ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA

7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA

1/84

2015 IBMCorporation

Exploring IBM DB2Encryption Technology

Presenter: Marcin BasterDB2 LUW Advanced Support Analyst

IBM Analytic Platform Client Success and Smarter Support


2/84

2015 IBMCorporation

2

Disclaimer

The information contained in this presentation is provided for informational purposes only.

While efforts were made to verify the completeness and accuracy of the information contained in thispresentation, it is provided as is, without warranty of any kind, express or implied.

In addition, this information is based on IBMs current product plans and strategy, which are subject to

change by IBM without notice.

IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, thispresentation or any other documentation.

Nothing contained in this presentation is intended to, or shall have the effect of:

Creating any warranty or representation from IBM (or its affiliates or its or their suppliers and/orlicensors); or

Altering the terms and conditions of the applicable license agreement governing the use of IBMsoftware.

Performance is based on measurements and projections using standard IBM benchmarks in acontrolled environment. The actual throughput or performance that any user will experience will vary

depending upon many factors, including considerations such as the amount of multiprogramming in theuser's job stream, the I/O configuration, the storage configuration, and the workload processed.Therefore, no assurance can be given that an individual user will achieve results similar to those stated

here.


3/84

2015 IBMCorporation

March 26, 2015

PART ONE

Encryption highlights


4/84

2015 IBMCorporation

Agenda

IBM DB2 Encryption Offering Data encryption requirements Offering overview Functionality Highlights

Encryption overview Encryption keys, algorithms, and security strengths Encryption key managment

Key management GSKit Overview Keystore and key creation, deletion, reporting, exporting, and importing

Encrypting databases

Backup and restore

Utilities, diagnostics and other considerations


5/84


6/84

2015 IBMCorporation

Data Encryption Requirements

Meet compliance requirements Industry standards such as PCI DSS Regulations such as HIPAA Corporate standards

Protect against threats to online data Users accessing database data outside the scope of the DBMS

Protect against threats to offline data Theft or loss of physical media

Reduce the cost of security and compliance No third-party add-on tools required Easy to consume by DB2 bundlers such as ISVs


7/84

2015 IBMCorporation

IBM DB2 Encryption Offering

Simple to deploy in cloud, software, or appliance

Encrypts online data and backups

Transparent No application or schema changes

Built-in secure and transparent key management

Compliant, e.g. NIST SP 800-131 compliant cryptographic algorithms Uses FIPS 140-2 certified encryption

Runs wherever DB2 runs!

Exploits available HW acceleration (AES encryption only) Intel supported


8/84

2015 IBMCorporation

IBM DB2 Encryption Offering Licensing

License available for these editions:

DB2 Enterprise Server DB2 Workgroup Server DB2 Express Server

Included in these Editions

DB2 Advanced Enterprise Server DB2 Advanced Workgroup Server Express-C


9/84

2015 IBMCorporation

Create database Highlights

Encrypting a new database is as simple as using the new ENCRYPT option

CREATE DATABASE mydb ENCRYPT

Default is AES 256

Other Algorithms and key lengths are possible

CREATE DATABASE mydb ENCRYPT CIPHER AES KEY LENGTH 128

CREATE DATABASE mydb ENCRYPT CIPHER 3DES KEY LENGTH 168


10/84

2015 IBMCorporation

Backup highlights

Leverages existing interface for calling out to an external library

Same encryption algorithm choices as for database

Non-encrypted databases can also have backups encrypted

Automated backup encryption through use of new ENCRLIB/ENCROPTSdatabase configuration parameters

Use of encryption for backups enforced by SECADM Automation turned on by default when an encrypted database is created


11/84

2015 IBMCorporation

Key Management Highlights

Industry standard 2-tier model Actual data is encrypted with a Data Encryption Key (DEK) DEK is encrypted with a Master Key (MK)

DEK is managed within the database, MK is managed externally

MK is stored within a PKCS#12 compliant keystore

Encrypted keystore file containing master keys

Keystore backup is the responsibility of the customer

Support for master key rotation through new procedure

ADMIN_ROTATE_MASTER_KEY()


12/84

2015 IBMCorporation

Database Objects that are Encrypted

All user data in a database is encrypted All table spaces (system defined and user defined) All types of data in a table space (LOB, XML, etc. ) All transaction logs including logs in the archives

All LOAD COPY data All LOAD staging files All dump .bin files All backup images

Additional objects that are encrypted

Encryption keys in memory, except for the time they are actually used Keystore passwords when transparently communicated from one member/ partition to

another upon restart


13/84

2015 IBMCorporation

March 26, 2015

PART TWO

Encryption overview


14/84

2015 IBMCorporation

Encryption Key

The sequence that controls the operation of thecryptographic algorithm

The number of bits in a key is called key length

The length of the key reflects the difficulty to decrypt a plaintext encrypted

with that key

A 256 bit key has 2

256

distinct values in its key space

Encryption EncryptionPlaintext PlaintextCiphertext

Key Key


15/84

2015 IBMCorporation

Symmetric Encryption Algorithms

A cryptographic algorithm that uses the same key for both encryption anddecryption

AES and 3DES are the most famous symmetricencryption algorithms

Encryption

Original MessageEncrypted Message

Secret Key

Decryption

Encrypted Message Original MessageSecret Key


16/84

2015 IBMCorporation

Asymmetric Encryption Algorithms

A cryptographic algorithm that uses one key for encryption and another keyfor decryption

The encryption key is called a public key The decryption key is called a privatekey

The public key and private key are different butmathematically related

It is not feasible to derive the private key from the public key in anyreasonable time

RSA, ECC, and Diffie-Hellman are the most famous examples

Encryption EncryptionPlaintext PlaintextCiphertext

Public Key Private Key


17/84

2015 IBMCorporation

Approximate Equivalence in Security Strength

Symmetric Key

Length (AES)

Asymmetric Key

Length (RSA)

Asymmetric Key

Length (ECC)

- 1024 160

- 2048 224

128 3072 256

192 7680 384

256 15360 512


18/84

2015 IBMCorporation

Encryption Key Wrapping

The process of encrypting one key with another key

The key encrypting key is typically referred to as a master key

The master key is typically stored separately from the data system

The top drivers for this 2- tier encryption approach are:

Security: Compromise of the data system does not mean compromise of the data asthe master key is stored outside the data system

Performance: Complying with key rotation requirements does notmean re-encryptingthe actual data; only the data encryption key is re-encrypted with a new master key

DB2 Implements the industry standard 2-tier model Actual data is encrypted with a Data Encryption Key (DEK) DEK is encrypted with a Master Key (MK)


19/84

2015 IBMCorporation

Encryption Key Management

Refers to the secure management of keys during their lifecycle Creation, distribution, expiration, deletion, backup, restore, etc. Protection of encryption keys including access control and encryption

Public Key Cryptography Standard (PKCS) #12: A password-protected keystore with a format for storing encryption keys Local keystore file Stores master keys Might recognize this as keystore for SSL certificates


20/84

2015 IBMCorporation

PassW0rd

Master Key and Data Key Relationships

A Keystore is created locally and has a strong password associated with it:

Keystore

Master Keys with Labels are created in order to encrypt database keys:

The keystore must be available to the DB2instance in order to get the Master Keysrequired for encryption and decryption.

