supported. To encrypt an existing database, create a database backup image and then restore that image into a new database with encryption enabled.
2-1. create db mydb encrypt
/home2/db2ins35/tst_encrypt> db2 create db mydb encrypt
DB20000I The CREATE DATABASE command completed successfully.
2-2. ENCRLIB and ENCROPTS are updated automatically.
/home2/db2ins35/tst_encrypt> db2 get db cfg for mydb | grep -i encr
Encryption Library for Backup (ENCRLIB) = libdb2encr.a
Encryption Options for Backup (ENCROPTS) = CIPHER=AES:MODE=CBC:KEY LENGTH=256
Encrypted database = YES
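As an added example (not code from the original post), the following POSIX shell script checks the results of the steps above: that a keystore or stash file is readable only by the instance owner, as in the -rw------- listing in step 1-2, and that "db2 get db cfg" output reports the database as encrypted with AES-256, as in step 2-2. The function names and the sample cfg text are my own assumptions, constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not code from the original post: checks that the keystore/stash
# files and the db cfg output look like the results shown in steps 1-2 and 2-2.
# Function names and the sample text below are my own (constructed) assumptions.

# Succeed only if FILE is a regular file readable by its owner alone
# (the -rw------- mode gsk8capicmd gave the .p12 and .sth files in step 1-2).
keystore_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read "db2 get db cfg" text on stdin; succeed only when the database reports
# "Encrypted database = YES" and ENCROPTS selects AES with a 256-bit key.
# ENCRLIB/ENCROPTS govern backup-image encryption; the YES flag covers the data.
cfg_encryption_ok() {
    awk '
        /Encrypted database *= *YES/                         { enc = 1 }
        /\(ENCROPTS\)/ && /CIPHER=AES/ && /KEY LENGTH=256/   { opts = 1 }
        END { if (enc && opts) exit 0; exit 1 }
    '
}

# Live check against an instance (hypothetical wrapper around the db2 CLI
# command used in step 2-2); not run here.
verify_db_encryption() {
    db2 get db cfg for "$1" | cfg_encryption_ok
}

# Constructed sample mirroring the step 2-2 output for mydb.
SAMPLE_CFG='Encryption Library for Backup (ENCRLIB) = libdb2encr.a
Encryption Options for Backup (ENCROPTS) = CIPHER=AES:MODE=CBC:KEY LENGTH=256
Encrypted database = YES'

# Constructed negative sample: a database created without ENCRYPT.
SAMPLE_CFG_PLAIN='Encryption Library for Backup (ENCRLIB) =
Encryption Options for Backup (ENCROPTS) =
Encrypted database = NO'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_CFG" | cfg_encryption_ok && echo "sample: encrypted"
printf '%s\n' "$SAMPLE_CFG_PLAIN" | cfg_encryption_ok || echo "plain sample: NOT encrypted"
```

On a real instance, run verify_db_encryption mydb as the instance owner and keystore_perms_ok on both the .p12 and .sth paths from step 1-2.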
For more information about keystore, master key, stash file, encryption configuration parameters and so on, please check the following link.
UID
ibm13286179