SECRET.DB2INST1.2015.02.01

Key Label Key

Keystore

DB2 can generate Master Keys andLabels automatically for the user.

Creating your own labels will requirethat you generate an encryption key.

Database Keys are generated internally by DB2 and are used to encrypt the database:

DB2 Key SECRET.DB2INST1.2015.02.01

Key Label Key

The DB2 encryption key is itselfencrypted within the database imageby using the Master Key found within

the keystore.


21/84

2015 IBMCorporation

March 26, 2015

PART TWO

Master Key Management


22/84

2015 IBMCorporation

IBM Global Security Kit

DB2 Encryption uses the IBM Global Security Kit (GSKit) forkey management and encryption

This component is installed as part of DB2 Located in the /sqllib/gskit directory

GSKit libraries are used to create, store, and manage the keys required for encryptingdatabases FIPS 140-2 certified encryption library gsk8capicmd_64 is command line tool to manage the keystore

Three GSKit command options are used for manipulating keys keydb

Used to create a keystore for use by DB2

secretkey Use for add master key labels to a keystore

cert Used for listing, deleting, importing, and exporting master key labels


23/84

2015 IBMCorporation

Creating a Keystore (keydb)

A keystore must be created and registered before using encryption A keystore must be created using the gsk8capicmdcommand gsk8capicmd_64 keydb create[-drop] db pw strong type stash

Parameters

Example gsk8capicmd_64 -keydb create -db ~/db2/db2keys.p12 -type pkcs12

-pw "Str0ngPassw0rd"

-strong -stash

Keyword Use

-keydb Indicates that the command will apply to a keystore.

-create or -drop Create (or drop) a keystore.

-db Keystore filename. The keystore must be available to the DB2 instance.

-type Must be pkcs12.

-pw Password for the keystore (at least 14 characters long when -strong is used).

-strong Check that the password is non-trivial.

-stash Create a stash file to allow for commands to run without prompting for password.


24/84

2015 IBMCorporation

Stash File Considerations

When the -stash option is specified during the create action, an obfuscatedversion of the keystore password is stashed in a file:

.sth

A stash file is used as an automatic way of providing a password If a keystore password was not provided during db2start, the password will be retrieved

from the stash file

The stash file can only be read by the instance owner

Not stashing the password enhances security if the instance owner account becomescompromised

This additional security must be weighed against any requirements that the DB2instance can start without human intervention

If the password is not stashed, you cannot access an encrypted database until you

provide the keystore password.


25/84

2015 IBMCorporation

Starting DB2 without a Stash File

DB2 will start normally (no error condition returned) if a stash file is notpresent in the system

Database activation, or applications connecting to encrypted databases will

encounter an error condition:

SQL1728N The command or operation failed because the keystore could not be

accessed. Reason code "3".

The db2startcommand must be re-executed with the open keystoreoption to enable access to encrypted databasesdb2start open keystore USING KeySt0rePassw0rd

To avoid placing the password on the command line:

db2start open keystore will prompt for password For scripts of other executables, supply the password through either a

temporary file or open file descriptordb2startopen keystore PASSARG FILENAME: | FD:


26/84

2015 IBMCorporation

Creating Master Keys

DB2 will generate master keys for you automatically during: Database Creation Key rotation Restoring into a new database

DB2 master keys are always AES 256-bit This key is used to encrypt the database key, not the actual database

You may want to create a key with a specific label for a number

of reasons: You want to keep track of the Master Key Labels and their corresponding keys for

offsite recovery without having the entire keystore available on thebackup site

You have an HADR pair that must have synchronized keys You are encrypting a backup for an unencrypted database


27/84

2015 IBMCorporation

Creating a Master Key Label

A keystore must be created before adding a Master Key Label Also require write access to the keystore The gsk8capicmdis used to create a new master key gsk8capicmd_64 secretkey add db label file -stashed

Parameters

Examplegsk8capicmd_64 secretkey add -db ~/db2/db2keys.p12 -label secret.key

-stashed

-file ~/db2/mysecretkey

Keyword Use

-secretkey Indicates that the command will insert a new master key into an existing keystore

-add Add a key to the keystore (Note: You can't drop a key using this command)

-db Keystore filename

-label Name of the master label (text string)

-pw Password for the keystore if the stash file is not available

-file Location of the AES key that will be used to encrypt the database key

-stashed Use the stashed password to access the keystore


28/84

2015 IBMCorporation

Generating an AES Key for a Master Key Label

A secret key needs to be generated by the user before adding a master keyto the keystore

The secret key is used to encrypt the database key The strength of the secret key has no relationship to the actual encryption that takes

place within the database Recommendation is to use the highest level of AES encryption (256) for the database

key (same as DB2) Overhead is insignificant since the database key is not frequently decrypted

Generating a random key A key needs to be 16, 24, or 32 bytes wide Corresponds to 128, 192, or 256-bit AES keys

On Linux, UNIX, and AIX use the following command to generate a 32-byte randomstring (which represents a 256-bit AES key)head c 32 /dev/random >~/db2/mysecretkey


29/84

2015 IBMCorporation

Delete or List Master Key Labels

You can delete a master key or query the contents of a keystore by using thecert option of the GSKit commandgsk8capicmd_64 cert [-list|-delete]

Parameters

Examplesgsk8capicmd_64 cert list -db ~/db2/db2keys.p12 stashed

gsk8capicmd_64 cert delete db ~/db2/db2keys.p12 -stashed

-label secret.key

Common Keywords Use

-db Absolute location of the keystore



Delete Use

-delete -label Name of the master key label (text string)

List Use

-list List all of the master keys in the keystore


30/84

2015 IBMCorporation

Exporting a Master Key Label

A secure method of moving a key (to import to another keystore) involvesthe use of the cert option of the GSKit command

gsk8capicmd_64 cert -exportdb label target target_pw

Parameters

Examplegsk8capicmd_64 cert export -db ~/db2/db2keys.p12 -stashed

-label secret.key target ~/db2/exportedkey.p12 target_type pkcs12

-target_pw Str0ngPassw0rd

Keywords Use

-export Tells the command to export a master key into a file

-db Absolute location of the keystore



-label Name of the master key label (text string)

-target Name of the file to place the contents of the keystore into

-target_pw Password used to encrypt this file

-target_type Type of file (pkcs12)


31/84

2015 IBMCorporation

Importing a Master Key Label

The import option on the cert command is used to import the master keyinto an existing keystore (usually at a backup site)

Note that the target file is the keystore on the backup systemgsk8capicmd_64 cert -importdb label target target_pw

Parameters

Examplegsk8capicmd_64 cert import -db ~/db2/exportedkey.p12 -stashed

-pw Str0ngPassw0rd -label secret.key

target ~/db2/db2keys.p12 target_type pkcs12

Keywords Use

-import Tells the command to import a master key into a file

-db Absolute location of the key that we want to import (not the current keystore)


-pw Password for the key that we exported from the original keystore-label Name of the master key label that we want to import

-target Name of the local keystore file to place the contents of the master key into.

-target_pw Password for the keystore file, but you can use the stashed option

-target_type Type of file (pkcs12)


32/84

2015 IBMCorporation

Registering the Keystore in DB2

After creating a keystore file, the DB2 instance must be updated with thelocation and type of keystore

Two new configuration parameters KEYSTORE_TYPE Type of keystore being used (either NULLor PKCS12) KEYSTORE_LOCATION Absolute location of the keystore (or NULLif none)

A DB2 instance can only have one keystore The system could have keystores for other applications, but DB2 only supports one

keystore at the instance level

Best practice is to update both parameters simultaneouslyUPDATE DBM CFG USING

KEYSTORE_TYPE PKCS12

KEYSTORE_LOCATION "/home/db2inst1/db2/db2keys.p12"

To remove a keystore from an instance, set the values toNONEandNULL

UPDATE DBM CFG USING KEYSTORE_TYPE NONE KEYSTORE_LOCATION NULL


33/84

2015 IBMCorporation

March 26, 2015

PART TWO

Encrypting DB2 Databases


34/84

2015 IBMCorporation

Encrypting Online Data

Once the keystore has been created and registered, and (optional) a masterkey created, you can encrypt a database

Encryption can be requested via a new option on the CREATE DATABASE

command:

CREATE DATABASE mydb ENCRYPT;

The default encryption is AES 256, but users can select other algorithms and

key lengths if they so desire

CREATE DATABASE mydb

ENCRYPT CIPHER AES KEY LENGTH 128;

CREATE DATABASE mydb

ENCRYPT CIPHER 3DES KEY LENGTH 168;CREATE DATABASE mydb

ENCRYPT CIPHER AES KEY LENGTH 256

MASTER KEY LABEL mylabel;


35/84

2015 IBMCorporation

Encryption Options

The ENCRYPT keyword has three options CIPHER

This is the type of encryption to use AES (Advanced Encryption standard) or 3DES (Triple Data Encryption Standard) AES is the default if CIPHER is not specified

AES is implemented in some hardware so potentially more efficient to use KEY LENGTH

For AES encryption this can be 128, 192, or 256 bits Default length is 256 for AES, and it can only be 168 for 3DES

MASTER KEY LABEL

The name of the master key found within the keystore that will encrypt the databaseencryption key

A master key label is optional DB2 will generate a master key if one is not supplied on the CREATEDATABASE

command The name of the generated master key is:

DB2_SYSGEN___


36/84

2015 IBMCorporation

Determine Current Database Encryption Settings

The SYSPROC.ADMIN_GET_ENCRYPTION_INFOtable function can be used todetermine the encryption settings for a database

Column Contents

ALGORITHM Encryption algorithm used

ALGORITHM_MODE Encryption algorithm mode used

KEY_LENGTH Encryption key length

MASTER_LEY_LABEL Master key label associated with the master key used

KEYSTORE_NAME Absolute path of the keystore file location

KEYSTORE_TYPE Type of keystore

KEYSTORE_HOST Host name of the server where the keystore file is located

KEYSTORE_IP IP address of the server where the keystore file is located

KEYSTORE_IP_TYPE Type of the IP address of the keystore (IPV4 or IPV6)

PREVIOUS_MASTER_KEY_LABEL Master key label before the last master key rotation took place - If a master key rotation has not occurred,this value is the master key label

ROTATION_TIME Timestamp when the last master key rotation took place

AUTH_ID Authorization ID that was used during the last master key rotation


37/84

2015 IBMCorporation

Key Rotation

The process of changing encryption keys for compliance purposes It requires decrypting any key encrypted with the old key and then re- encrypting it with

the new key The data does not get re-encrypted!

The key rotation frequency depends on the compliance driver This generally ranges from once every 3 months to once per year

The key rotation requirement can be thought of as analogous to the

requirement to change passwords every 90 days

DB2 Key


Key Label Master Key

The current Master Key is used toto decrypt the DB2 encryption key


Key Label Master Key

Now a new Master Key is used to encrypt

the DB2 encryption key

DB2 Key


38/84

2015 IBMCorporation

Key Rotation Procedure

The SYSPROC.ADMIN_ROTATE_MASTER_KEYprocedure can be used tochange the database key to comply with key rotation requirement

You must be connected to the database to run this command

CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('newMasterKeyLabel')

The SYSPROC.ADMIN_ROTATE_MASTER_KEYprocedure re-encrypts thedatabase key with the new master key

DB2 will automatically generate the new master key unless you override it

with a key label

Key rotation is logged in the db2diag.log file:

grep A 3 "Key Rotation" ~/sqllib/db2dump/db2diag.log

Key Rotation successful using label:

DATA #2 : String, 46 bytes

DB2_SYSGEN_db2inst1_SECRET_2015-02-09-05.03.12


39/84

2015 IBMCorporation

March 26, 2015

PART TWO

Backup and Restore Using Encryption

B k E ti S tti


40/84

2015 IBMCorporation

Backup Encryption Settings

Two database parameters can be used to automatically control theencryption of backups

ENCRLIB Which encryption library to use ENCROPTS What options to pass to the encryption routine

ENCRLIB is set to one of the following values (full path required)

ENCROPTS is a string with the following optional values Each option is separated by a colon (:) in the string (Cipher=AES:Length=256)

Operating System Compression Encryption Both

Windows db2compr.dll db2encr.dll db2compr_encr.dll

Linux libdb2compr.so libdb2encr.so libdb2compr_encr.so

AIX libdb2compr.a libdb2encr.a libdb2compr_encr.a

Option Purpose Values

Cipher Type of encryption algorithm to use AES, 3DES

Length Length of the encryption key AES: 128, 192, 256 3DES: 168

Master Key Label Optional name of the Master Key Label used to encrypt the database key String

B k E ti S tti f E t d D t b


41/84

2015 IBMCorporation

Backup Encryption Settings for Encrypted Databases

ENCRLIB and ENCOPTS are automatically set when a new database iscreated with encryption

Both values are set according to the ENCRYPToptions that were used at databasecreation time

Any database backup will be encrypted automatically with these setting No requirement for additional encryption keywords on the BACKUPcommand Only a SECADMcan override the database encryption parameters

Overriding the backup encryption level requires that SECADM update the

ENCROPTS settings A database backup can have a different level of encryption than the

database itself The ENCROPTScan also be set manually on the BACKUPcommand but that would

require that the database ENCROPTSparameter be set toNULL

Supplying no ENCROPTSon the BACKUPwould result in default encryption settings(AES 256) Setting ENCRLIBtoNULLand ENCROPTStoNULLwill allow the DBA to backup the

database with NO ENCRYPTION

Back p Encr ption Settings for Normal Databases


42/84

2015 IBMCorporation

Backup Encryption Settings for Normal Databases

ENCRLIB and ENCROPTS can be set to for databases that have noencryption settings

Set the values according to the ENCRLIBand ENCROPTSoptions that you want for thedatabase

Once these parameters are set by the SECADM, they "lock in" the encryption of thebackup

The backup options cannot be overridden on the BACKUP command unlessENCROPTSis null (for encryption options) or ENCRYPTis null for no encryption

Setting ENCRLIB/ENCROPTS at the database level ensures that backups willalways be encrypted DBAs can run the BACKUP command with no additional options required

for encryption

Example:BACKUP DATABASE SECRET TO /HOME/DB2INST1/DB2

ENCRYPT ENCRLIB 'libdb2encr.so'

ENCROPTS 'Cipher=AES:Key Length=256'

Backup Encryption Summary


43/84

2015 IBMCorporation

Backup Encryption Summary

The following chart summarizes the combination of settings of ENCRLIBand ENCROPTS that result in encrypted backups

If ENCRLIBis set, backups will always be encrypted DBAs can only override the level of backup encryption if ENCROPTSis

set toNULL A backup will be decrypted when ENCRLIBand ENCROPTSareNULL

Restoring Encrypted Backup to an Existing Database


44/84

2015 IBMCorporation

Restoring Encrypted Backup to an Existing Database

Restoring a backup by replacing an existing database requires no specialparameters

Keystore must contain the master key label that was used to generate this backupcopy

Standard databases with an encrypted backup would restore back to an unencryptedcopy

RESTORE DATABASE SECRET FROM /home/db2inst1/db2

RESTORE will use the existing database encryption settings to encrypt the

data being restored The encryption settings can not be changed when restoring into an existing database

Restoring Encrypted Backup to an New Database


45/84

2015 IBMCorporation

Restoring Encrypted Backup to an New Database

Restoring a backup to a new copy of the database requires that theENCRYPT parameter be added to the command

DB2 needs to create the database before restoring the encrypted copy, and without theENCRYPTkeyword, the database would not be secure

Parameters for the ENCRYPTkeyword are identical to creating anencrypted database

RESTORE DATABASE SECRET FROM /home/db2inst1/db2

ENCRYPT

CIPHER AES

KEY LENGTH 128

MASTER KEY LABEL secret.key

Encryption settings can be different from the backup copy settings The parameters used with the ENCRYPToption can specify a different cipher, key

length, or master key label If you need to duplicate the exact encryption settings, use the show master key

detailsoption of the RESTOREcommand

Determining the Backup Encryption Settings


46/84

2015 IBMCorporation

Determining the Backup Encryption Settings

When restoring a backup as a new database, the database will need to becreated with encryption enabled

You can chose to change the cipher, key length, and master key label settings There is an option to query the encryption settings of the backup image

The RESTORE command can extract the backup encryption settings The RESTOREcommand with the showmasterkeydetailsoption will prompt the

user if they want to overwrite an existing copy of the database Accepting the overwrite will NOToverwrite the databaseRESTORE DATABASE SECRET FROM /home/db2inst1/db2

ENCROPTS 'show master key details'

Encryption information from the backup will be placed into the db2dumpdirectory

File with the following name will be generated .#....masterkeydetails You can then use ENCROPTS 'Master Key Label=xxx'option on the RESTORE

command to decrypt the backup with the proper master key

Backup/Restore Encrypted Database Examples


47/84

2015 IBMCorporation

Backup/Restore Encrypted Database Examples

Create, Backup, and Restore an Encrypted Database

CREATE DATABASE SECRET ENCRYPTBACKUP DATABASE SECRET ON /db2RESTORE DATABASE SECRET FROM /db2

Restore to a new copy of the Encrypted Database

RESTORE DATABASE SECRET FROM /db2 ENCRYPT

Restore to a new copy of the Encrypted Database with different encryption options

RESTORE DATABASE SECRET FROM /db2 ENCRYPT CIPHER AES KEY LENGTH 192

Restore to a new copy of the Encrypted Database with no encryption

RESTORE DATABASE SECRET FROM /db2 NO ENCRYPT

Extract the Master Key Label information from the backup image

RESTORE DATABASE SECRET FROM /db2 ENCRYPTENCROPTS 'show master key details'

Backup Encrypted Database with different ENCROPTS settings

UPDATE DATABASE CONFIG USING ENCROPTS NULL IMMEDIATEBACKUP DATABASE SECRET ON /db2 ENCROPTS 'Ciper=AES:Key Length=128'

Backup Encrypted Database with no encryption at all

UPDATE DATABASE CONFIG USING ENCRLIB NULL ENCROPTS NULL IMMEDIATEBACKUP DATABASE SECRET ON /db2

Backup/Restore Regular Database Examples


48/84

2015 IBMCorporation

Backup/Restore Regular Database Examples

Create, Backup, and Restore a Regular Database

CREATE DATABASE NOSECRETBACKUP DATABASE NOSECRET TO /db2RESTORE DATABASE NOSECRET FROM /db2

Restore to a new copy of the database and have it encrypted using the defaults

RESTORE DATABASE NOSECRET FROM /db2 ENCRYPT

Restore to a new copy of the Encrypted Database with different encryption options

RESTORE DATABASE NOSECRET FROM /db2 ENCRYPT CIPHER AES KEY LENGTH 192

Backup a regular database using Encryption

BACKUP DATABASE NOSECRET TO /db2 ENCRYPT

ENCRLIB 'libdb2encr.so'ENCROPTS 'Cipher=AES:Key length=128:Master Key Label=secret.key'

Restore the Encrypted backup to a regular database

RESTORE DATABASE NOSECRET FROM /db2

Backup regular database using ENCRLIB and ENCROPTS settings

UPDATE DATABASE CONFIG USING ENCRLIB '/home/db2inst1/sqllib/lib/libdb2encr.so'

ENCROPTS 'Cipher=AES:Key length=128:Master Key Label=secret.key'BACKUP DATABASE NOSECRET TO /db2

Restoring an Encrypted Backup to a Different Server


49/84

2015 IBMCorporation

Restoring an Encrypted Backup to a Different Server

Create the database and do a backupCREATE DATABASE SECRET ENCRYPT

BACKUP DATABASE SECRET TO /primary

Extract the Master Key Label for the keystore

gsk8capicmd cert export db ~/db2/primary.p12 stashed -label secret.key target secret.p12

-target_type pkcs12 target_pw Str0ngPassw0rd

Copy the master key to the backup site and add the key to the backup site

keystore gsk8capicmd cert import db secret.p12 pw Str0ngPassw0rd

stashed -label secret.key

-target ~/db2/backup.p12

-target_type pkcs12

Restore the databaseRESTORE DATABASE SECRET FROM /backup


50/84

2015 IBMCorporation

March 26, 2015

PART TWO

Utilities, Diagnostics andSpecial Considerations

Migration of Existing Data


51/84

2015 IBMCorporation

Migration of Existing Data

Take a standard non encrypted backup of the database

Restore the backup into a new database using the newly added ENCRYPTclause to enable the desired encryption settings

Backup Restore

RESTORE DATABASE SECRET FROM /home/db2inst1ENCRYPT

CIPHER AES

KEY LENGTH 192

MASTER KEY LABEL secret.key

HADR Considerations


52/84

2015 IBMCorporation

Normally both primary and secondary databases are encrypted Possible to only have the primary or secondary encrypted On HADR startup, an admin warning message will be produced

Secondary site will be set up as new a database Specify encryption options as part of the RESTORE command Keystore needs to be available locally

Create keystore and master key label at primary and secondary site (The Master Key Label must be the same)

gsk8capicmd keydb create db ~/db2/db2keys.p12 type pkcs12 pw Str0ngPassw0rd strong stash

head c 32 /dev/random > ~/db2/secretkey.p12

gsk8capicm secretkey add db ~/db2/db2keys.p12 stashed label secret.key file ~/db2/secretkey.p12 Move keystore to secondary site, or export master key and import into secondary site

Update local and backup instance with the location and type of keystore

UPDATE DBM CONFIG USING

KEYSTORE_NAME /home/db2inst1/db2/db2keys.p12 KEYSTORE_TYPE PKCS12

Create the primary database using the master key label, setup HADR, and then backup the database

CREATE DATABASE SECERT ENCRYPT MASTER KEY LABEL secret.key Setup of HADR primary BACKUP DATABASE SECRET TO ~/db2

Restore to a new copy of the Encrypted Database at the secondary site

RESTORE DATABASE SECRET FROM /db2 ENCRYPT CIPHER MASTER KEY LABEL secret.key Setup of HADR standby

Tooling Changes


53/84

2015 IBMCorporation

g g

Tools with encryption support db2cklog db2flsn db2LogsForRfwd db2ckbkp db2adutl db2dart

These tools will use the keystore specified in the DBM CFGKEYSTORE_LOCATION parameter

Additional arguments used to connect to the keystore if the password isnot stashed-kspassword password

-kspassarg fd:file_descriptor

filename:file_name

-ksprompt

Database Encryption Scenario


54/84

2015 IBMCorporation

yp

Database Encryption Implementation Configure the keystore for the instance (one-time set-up) Specify encryption when creating a database Specify encryption when taking a backup (default for encrypted databases) Specify encryption when restoring a backup

Database Encryption Operational Management Regular backup and safe storage of the keystore Rotate the database master key as dictated by the compliance requirements If password protection of the keystore was selected, manage the password carefully

including changes as dictated by the compliance requirements

The customer is responsible for backingup the keystore!


55/84

2015 IBMCorporation

March 26, 2015

PART THREE

Deep Dive

GSKit Global Security Kit


56/84

2015 IBMCorporation

56 March 26, 2015

GSKit Global Security Kit

Encryption library provided to all IBM products from a team in Tivoli

Shared libraries and executables shipped with DB2 Currently used for existing encryption and SSL support Upgraded to new version 8.0.50.31

Use gsk8ver_64 to get version New version has support for secret keys required by this solution

Consult docs on how to set $PATHand $LD_LIBRARY_PATH For this solution, we are interested in the command line tool gsk8capicmd_64

to manage keystores

While not specific to this solution, the requirement of a new versionmight increase problems with interoperability with other products. Most likely manifest itself as a db2diag.log entry about missing functions, or

inability to load a GSKit library

PKCS12 Keystore


57/84

2015 IBMCorporation

57 March 26, 2015

PKCS12 Keystore

DB2 stores Master Keys outside of the database/instance

Stored in a PKCS12 keystore file on disk (.p12)

PKCS12 Public Key Crypto-system #12 RSA standards for public key cryptography

Keystore is always encrypted and the key is derived from a password

Contains both public and private (secret) keys referenced by a label Public keys SSL Secret Keys Native encryption

PKCS12 Keystore Stash File


58/84

2015 IBMCorporation

58 March 26, 2015

PKCS12 Keystore Stash File

A stash file contains an obfuscated version of the password It's NOT encrypted, it's similar to plaintext

Allows instance owner to access the keystore without providing thepassword

Permissions same as keystore, only accessible by the instance owner

Allows automated db2start, such as after a crash, to proceed without auser manually entering a password

Should provide sufficient security for majority of customers

Not mandatory, for those that feel it's inadequate, can manually enterpassword on db2start. Easy to recreate if you remember the password

PKCS12 Keystore Backing up the keystore


59/84

2015 IBMCorporation

59 March 26, 2015

PKCS12 Keystore Backing up the keystore

The customer is responsible for backing up the keystore and stash file

Failure to backup keystore can result in the inability to access allencrypted data, including logs and backups

Keystore must be backed up whenever a new key is added.

There is no backdoor for IBM to access data.

When DB2 inserts a new Master Key into the keystore, it logs an adminmessage to remind customer to backup

2015-01-12-12.03.57.408278 Instance:gstager Node:000

PID:20764(db2agent (instance)) TID:3443517760 Appid:*LOCAL.gstager.150112170356

bsu security sqlexInsertNewMasterKeyLabel Probe:519 Database:ADM8014W Backup the keystore.

PKCS12 Keystore- DBM CFG / Creation


60/84

2015 IBMCorporation

60 March 26, 2015

PKCS12 Keystore DBM CFG / Creation

Two new parameters tell DB2 about the keystore

KEYSTORE_TYPE PKCS12 KEYSTORE_LOCATION fully qualified path of the keystore

Creates the keystore.p12 file, along with keystore.sth stash file

gsk8capicmd_64 -fips true -keydb -create -db keystore.p12 -pw

Str0ngPassw0rd -strong -type pkcs12 -stash;

File permissions of keystore

When created, only the creator will have read/write permission

Instance owner should be the one to create it File permissions should never be changed


61/84

PKCS12 Keystore Manually creating a key


62/84

2015 IBMCorporation

62 March 26, 2015

PKCS12 Keystore Manually creating a key

Customer is responsible for secure random number generation

Example: head -c 32 /dev/random > mysecretfile

Must be exactly 128, 192 or 256 bits (16,24, or 32 bytes)

This is the level of AES encryption used to encrypt the DEK

gsk8capicmd secretkey add db ccardskeystore.p12

stashed label mylabel.mydb.myinstance.myserver

file mysecretkeyfile;

Common Label Problems


63/84

2015 IBMCorporation

63 March 26, 2015

Common Label Problems

Only specify a label when that label already exists in the keystore

For example, you can specify a master key label onADMIN_ROTATE_MASTER_KEY, but it must already exist in the keystoreor else and error SQL1729N will occur.

General rule is to never delete labels from a keystore Are you sure you don't need access to that 5 your old backup encrypted with

this label?

Key rotation does not guarantee current label has stopped being used. Mainexample is log file, only new log files will use new label.

For missing label, why do you expect the label to be available? Was the backup copied from another system, HADR Use the following to list labels in the keystore:

gsk8capicmd_64 -cert -list all -db keystore.p12 -stashed

Common label problems


64/84

2015 IBMCorporation

64 March 26, 2015

p

Don't create the same label multiple times, or re-create a label with a namealready used

Ex. Create A, delete A, then re-create A

Ex. Create label A in keystore 1, create label A in keystore 2, then backupdatabase using keystore 1, and restore using keystore 2

They might have the same label, but will have a different key. DB2 candetect this:

FUNCTION: DB2 UDB, bsu security, sqlexDecryptDEK, probe:0

MESSAGE : ZRC=0x805C08F4=SQLEX_MASTER_KEY_FOR_LABEL_CHANGED "The key for the master key label has changed."

checksum: 3026379365

version: 1

masterKeyLabel: mylabel.mydb.myinstance.myserver

masterKeyLength: 32

Most keystore problems reported as SQL1728N Bad values for KEYSTORE_LOCATION Bad file permissions Password required to open keystore

Accessing Keystore without a stash file


65/84

2015 IBMCorporation

65 March 26, 2015

g y

When a stash file is not used, a password must be provided to db2start toopen the keystore

db2start open keystore using

Can be done after DB2 has started, it will just update the password

Similarly if the password changes, just re-issue db2start

Sent to each member that is started during db2start

Example: db2start db2 connect to mydb

Fails with SQL1728 RC 3 password is missing db2start open keystore using thepassword (note no db2stop) db2 connect to mydb succeeds

Note the error is only when we access the encrypted database

Db2start keystore password recovering from


66/84

2015 IBMCorporation

66 March 26, 2015

y p g

crashes For DPF and SD, DB2 makes a best effort to maintain the keystore password in

memory. If at least one member is active that knows the password, the system cancontinue running, as members will ask each other for the password (RPC). If allmembers that knew the password crash, a manual db2start will need to be issued toprovide the password

Restart automation like TSA does not have the password

Several options are provided to ensure password is not seen during psoutput, history etc.

db2start open keystore will prompt for password, in the same way CLP would promptfor password during connect

Interactive use

db2start open keystore PASSARG Passarg = fd:where password has been written to open pipe Passarg = filename:where the first line of the file contains the

password

Used for scripts/executables where prompting is cumbersome

Backup and Restore - errors


67/84

2015 IBMCorporation

67 March 26, 2015

$ db2 "backup db testdb compress comprlib 'libdb2encr.so' compropts 'Master KeyLabel=no_such_label'" ; SQL2062N An error occurred while accessingmedia "libdb2encr.so". Reason code: "1".

$ db2 "backup db testdb compress comprlib 'libdb2encr.so' compropts 'Cipher=AES:KeyLength=257:Master Key Label=label_mihai'" ;SQL2062N An error occurred while accessing media "libdb2encr.so". Reason code:"1".

2015-01-09-15.56.29.008456 Instance:miacob Node:000

PID:6131(db2bm.41.0 (TESTDB)) TID:3330271552 Appid:*LOCAL.miacob.150109205625

bsu security InitEncryption Probe:911 Database:TESTDB

ADM8013E The command or operation failed due to an error in the encryption or

compression library.

2015-01-09-15.59.59.878013 Instance:miacob Node:000

PID:6131(db2bm.152.0 (TESTDB)) TID:3300911424 Appid:*LOCAL.miacob.150109205957

bsu security InitEncryption Probe:911 Database:TESTDB

ADM8013E The command or operation failed due to an error in the encryption or

compression library.

Backup and Restore


68/84

2015 IBMCorporation

68 March 26, 2015

2015-01-09-15.56.28.959004-300 I55540E2155 LEVEL: ErrorPID : 6131 TID : 46912963078464 PROC : db2syscINSTANCE: miacob NODE : 000 DB : TESTDBAPPHDL : 0-23 APPID: *LOCAL.miacob.150109205625AUTHID : MIACOB HOSTNAME: hotel51EDUID : 125 EDUNAME: db2bm.41.0 (TESTDB)FUNCTION: DB2 Common, Cryptography, cryptP12KSGetSecretKey, probe:479

MESSAGE : ECF=0x90000644=-1879046588=ECF_CRYPT_KEYSTORE_LABEL_NOT_FOUND The requested label does not exist

DATA #1 : unsigned integer, 4 bytes117DATA #2 : String, 13 bytesno_such_label

CALLSTCK: (Static functions may not be resolved correctly, as they are resolved to the nearest symbol) [0] 0x00002AAAB6215CAB /home/miacob/sqllib/lib64/libdb2osse.so.1 + 0x221CAB [1] 0x00002AAAB6215AE3 ossLog + 0xA3 [2] 0x00002AAAAF64328E cryptLogKMErrorString + 0x3E [3] 0x00002AAAAF643BDB _Z22cryptP12KSGetSecretKeyP26cryptPKCS12KeyStoreContextPKcPPhPjbb + 0x13B [4] 0x00002AAAB0248566 _Z26sqlexGetMasterKeyFromLabelPKctPtPhS1_bbP5sqlca + 0x1B6 [5] 0x00002AAAB025E11E _Z31sqlexFillOutDEKStorageForBackupttjmP15sqlexDEKStorageP20cryptBlockCipherInfoP5sqlca + 0x29E [6] 0x00002AAAB026693E _Z14InitEncryptionPK13COMPR_DB2INFOP12COMPR_PIINFOPP8COMPR_CB + 0x53E [7] 0x00002AAAB951000DInitCompression+ 0x5D [8] 0x00002AAAB03C49EF _Z22InitCompressionWrapperPv + 0x2F [9] 0x00002AAAB0D681C3 sqloInvokeInterruptibleFunction + 0x123 [10] 0x00002AAAB03C4AE2 _Z19InitCompressionCallPFiPK13COMPR_DB2INFOP12COMPR_PIINFOPP8COMPR_CBES1_S3_S6_ + 0x62 [11] 0x00002AAAB03ABB49 _Z24sqluBMInitComprFrameworkP14SQLU_BUFMAN_CB + 0x2C9 [12] 0x00002AAAB03A9A4E _Z10sqluBMInitP14SQLU_BUFMAN_CBP12SQLU_BAGT_CB + 0x19E

Backup and Restore


69/84

2015 IBMCorporation

69 March 26, 2015

2015-01-09-15.59.59.865699-300 I84795E1813 LEVEL: ErrorPID : 6131 TID : 46912933718336 PROC : db2syscINSTANCE: miacob NODE : 000 DB : TESTDBAPPHDL : 0-26 APPID: *LOCAL.miacob.150109205957AUTHID : MIACOB HOSTNAME: hotel51EDUID : 178 EDUNAME: db2bm.152.0 (TESTDB)FUNCTION: DB2 UDB, bsu security, sqlexParseENCROPTSforBackup, probe:360

MESSAGE : ZRC=0x805C08F0=-2141452048=SQLEX_MASTERKEY_BAD_LENGTH "The command or operation failed because the master key does not match a supported key length."

DATA #1 : String, 29 bytesUnsupported option:Key Length

CALLSTCK: (Static functions may not be resolved correctly, as they are resolved to the nearest symbol) [0] 0x00002AAAB0265DEE _Z27sqlexParseENCROPTSforBackupijPcPtS0_PjS1_PP16MASTER_KEY_LABELP5sqlca + 0x73E [1] 0x00002AAAB02669AA _Z14InitEncryptionPK13COMPR_DB2INFOP12COMPR_PIINFOPP8COMPR_CB + 0x5AA

[2] 0x00002AAAB951000D InitCompression+ 0x5D [3] 0x00002AAAB03C49EF _Z22InitCompressionWrapperPv + 0x2F [4] 0x00002AAAB0D681C3 sqloInvokeInterruptibleFunction + 0x123 [5] 0x00002AAAB03C4AE2 _Z19InitCompressionCallPFiPK13COMPR_DB2INFOP12COMPR_PIINFOPP8COMPR_CBES1_S3_S6_ + 0x62 [6] 0x00002AAAB03ABB49 _Z24sqluBMInitComprFrameworkP14SQLU_BUFMAN_CB + 0x2C9 [7] 0x00002AAAB03A9A4E _Z10sqluBMInitP14SQLU_BUFMAN_CBP12SQLU_BAGT_CB + 0x19E [8] 0x00002AAAB03ACA91 _Z8sqlubbufP8sqeAgent + 0x351 [9] 0x00002AAAB0104AE8 _Z26sqleSubCoordProcessRequestP8sqeAgent + 0xE8 [10] 0x00002AAAADDC1464 _ZN8sqeAgent6RunEDUEv + 0xA44

[11] 0x00002AAAAF575067 _ZN9sqzEDUObj9EDUDriverEv + 0xF7 [12] 0x00002AAAAED61983 sqloEDUEntry + 0x303

Backup and Restore


70/84

2015 IBMCorporation

70 March 26, 2015

db2 "restore db testdb encrlib 'libdb2encr.so' encropts 'show masterkey details'"

SQL2539W The specified name of the backup image to restore is thesame as the name of the target database. Restoring to an existingdatabase that is the same as the backup image database will causethe current database to be overwritten by the backup version. Do youwant to continue ? (y/n) y

DB20000I The RESTORE DATABASE command completedsuccessfully.

(Does not perform a restore)

Backup and Restore


71/84

2015 IBMCorporation

71 March 26, 2015

/home/miacob/sqllib/db2dump:$ catTESTDB.0.miacob.DBPART000.20150109155924.masterKeyDetails

KeyStore Type: PKCS12 KeyStore Location: /home/miacob/sqllib/keystore.p12

KeyStore Host Name: hotel51.torolab.ibm.com

KeyStore IP Address: 9.26.120.67

KeyStore IP Address Type: IPV4

Encryption Algorithm: AES Encryption Algorithm Mode: CBC

Encryption Key Length: 192

Master Key Label: label_mihai

Backup and Restore


72/84

2015 IBMCorporation

72 March 26, 2015

db2 "restore db testdb encrlib 'libdb2encr.so' encropts 'master keylabel=label_mihai' encrypt master key labellabel_jack"

Note that at restore time we will try the labels used to encrypt thebackup image one by one if a label is not specified via 'encropts'.

Backup and Restore: sharing encrypted backups


73/84

2015 IBMCorporation

73 March 26, 2015

Scenario: take an encrypted backup on system A and restore it onsystem B (without sharing the master key label used to encrypt thesource database on system A)

Create a new master key label to be used for the backup:label4systemb

Extract the key from the keystore on system A, securely copyitto system B, import it into the keystore on system B.

Take the encrypted backup and specify 'master keylabel=label4systemb'via encropts

Copy the encrypted backup to system B Restore the encrypted backup on system B

Backup and Restore: sharing encrypted backups


74/84

2015 IBMCorporation

74 March 26, 2015

Common problem:the master key label used to encrypt the backup is notavailable in the keystore on the target system B.

How to diagnose: Look at the db2diag.log for the real error

(SQLEX_KEYSTORE_LABEL_DOES_NOT_EXIST) Use 'show master key details' via encropts on the restore command to

generate the .masterKeyDetails file in db2dump and find out the

master key label used to encrypt the backup and the location of thekeystore on the source system. Extract this key from the source system keystore, securely copy it to the

target system, import it into the keystore, re-run the restore.

Restore 'no encrypt' clause


75/84

2015 IBMCorporation

75 March 26, 2015

To ensure backup images containing encrypted databases are notinadvertently restored without encryption, this clause was introduced.

This is applicable to any database level images, not for tablespace (uses

existing db's setting) or snapshot restore (uses setting in image). Examples:

BAD -Note:sample does not exist prior to the restore (e.g. moving to new system)

db2 restore db sample taken at 20150110121447

SQL1743N The RESTORE command failed because the database in the backup image

is encrypted but the existing database on disk is not encrypted.

Note: Folks found the above wording confusing, changing to 'source db at the time of backup was

encrypted but the target database is not encrypted' in later FP.

GOOD -

db2 restore db sample taken at 20150110121447 no encrypt

DB20000I The RESTORE DATABASE command completed successfully.

Setting up HADR and encryption


76/84

2015 IBMCorporation

76 March 26, 2015

The primary hadr database may or may not be setup with database encryption and thestandby database can utilize different encryption settings. Note that when one is notencrypted an admin message will be produced to warn as such. o setup a standbydatabase, generally, you will be restoring into a new database, implying you need to

specify the desired encryption options at restore time, if this is not done, no encryptionwill be used on the standby database.

Recommend procedure for setting up HADR system:

PRIMARY:

- db2 update dbm cfg using keystore_name

- db2 create db sample encrypt ... master key label

- ... setup for hadr primary ...

- db2 backup db sample

STANDBY:

- db2 update dbm cfg using keystore_name

- db2 restore db sample encrypt ... master key label

- ... setup for standby primary

Key Rotation and HADR


77/84

2015 IBMCorporation

77 March 26, 2015

In this procedure it is important to first add the new master label in the standby's keystore and then proceed to add the new master label in the primary's key store, and onlythen carry out the key rotation operation. This ensures there is no scenario in which anarchived log with the new master key label is required on the standby prior to the

standby's key store having an entry for this new label.

STANDBY:

- Add new master key label to the key store on the standby database.

PRIMARY:

- Add new master key label to the key store on the primary database.

- CALL SYSPROC.ROTATE_MASTER_KEY('');

How can the keystores at the primary and standby be kept in sync: Automatically: Set up some file level synchronization mechanism such as

rsync or similar / or physically share the key. Manually: Add keys to both (just to standby first).

HADR Key Rotation Error Diagnostics


78/84

2015 IBMCorporation

78 March 26, 2015

Key Rotation on Standby happens asynchronously, but driven by key rotationon primary system.

If the key rotation on standby has failed, an ADM message is logged:

2015-01-12-15.55.23.398487 Instance:geoffrey Node:000

PID:17361(db2hadrs.0.0 (HADRDB)) TID:1065347392 Appid:none

High Availability Disaster Recovery hdrEdu::hdrEduS Probe:21719 Database:HADRDB

ADM12517E A master key rotation to label

"DB2_SYSGEN_geoffrey_HADRDB_2015-01-12-15.54.26" failed on the HADR standby

with zrc "-2141452059". The standby system disconnects to retry key rotation.

Extra diagnostics from db2diag.log messages to see cause of key rotationfailure. Most common is master key label not present in standby keystore.

HADR Monitoring flags


79/84

2015 IBMCorporation

79 March 26, 2015

Can check monitoring flags from either primary or standby systems throughdb2pd -hadr option:

HADR_STATE = REMOTE_CATCHUP_PENDING

HADR_FLAGS = STANDBY_RECV_BLOCKED STANDBY_KEY_ROTATION_ERROR

STANDBY_KEY_ROTATION_ERROR flag indicates that there has been ankey rotation error on the standby system and receiving of new HADR

messages has been blocked.

If problem is resolved within timeout period (30 mins), the systems will re-connect and HADR continues. Otherwise, HADR will shut down and usershave to restart HADR after issue is resolved.

HADR Common Errors


80/84

2015 IBMCorporation

80 March 26, 2015

Customer creates primary DB using automatically generated master keylabel.

Determine label using (db2pd -encr / table function, covered in later section) Extract from primary system's keystore. Import into standby system's keystore. Use this label when restoring backup to create standby database

Customer creates standby DB usingautomatically generated master keylabel

The standby will immediately drive key rotation as it detects primary is using adifferent label.

This will fail as the label does not exist on the standby site (hadr will retry

several times but after bring down the system). Add label and restart.

Tooling Changes (See SES for Details)


81/84

2015 IBMCorporation

81 March 26, 2015

Tools with encryption support db2pdlog db2fmtlog db2cklog

db2flsn db2LogsForRfwd db2UncompressLog db2ckbkp db2adutl

db2dart

Tools with encryption support


82/84

2015 IBMCorporation

82 March 26, 2015

The following new options are added to specify the keystore password(exact syntax may vary in different tools):

Keystore Password

|-+- -kspassword ---------+------ password ------+-------------------|

+- -kspassarg ----------+- fd:file_descriptor -+ + '- filename:file_name -+

+- -ksprompt-----------------------------------'

Only need to specify these options if the keystore password is notstashed.

These tools will use the keystore specified in the DBM CFGKEYSTORE_LOCATIONparameter. There's no way to specifyanother keystore file through the tools.

Run-time PD functions


83/84

2015 IBMCorporation

83 March 26, 2015

DB CFG Encrypted database to see if db is encrypted

ADMIN_GET_ENCRYPT_INFO()table function

New db2pd option -encryptioninfo (-enc)

db2pd -db dynam -encryptioninfo

Database Member 0 -- Database DYNAM -- Active -- Up 0 days 00:00:16 -- Date 2015-01-09-14.24.13.275668

Encryption Info:

Object Name: DYNAM

Object Type: DATABASE

Encyrption Key Info:

Encryption Algorithm: AES

Encryption Algorithm Mode: CBC

Encryption Key Length: 256

Master Key Label: DB2_SYSGEN_geoffrey_DYNAM_2015-01-09-14.20.58

Master Key Rotation Timestamp: 2015-01-09-14.20.59.000000

Master Key Rotation Appl ID: *LOCAL.geoffrey.150109192055

Master Key Rotation Auth ID: GEOFFREY

Previous Master Key Label: DB2_SYSGEN_geoffrey_DYNAM_2015-01-09-14.20.58

KeyStore Info:

KeyStore Type: PKCS12

KeyStore Location: /home/geoffrey/sqllib/keystore.p12

KeyStore Host Name: hotel80.torolab.ibm.com

KeyStore IP Address: 9.26.120.37

KeyStore IP Address Type: IPV4


84/84

2015 IBMCorporation

84 March 26, 2015

THANK YOU

ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA

Documents

Transcript of ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA