ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
-
Upload
fallenlord -
Category
Documents
-
view
769 -
download
23
Transcript of ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
1/84
2015 IBMCorporation
Exploring IBM DB2Encryption Technology
Presenter: Marcin BasterDB2 LUW Advanced Support Analyst
IBM Analytic Platform Client Success and Smarter Support
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
2/84
2015 IBMCorporation
2
Disclaimer
The information contained in this presentation is provided for informational purposes only.
While efforts were made to verify the completeness and accuracy of the information contained in thispresentation, it is provided as is, without warranty of any kind, express or implied.
In addition, this information is based on IBMs current product plans and strategy, which are subject to
change by IBM without notice.
IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, thispresentation or any other documentation.
Nothing contained in this presentation is intended to, or shall have the effect of:
Creating any warranty or representation from IBM (or its affiliates or its or their suppliers and/orlicensors); or
Altering the terms and conditions of the applicable license agreement governing the use of IBMsoftware.
Performance is based on measurements and projections using standard IBM benchmarks in acontrolled environment. The actual throughput or performance that any user will experience will vary
depending upon many factors, including considerations such as the amount of multiprogramming in theuser's job stream, the I/O configuration, the storage configuration, and the workload processed.Therefore, no assurance can be given that an individual user will achieve results similar to those stated
here.
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
3/84
2015 IBMCorporation
March 26, 2015
PART ONE
Encryption highlights
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
4/84
2015 IBMCorporation
Agenda
IBM DB2 Encryption Offering Data encryption requirements Offering overview Functionality Highlights
Encryption overview Encryption keys, algorithms, and security strengths Encryption key managment
Key management GSKit Overview Keystore and key creation, deletion, reporting, exporting, and importing
Encrypting databases
Backup and restore
Utilities, diagnostics and other considerations
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
5/84
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
6/84
2015 IBMCorporation
Data Encryption Requirements
Meet compliance requirements Industry standards such as PCI DSS Regulations such as HIPAA Corporate standards
Protect against threats to online data Users accessing database data outside the scope of the DBMS
Protect against threats to offline data Theft or loss of physical media
Reduce the cost of security and compliance No third-party add-on tools required Easy to consume by DB2 bundlers such as ISVs
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
7/84
2015 IBMCorporation
IBM DB2 Encryption Offering
Simple to deploy in cloud, software, or appliance
Encrypts online data and backups
Transparent No application or schema changes
Built-in secure and transparent key management
Compliant, e.g. NIST SP 800-131 compliant cryptographic algorithms Uses FIPS 140-2 certified encryption
Runs wherever DB2 runs!
Exploits available HW acceleration (AES encryption only) Intel supported
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
8/84
2015 IBMCorporation
IBM DB2 Encryption Offering Licensing
License available for these editions:
DB2 Enterprise Server DB2 Workgroup Server DB2 Express Server
Included in these Editions
DB2 Advanced Enterprise Server DB2 Advanced Workgroup Server Express-C
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
9/84
2015 IBMCorporation
Create database Highlights
Encrypting a new database is as simple as using the new ENCRYPT option
CREATE DATABASE mydb ENCRYPT
Default is AES 256
Other Algorithms and key lengths are possible
CREATE DATABASE mydb ENCRYPT CIPHER AES KEY LENGTH 128
CREATE DATABASE mydb ENCRYPT CIPHER 3DES KEY LENGTH 168
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
10/84
2015 IBMCorporation
Backup highlights
Leverages existing interface for calling out to an external library
Same encryption algorithm choices as for database
Non-encrypted databases can also have backups encrypted
Automated backup encryption through use of new ENCRLIB/ENCROPTSdatabase configuration parameters
Use of encryption for backups enforced by SECADM Automation turned on by default when an encrypted database is created
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
11/84
2015 IBMCorporation
Key Management Highlights
Industry standard 2-tier model Actual data is encrypted with a Data Encryption Key (DEK) DEK is encrypted with a Master Key (MK)
DEK is managed within the database, MK is managed externally
MK is stored within a PKCS#12 compliant keystore
Encrypted keystore file containing master keys
Keystore backup is the responsibility of the customer
Support for master key rotation through new procedure
ADMIN_ROTATE_MASTER_KEY()
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
12/84
2015 IBMCorporation
Database Objects that are Encrypted
All user data in a database is encrypted All table spaces (system defined and user defined) All types of data in a table space (LOB, XML, etc. ) All transaction logs including logs in the archives
All LOAD COPY data All LOAD staging files All dump .bin files All backup images
Additional objects that are encrypted
Encryption keys in memory, except for the time they are actually used Keystore passwords when transparently communicated from one member/ partition to
another upon restart
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
13/84
2015 IBMCorporation
March 26, 2015
PART TWO
Encryption overview
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
14/84
2015 IBMCorporation
Encryption Key
The sequence that controls the operation of thecryptographic algorithm
The number of bits in a key is called key length
The length of the key reflects the difficulty to decrypt a plaintext encrypted
with that key
A 256 bit key has 2
256
distinct values in its key space
Encryption EncryptionPlaintext PlaintextCiphertext
Key Key
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
15/84
2015 IBMCorporation
Symmetric Encryption Algorithms
A cryptographic algorithm that uses the same key for both encryption anddecryption
AES and 3DES are the most famous symmetricencryption algorithms
Encryption
Original MessageEncrypted Message
Secret Key
Decryption
Encrypted Message Original MessageSecret Key
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
16/84
2015 IBMCorporation
Asymmetric Encryption Algorithms
A cryptographic algorithm that uses one key for encryption and another keyfor decryption
The encryption key is called a public key The decryption key is called a privatekey
The public key and private key are different butmathematically related
It is not feasible to derive the private key from the public key in anyreasonable time
RSA, ECC, and Diffie-Hellman are the most famous examples
Encryption EncryptionPlaintext PlaintextCiphertext
Public Key Private Key
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
17/84
2015 IBMCorporation
Approximate Equivalence in Security Strength
Symmetric Key
Length (AES)
Asymmetric Key
Length (RSA)
Asymmetric Key
Length (ECC)
- 1024 160
- 2048 224
128 3072 256
192 7680 384
256 15360 512
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
18/84
2015 IBMCorporation
Encryption Key Wrapping
The process of encrypting one key with another key
The key encrypting key is typically referred to as a master key
The master key is typically stored separately from the data system
The top drivers for this 2- tier encryption approach are:
Security: Compromise of the data system does not mean compromise of the data asthe master key is stored outside the data system
Performance: Complying with key rotation requirements does notmean re-encryptingthe actual data; only the data encryption key is re-encrypted with a new master key
DB2 Implements the industry standard 2-tier model Actual data is encrypted with a Data Encryption Key (DEK) DEK is encrypted with a Master Key (MK)
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
19/84
2015 IBMCorporation
Encryption Key Management
Refers to the secure management of keys during their lifecycle Creation, distribution, expiration, deletion, backup, restore, etc. Protection of encryption keys including access control and encryption
Public Key Cryptography Standard (PKCS) #12: A password-protected keystore with a format for storing encryption keys Local keystore file Stores master keys Might recognize this as keystore for SSL certificates
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
20/84
2015 IBMCorporation
PassW0rd
Master Key and Data Key Relationships
A Keystore is created locally and has a strong password associated with it:
Keystore
Master Keys with Labels are created in order to encrypt database keys:
The keystore must be available to the DB2instance in order to get the Master Keysrequired for encryption and decryption.
SECRET.DB2INST1.2015.02.01
Key Label Key
Keystore
DB2 can generate Master Keys andLabels automatically for the user.
Creating your own labels will requirethat you generate an encryption key.
Database Keys are generated internally by DB2 and are used to encrypt the database:
DB2 Key SECRET.DB2INST1.2015.02.01
Key Label Key
The DB2 encryption key is itselfencrypted within the database imageby using the Master Key found within
the keystore.
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
21/84
2015 IBMCorporation
March 26, 2015
PART TWO
Master Key Management
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
22/84
2015 IBMCorporation
IBM Global Security Kit
DB2 Encryption uses the IBM Global Security Kit (GSKit) forkey management and encryption
This component is installed as part of DB2 Located in the /sqllib/gskit directory
GSKit libraries are used to create, store, and manage the keys required for encryptingdatabases FIPS 140-2 certified encryption library gsk8capicmd_64 is command line tool to manage the keystore
Three GSKit command options are used for manipulating keys keydb
Used to create a keystore for use by DB2
secretkey Use for add master key labels to a keystore
cert Used for listing, deleting, importing, and exporting master key labels
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
23/84
2015 IBMCorporation
Creating a Keystore (keydb)
A keystore must be created and registered before using encryption A keystore must be created using the gsk8capicmdcommand gsk8capicmd_64 keydb create[-drop] db pw strong type stash
Parameters
Example gsk8capicmd_64 -keydb create -db ~/db2/db2keys.p12 -type pkcs12
-pw "Str0ngPassw0rd"
-strong -stash
Keyword Use
-keydb Indicates that the command will apply to a keystore.
-create or -drop Create (or drop) a keystore.
-db Keystore filename. The keystore must be available to the DB2 instance.
-type Must be pkcs12.
-pw Password for the keystore (at least 14 characters long when -strong is used).
-strong Check that the password is non-trivial.
-stash Create a stash file to allow for commands to run without prompting for password.
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
24/84
2015 IBMCorporation
Stash File Considerations
When the -stash option is specified during the create action, an obfuscatedversion of the keystore password is stashed in a file:
.sth
A stash file is used as an automatic way of providing a password If a keystore password was not provided during db2start, the password will be retrieved
from the stash file
The stash file can only be read by the instance owner
Not stashing the password enhances security if the instance owner account becomescompromised
This additional security must be weighed against any requirements that the DB2instance can start without human intervention
If the password is not stashed, you cannot access an encrypted database until you
provide the keystore password.
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
25/84
2015 IBMCorporation
Starting DB2 without a Stash File
DB2 will start normally (no error condition returned) if a stash file is notpresent in the system
Database activation, or applications connecting to encrypted databases will
encounter an error condition:
SQL1728N The command or operation failed because the keystore could not be
accessed. Reason code "3".
The db2startcommand must be re-executed with the open keystoreoption to enable access to encrypted databasesdb2start open keystore USING KeySt0rePassw0rd
To avoid placing the password on the command line:
db2start open keystore will prompt for password For scripts of other executables, supply the password through either a
temporary file or open file descriptordb2startopen keystore PASSARG FILENAME: | FD:
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
26/84
2015 IBMCorporation
Creating Master Keys
DB2 will generate master keys for you automatically during: Database Creation Key rotation Restoring into a new database
DB2 master keys are always AES 256-bit This key is used to encrypt the database key, not the actual database
You may want to create a key with a specific label for a number
of reasons: You want to keep track of the Master Key Labels and their corresponding keys for
offsite recovery without having the entire keystore available on thebackup site
You have an HADR pair that must have synchronized keys You are encrypting a backup for an unencrypted database
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
27/84
2015 IBMCorporation
Creating a Master Key Label
A keystore must be created before adding a Master Key Label Also require write access to the keystore The gsk8capicmdis used to create a new master key gsk8capicmd_64 secretkey add db label file -stashed
Parameters
Examplegsk8capicmd_64 secretkey add -db ~/db2/db2keys.p12 -label secret.key
-stashed
-file ~/db2/mysecretkey
Keyword Use
-secretkey Indicates that the command will insert a new master key into an existing keystore
-add Add a key to the keystore (Note: You can't drop a key using this command)
-db Keystore filename
-label Name of the master label (text string)
-pw Password for the keystore if the stash file is not available
-file Location of the AES key that will be used to encrypt the database key
-stashed Use the stashed password to access the keystore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
28/84
2015 IBMCorporation
Generating an AES Key for a Master Key Label
A secret key needs to be generated by the user before adding a master keyto the keystore
The secret key is used to encrypt the database key The strength of the secret key has no relationship to the actual encryption that takes
place within the database Recommendation is to use the highest level of AES encryption (256) for the database
key (same as DB2) Overhead is insignificant since the database key is not frequently decrypted
Generating a random key A key needs to be 16, 24, or 32 bytes wide Corresponds to 128, 192, or 256-bit AES keys
On Linux, UNIX, and AIX use the following command to generate a 32-byte randomstring (which represents a 256-bit AES key)head c 32 /dev/random >~/db2/mysecretkey
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
29/84
2015 IBMCorporation
Delete or List Master Key Labels
You can delete a master key or query the contents of a keystore by using thecert option of the GSKit commandgsk8capicmd_64 cert [-list|-delete]
Parameters
Examplesgsk8capicmd_64 cert list -db ~/db2/db2keys.p12 stashed
gsk8capicmd_64 cert delete db ~/db2/db2keys.p12 -stashed
-label secret.key
Common Keywords Use
-db Absolute location of the keystore
-stashed Use the stashed password to access the keystore
-pw Password for the keystore if the stash file is not available
Delete Use
-delete -label Name of the master key label (text string)
List Use
-list List all of the master keys in the keystore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
30/84
2015 IBMCorporation
Exporting a Master Key Label
A secure method of moving a key (to import to another keystore) involvesthe use of the cert option of the GSKit command
gsk8capicmd_64 cert -exportdb label target target_pw
Parameters
Examplegsk8capicmd_64 cert export -db ~/db2/db2keys.p12 -stashed
-label secret.key target ~/db2/exportedkey.p12 target_type pkcs12
-target_pw Str0ngPassw0rd
Keywords Use
-export Tells the command to export a master key into a file
-db Absolute location of the keystore
-stashed Use the stashed password to access the keystore
-pw Password for the keystore if the stash file is not available
-label Name of the master key label (text string)
-target Name of the file to place the contents of the keystore into
-target_pw Password used to encrypt this file
-target_type Type of file (pkcs12)
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
31/84
2015 IBMCorporation
Importing a Master Key Label
The import option on the cert command is used to import the master keyinto an existing keystore (usually at a backup site)
Note that the target file is the keystore on the backup systemgsk8capicmd_64 cert -importdb label target target_pw
Parameters
Examplegsk8capicmd_64 cert import -db ~/db2/exportedkey.p12 -stashed
-pw Str0ngPassw0rd -label secret.key
target ~/db2/db2keys.p12 target_type pkcs12
Keywords Use
-import Tells the command to import a master key into a file
-db Absolute location of the key that we want to import (not the current keystore)
-stashed Use the stashed password to access the keystore
-pw Password for the key that we exported from the original keystore-label Name of the master key label that we want to import
-target Name of the local keystore file to place the contents of the master key into.
-target_pw Password for the keystore file, but you can use the stashed option
-target_type Type of file (pkcs12)
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
32/84
2015 IBMCorporation
Registering the Keystore in DB2
After creating a keystore file, the DB2 instance must be updated with thelocation and type of keystore
Two new configuration parameters KEYSTORE_TYPE Type of keystore being used (either NULLor PKCS12) KEYSTORE_LOCATION Absolute location of the keystore (or NULLif none)
A DB2 instance can only have one keystore The system could have keystores for other applications, but DB2 only supports one
keystore at the instance level
Best practice is to update both parameters simultaneouslyUPDATE DBM CFG USING
KEYSTORE_TYPE PKCS12
KEYSTORE_LOCATION "/home/db2inst1/db2/db2keys.p12"
To remove a keystore from an instance, set the values toNONEandNULL
UPDATE DBM CFG USING KEYSTORE_TYPE NONE KEYSTORE_LOCATION NULL
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
33/84
2015 IBMCorporation
March 26, 2015
PART TWO
Encrypting DB2 Databases
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
34/84
2015 IBMCorporation
Encrypting Online Data
Once the keystore has been created and registered, and (optional) a masterkey created, you can encrypt a database
Encryption can be requested via a new option on the CREATE DATABASE
command:
CREATE DATABASE mydb ENCRYPT;
The default encryption is AES 256, but users can select other algorithms and
key lengths if they so desire
CREATE DATABASE mydb
ENCRYPT CIPHER AES KEY LENGTH 128;
CREATE DATABASE mydb
ENCRYPT CIPHER 3DES KEY LENGTH 168;CREATE DATABASE mydb
ENCRYPT CIPHER AES KEY LENGTH 256
MASTER KEY LABEL mylabel;
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
35/84
2015 IBMCorporation
Encryption Options
The ENCRYPT keyword has three options CIPHER
This is the type of encryption to use AES (Advanced Encryption standard) or 3DES (Triple Data Encryption Standard) AES is the default if CIPHER is not specified
AES is implemented in some hardware so potentially more efficient to use KEY LENGTH
For AES encryption this can be 128, 192, or 256 bits Default length is 256 for AES, and it can only be 168 for 3DES
MASTER KEY LABEL
The name of the master key found within the keystore that will encrypt the databaseencryption key
A master key label is optional DB2 will generate a master key if one is not supplied on the CREATEDATABASE
command The name of the generated master key is:
DB2_SYSGEN___
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
36/84
2015 IBMCorporation
Determine Current Database Encryption Settings
The SYSPROC.ADMIN_GET_ENCRYPTION_INFOtable function can be used todetermine the encryption settings for a database
Column Contents
ALGORITHM Encryption algorithm used
ALGORITHM_MODE Encryption algorithm mode used
KEY_LENGTH Encryption key length
MASTER_LEY_LABEL Master key label associated with the master key used
KEYSTORE_NAME Absolute path of the keystore file location
KEYSTORE_TYPE Type of keystore
KEYSTORE_HOST Host name of the server where the keystore file is located
KEYSTORE_IP IP address of the server where the keystore file is located
KEYSTORE_IP_TYPE Type of the IP address of the keystore (IPV4 or IPV6)
PREVIOUS_MASTER_KEY_LABEL Master key label before the last master key rotation took place - If a master key rotation has not occurred,this value is the master key label
ROTATION_TIME Timestamp when the last master key rotation took place
AUTH_ID Authorization ID that was used during the last master key rotation
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
37/84
2015 IBMCorporation
Key Rotation
The process of changing encryption keys for compliance purposes It requires decrypting any key encrypted with the old key and then re- encrypting it with
the new key The data does not get re-encrypted!
The key rotation frequency depends on the compliance driver This generally ranges from once every 3 months to once per year
The key rotation requirement can be thought of as analogous to the
requirement to change passwords every 90 days
DB2 Key
SECRET.DB2INST1.2015.02.01
Key Label Master Key
The current Master Key is used toto decrypt the DB2 encryption key
SECRET.DB2INST1.2015.03.05
Key Label Master Key
Now a new Master Key is used to encrypt
the DB2 encryption key
DB2 Key
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
38/84
2015 IBMCorporation
Key Rotation Procedure
The SYSPROC.ADMIN_ROTATE_MASTER_KEYprocedure can be used tochange the database key to comply with key rotation requirement
You must be connected to the database to run this command
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('newMasterKeyLabel')
The SYSPROC.ADMIN_ROTATE_MASTER_KEYprocedure re-encrypts thedatabase key with the new master key
DB2 will automatically generate the new master key unless you override it
with a key label
Key rotation is logged in the db2diag.log file:
grep A 3 "Key Rotation" ~/sqllib/db2dump/db2diag.log
Key Rotation successful using label:
DATA #2 : String, 46 bytes
DB2_SYSGEN_db2inst1_SECRET_2015-02-09-05.03.12
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
39/84
2015 IBMCorporation
March 26, 2015
PART TWO
Backup and Restore Using Encryption
B k E ti S tti
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
40/84
2015 IBMCorporation
Backup Encryption Settings
Two database parameters can be used to automatically control theencryption of backups
ENCRLIB Which encryption library to use ENCROPTS What options to pass to the encryption routine
ENCRLIB is set to one of the following values (full path required)
ENCROPTS is a string with the following optional values Each option is separated by a colon (:) in the string (Cipher=AES:Length=256)
Operating System Compression Encryption Both
Windows db2compr.dll db2encr.dll db2compr_encr.dll
Linux libdb2compr.so libdb2encr.so libdb2compr_encr.so
AIX libdb2compr.a libdb2encr.a libdb2compr_encr.a
Option Purpose Values
Cipher Type of encryption algorithm to use AES, 3DES
Length Length of the encryption key AES: 128, 192, 256 3DES: 168
Master Key Label Optional name of the Master Key Label used to encrypt the database key String
B k E ti S tti f E t d D t b
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
41/84
2015 IBMCorporation
Backup Encryption Settings for Encrypted Databases
ENCRLIB and ENCOPTS are automatically set when a new database iscreated with encryption
Both values are set according to the ENCRYPToptions that were used at databasecreation time
Any database backup will be encrypted automatically with these setting No requirement for additional encryption keywords on the BACKUPcommand Only a SECADMcan override the database encryption parameters
Overriding the backup encryption level requires that SECADM update the
ENCROPTS settings A database backup can have a different level of encryption than the
database itself The ENCROPTScan also be set manually on the BACKUPcommand but that would
require that the database ENCROPTSparameter be set toNULL
Supplying no ENCROPTSon the BACKUPwould result in default encryption settings(AES 256) Setting ENCRLIBtoNULLand ENCROPTStoNULLwill allow the DBA to backup the
database with NO ENCRYPTION
Back p Encr ption Settings for Normal Databases
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
42/84
2015 IBMCorporation
Backup Encryption Settings for Normal Databases
ENCRLIB and ENCROPTS can be set to for databases that have noencryption settings
Set the values according to the ENCRLIBand ENCROPTSoptions that you want for thedatabase
Once these parameters are set by the SECADM, they "lock in" the encryption of thebackup
The backup options cannot be overridden on the BACKUP command unlessENCROPTSis null (for encryption options) or ENCRYPTis null for no encryption
Setting ENCRLIB/ENCROPTS at the database level ensures that backups willalways be encrypted DBAs can run the BACKUP command with no additional options required
for encryption
Example:BACKUP DATABASE SECRET TO /HOME/DB2INST1/DB2
ENCRYPT ENCRLIB 'libdb2encr.so'
ENCROPTS 'Cipher=AES:Key Length=256'
Backup Encryption Summary
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
43/84
2015 IBMCorporation
Backup Encryption Summary
The following chart summarizes the combination of settings of ENCRLIBand ENCROPTS that result in encrypted backups
If ENCRLIBis set, backups will always be encrypted DBAs can only override the level of backup encryption if ENCROPTSis
set toNULL A backup will be decrypted when ENCRLIBand ENCROPTSareNULL
Restoring Encrypted Backup to an Existing Database
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
44/84
2015 IBMCorporation
Restoring Encrypted Backup to an Existing Database
Restoring a backup by replacing an existing database requires no specialparameters
Keystore must contain the master key label that was used to generate this backupcopy
Standard databases with an encrypted backup would restore back to an unencryptedcopy
RESTORE DATABASE SECRET FROM /home/db2inst1/db2
RESTORE will use the existing database encryption settings to encrypt the
data being restored The encryption settings can not be changed when restoring into an existing database
Restoring Encrypted Backup to an New Database
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
45/84
2015 IBMCorporation
Restoring Encrypted Backup to an New Database
Restoring a backup to a new copy of the database requires that theENCRYPT parameter be added to the command
DB2 needs to create the database before restoring the encrypted copy, and without theENCRYPTkeyword, the database would not be secure
Parameters for the ENCRYPTkeyword are identical to creating anencrypted database
RESTORE DATABASE SECRET FROM /home/db2inst1/db2
ENCRYPT
CIPHER AES
KEY LENGTH 128
MASTER KEY LABEL secret.key
Encryption settings can be different from the backup copy settings The parameters used with the ENCRYPToption can specify a different cipher, key
length, or master key label If you need to duplicate the exact encryption settings, use the show master key
detailsoption of the RESTOREcommand
Determining the Backup Encryption Settings
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
46/84
2015 IBMCorporation
Determining the Backup Encryption Settings
When restoring a backup as a new database, the database will need to becreated with encryption enabled
You can chose to change the cipher, key length, and master key label settings There is an option to query the encryption settings of the backup image
The RESTORE command can extract the backup encryption settings The RESTOREcommand with the showmasterkeydetailsoption will prompt the
user if they want to overwrite an existing copy of the database Accepting the overwrite will NOToverwrite the databaseRESTORE DATABASE SECRET FROM /home/db2inst1/db2
ENCROPTS 'show master key details'
Encryption information from the backup will be placed into the db2dumpdirectory
File with the following name will be generated .#....masterkeydetails You can then use ENCROPTS 'Master Key Label=xxx'option on the RESTORE
command to decrypt the backup with the proper master key
Backup/Restore Encrypted Database Examples
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
47/84
2015 IBMCorporation
Backup/Restore Encrypted Database Examples
Create, Backup, and Restore an Encrypted Database
CREATE DATABASE SECRET ENCRYPTBACKUP DATABASE SECRET ON /db2RESTORE DATABASE SECRET FROM /db2
Restore to a new copy of the Encrypted Database
RESTORE DATABASE SECRET FROM /db2 ENCRYPT
Restore to a new copy of the Encrypted Database with different encryption options
RESTORE DATABASE SECRET FROM /db2 ENCRYPT CIPHER AES KEY LENGTH 192
Restore to a new copy of the Encrypted Database with no encryption
RESTORE DATABASE SECRET FROM /db2 NO ENCRYPT
Extract the Master Key Label information from the backup image
RESTORE DATABASE SECRET FROM /db2 ENCRYPTENCROPTS 'show master key details'
Backup Encrypted Database with different ENCROPTS settings
UPDATE DATABASE CONFIG USING ENCROPTS NULL IMMEDIATEBACKUP DATABASE SECRET ON /db2 ENCROPTS 'Ciper=AES:Key Length=128'
Backup Encrypted Database with no encryption at all
UPDATE DATABASE CONFIG USING ENCRLIB NULL ENCROPTS NULL IMMEDIATEBACKUP DATABASE SECRET ON /db2
Backup/Restore Regular Database Examples
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
48/84
2015 IBMCorporation
Backup/Restore Regular Database Examples
Create, Backup, and Restore a Regular Database
CREATE DATABASE NOSECRETBACKUP DATABASE NOSECRET TO /db2RESTORE DATABASE NOSECRET FROM /db2
Restore to a new copy of the database and have it encrypted using the defaults
RESTORE DATABASE NOSECRET FROM /db2 ENCRYPT
Restore to a new copy of the Encrypted Database with different encryption options
RESTORE DATABASE NOSECRET FROM /db2 ENCRYPT CIPHER AES KEY LENGTH 192
Backup a regular database using Encryption
BACKUP DATABASE NOSECRET TO /db2 ENCRYPT
ENCRLIB 'libdb2encr.so'ENCROPTS 'Cipher=AES:Key length=128:Master Key Label=secret.key'
Restore the Encrypted backup to a regular database
RESTORE DATABASE NOSECRET FROM /db2
Backup regular database using ENCRLIB and ENCROPTS settings
UPDATE DATABASE CONFIG USING ENCRLIB '/home/db2inst1/sqllib/lib/libdb2encr.so'
ENCROPTS 'Cipher=AES:Key length=128:Master Key Label=secret.key'BACKUP DATABASE NOSECRET TO /db2
Restoring an Encrypted Backup to a Different Server
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
49/84
2015 IBMCorporation
Restoring an Encrypted Backup to a Different Server
Create the database and do a backupCREATE DATABASE SECRET ENCRYPT
BACKUP DATABASE SECRET TO /primary
Extract the Master Key Label for the keystore
gsk8capicmd cert export db ~/db2/primary.p12 stashed -label secret.key target secret.p12
-target_type pkcs12 target_pw Str0ngPassw0rd
Copy the master key to the backup site and add the key to the backup site
keystore gsk8capicmd cert import db secret.p12 pw Str0ngPassw0rd
stashed -label secret.key
-target ~/db2/backup.p12
-target_type pkcs12
Restore the databaseRESTORE DATABASE SECRET FROM /backup
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
50/84
2015 IBMCorporation
March 26, 2015
PART TWO
Utilities, Diagnostics andSpecial Considerations
Migration of Existing Data
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
51/84
2015 IBMCorporation
Migration of Existing Data
Take a standard non encrypted backup of the database
Restore the backup into a new database using the newly added ENCRYPTclause to enable the desired encryption settings
Backup Restore
RESTORE DATABASE SECRET FROM /home/db2inst1ENCRYPT
CIPHER AES
KEY LENGTH 192
MASTER KEY LABEL secret.key
HADR Considerations
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
52/84
2015 IBMCorporation
Normally both primary and secondary databases are encrypted Possible to only have the primary or secondary encrypted On HADR startup, an admin warning message will be produced
Secondary site will be set up as new a database Specify encryption options as part of the RESTORE command Keystore needs to be available locally
Create keystore and master key label at primary and secondary site (The Master Key Label must be the same)
gsk8capicmd keydb create db ~/db2/db2keys.p12 type pkcs12 pw Str0ngPassw0rd strong stash
head c 32 /dev/random > ~/db2/secretkey.p12
gsk8capicm secretkey add db ~/db2/db2keys.p12 stashed label secret.key file ~/db2/secretkey.p12 Move keystore to secondary site, or export master key and import into secondary site
Update local and backup instance with the location and type of keystore
UPDATE DBM CONFIG USING
KEYSTORE_NAME /home/db2inst1/db2/db2keys.p12 KEYSTORE_TYPE PKCS12
Create the primary database using the master key label, setup HADR, and then backup the database
CREATE DATABASE SECERT ENCRYPT MASTER KEY LABEL secret.key Setup of HADR primary BACKUP DATABASE SECRET TO ~/db2
Restore to a new copy of the Encrypted Database at the secondary site
RESTORE DATABASE SECRET FROM /db2 ENCRYPT CIPHER MASTER KEY LABEL secret.key Setup of HADR standby
Tooling Changes
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
53/84
2015 IBMCorporation
g g
Tools with encryption support db2cklog db2flsn db2LogsForRfwd db2ckbkp db2adutl db2dart
These tools will use the keystore specified in the DBM CFGKEYSTORE_LOCATION parameter
Additional arguments used to connect to the keystore if the password isnot stashed-kspassword password
-kspassarg fd:file_descriptor
filename:file_name
-ksprompt
Database Encryption Scenario
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
54/84
2015 IBMCorporation
yp
Database Encryption Implementation Configure the keystore for the instance (one-time set-up) Specify encryption when creating a database Specify encryption when taking a backup (default for encrypted databases) Specify encryption when restoring a backup
Database Encryption Operational Management Regular backup and safe storage of the keystore Rotate the database master key as dictated by the compliance requirements If password protection of the keystore was selected, manage the password carefully
including changes as dictated by the compliance requirements
The customer is responsible for backingup the keystore!
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
55/84
2015 IBMCorporation
March 26, 2015
PART THREE
Deep Dive
GSKit Global Security Kit
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
56/84
2015 IBMCorporation
56 March 26, 2015
GSKit Global Security Kit
Encryption library provided to all IBM products from a team in Tivoli
Shared libraries and executables shipped with DB2 Currently used for existing encryption and SSL support Upgraded to new version 8.0.50.31
Use gsk8ver_64 to get version New version has support for secret keys required by this solution
Consult docs on how to set $PATHand $LD_LIBRARY_PATH For this solution, we are interested in the command line tool gsk8capicmd_64
to manage keystores
While not specific to this solution, the requirement of a new versionmight increase problems with interoperability with other products. Most likely manifest itself as a db2diag.log entry about missing functions, or
inability to load a GSKit library
PKCS12 Keystore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
57/84
2015 IBMCorporation
57 March 26, 2015
PKCS12 Keystore
DB2 stores Master Keys outside of the database/instance
Stored in a PKCS12 keystore file on disk (.p12)
PKCS12 Public Key Crypto-system #12 RSA standards for public key cryptography
Keystore is always encrypted and the key is derived from a password
Contains both public and private (secret) keys referenced by a label Public keys SSL Secret Keys Native encryption
PKCS12 Keystore Stash File
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
58/84
2015 IBMCorporation
58 March 26, 2015
PKCS12 Keystore Stash File
A stash file contains an obfuscated version of the password It's NOT encrypted, it's similar to plaintext
Allows instance owner to access the keystore without providing thepassword
Permissions same as keystore, only accessible by the instance owner
Allows automated db2start, such as after a crash, to proceed without auser manually entering a password
Should provide sufficient security for majority of customers
Not mandatory, for those that feel it's inadequate, can manually enterpassword on db2start. Easy to recreate if you remember the password
PKCS12 Keystore Backing up the keystore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
59/84
2015 IBMCorporation
59 March 26, 2015
PKCS12 Keystore Backing up the keystore
The customer is responsible for backing up the keystore and stash file
Failure to backup keystore can result in the inability to access allencrypted data, including logs and backups
Keystore must be backed up whenever a new key is added.
There is no backdoor for IBM to access data.
When DB2 inserts a new Master Key into the keystore, it logs an adminmessage to remind customer to backup
2015-01-12-12.03.57.408278 Instance:gstager Node:000
PID:20764(db2agent (instance)) TID:3443517760 Appid:*LOCAL.gstager.150112170356
bsu security sqlexInsertNewMasterKeyLabel Probe:519 Database:ADM8014W Backup the keystore.
PKCS12 Keystore- DBM CFG / Creation
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
60/84
2015 IBMCorporation
60 March 26, 2015
PKCS12 Keystore DBM CFG / Creation
Two new parameters tell DB2 about the keystore
KEYSTORE_TYPE PKCS12 KEYSTORE_LOCATION fully qualified path of the keystore
Creates the keystore.p12 file, along with keystore.sth stash file
gsk8capicmd_64 -fips true -keydb -create -db keystore.p12 -pw
Str0ngPassw0rd -strong -type pkcs12 -stash;
File permissions of keystore
When created, only the creator will have read/write permission
Instance owner should be the one to create it File permissions should never be changed
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
61/84
PKCS12 Keystore Manually creating a key
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
62/84
2015 IBMCorporation
62 March 26, 2015
PKCS12 Keystore Manually creating a key
Customer is responsible for secure random number generation
Example: head -c 32 /dev/random > mysecretfile
Must be exactly 128, 192 or 256 bits (16,24, or 32 bytes)
This is the level of AES encryption used to encrypt the DEK
gsk8capicmd secretkey add db ccardskeystore.p12
stashed label mylabel.mydb.myinstance.myserver
file mysecretkeyfile;
Common Label Problems
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
63/84
2015 IBMCorporation
63 March 26, 2015
Common Label Problems
Only specify a label when that label already exists in the keystore
For example, you can specify a master key label onADMIN_ROTATE_MASTER_KEY, but it must already exist in the keystoreor else and error SQL1729N will occur.
General rule is to never delete labels from a keystore Are you sure you don't need access to that 5 your old backup encrypted with
this label?
Key rotation does not guarantee current label has stopped being used. Mainexample is log file, only new log files will use new label.
For missing label, why do you expect the label to be available? Was the backup copied from another system, HADR Use the following to list labels in the keystore:
gsk8capicmd_64 -cert -list all -db keystore.p12 -stashed
Common label problems
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
64/84
2015 IBMCorporation
64 March 26, 2015
p
Don't create the same label multiple times, or re-create a label with a namealready used
Ex. Create A, delete A, then re-create A
Ex. Create label A in keystore 1, create label A in keystore 2, then backupdatabase using keystore 1, and restore using keystore 2
They might have the same label, but will have a different key. DB2 candetect this:
FUNCTION: DB2 UDB, bsu security, sqlexDecryptDEK, probe:0
MESSAGE : ZRC=0x805C08F4=SQLEX_MASTER_KEY_FOR_LABEL_CHANGED "The key for the master key label has changed."
checksum: 3026379365
version: 1
masterKeyLabel: mylabel.mydb.myinstance.myserver
masterKeyLength: 32
Most keystore problems reported as SQL1728N Bad values for KEYSTORE_LOCATION Bad file permissions Password required to open keystore
Accessing Keystore without a stash file
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
65/84
2015 IBMCorporation
65 March 26, 2015
g y
When a stash file is not used, a password must be provided to db2start toopen the keystore
db2start open keystore using
Can be done after DB2 has started, it will just update the password
Similarly if the password changes, just re-issue db2start
Sent to each member that is started during db2start
Example: db2start db2 connect to mydb
Fails with SQL1728 RC 3 password is missing db2start open keystore using thepassword (note no db2stop) db2 connect to mydb succeeds
Note the error is only when we access the encrypted database
Db2start keystore password recovering from
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
66/84
2015 IBMCorporation
66 March 26, 2015
y p g
crashes For DPF and SD, DB2 makes a best effort to maintain the keystore password in
memory. If at least one member is active that knows the password, the system cancontinue running, as members will ask each other for the password (RPC). If allmembers that knew the password crash, a manual db2start will need to be issued toprovide the password
Restart automation like TSA does not have the password
Several options are provided to ensure password is not seen during psoutput, history etc.
db2start open keystore will prompt for password, in the same way CLP would promptfor password during connect
Interactive use
db2start open keystore PASSARG Passarg = fd:where password has been written to open pipe Passarg = filename:where the first line of the file contains the
password
Used for scripts/executables where prompting is cumbersome
Backup and Restore - errors
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
67/84
2015 IBMCorporation
67 March 26, 2015
$ db2 "backup db testdb compress comprlib 'libdb2encr.so' compropts 'Master KeyLabel=no_such_label'" ; SQL2062N An error occurred while accessingmedia "libdb2encr.so". Reason code: "1".
$ db2 "backup db testdb compress comprlib 'libdb2encr.so' compropts 'Cipher=AES:KeyLength=257:Master Key Label=label_mihai'" ;SQL2062N An error occurred while accessing media "libdb2encr.so". Reason code:"1".
2015-01-09-15.56.29.008456 Instance:miacob Node:000
PID:6131(db2bm.41.0 (TESTDB)) TID:3330271552 Appid:*LOCAL.miacob.150109205625
bsu security InitEncryption Probe:911 Database:TESTDB
ADM8013E The command or operation failed due to an error in the encryption or
compression library.
2015-01-09-15.59.59.878013 Instance:miacob Node:000
PID:6131(db2bm.152.0 (TESTDB)) TID:3300911424 Appid:*LOCAL.miacob.150109205957
bsu security InitEncryption Probe:911 Database:TESTDB
ADM8013E The command or operation failed due to an error in the encryption or
compression library.
Backup and Restore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
68/84
2015 IBMCorporation
68 March 26, 2015
2015-01-09-15.56.28.959004-300 I55540E2155 LEVEL: ErrorPID : 6131 TID : 46912963078464 PROC : db2syscINSTANCE: miacob NODE : 000 DB : TESTDBAPPHDL : 0-23 APPID: *LOCAL.miacob.150109205625AUTHID : MIACOB HOSTNAME: hotel51EDUID : 125 EDUNAME: db2bm.41.0 (TESTDB)FUNCTION: DB2 Common, Cryptography, cryptP12KSGetSecretKey, probe:479
MESSAGE : ECF=0x90000644=-1879046588=ECF_CRYPT_KEYSTORE_LABEL_NOT_FOUND The requested label does not exist
DATA #1 : unsigned integer, 4 bytes117DATA #2 : String, 13 bytesno_such_label
CALLSTCK: (Static functions may not be resolved correctly, as they are resolved to the nearest symbol) [0] 0x00002AAAB6215CAB /home/miacob/sqllib/lib64/libdb2osse.so.1 + 0x221CAB [1] 0x00002AAAB6215AE3 ossLog + 0xA3 [2] 0x00002AAAAF64328E cryptLogKMErrorString + 0x3E [3] 0x00002AAAAF643BDB _Z22cryptP12KSGetSecretKeyP26cryptPKCS12KeyStoreContextPKcPPhPjbb + 0x13B [4] 0x00002AAAB0248566 _Z26sqlexGetMasterKeyFromLabelPKctPtPhS1_bbP5sqlca + 0x1B6 [5] 0x00002AAAB025E11E _Z31sqlexFillOutDEKStorageForBackupttjmP15sqlexDEKStorageP20cryptBlockCipherInfoP5sqlca + 0x29E [6] 0x00002AAAB026693E _Z14InitEncryptionPK13COMPR_DB2INFOP12COMPR_PIINFOPP8COMPR_CB + 0x53E [7] 0x00002AAAB951000DInitCompression+ 0x5D [8] 0x00002AAAB03C49EF _Z22InitCompressionWrapperPv + 0x2F [9] 0x00002AAAB0D681C3 sqloInvokeInterruptibleFunction + 0x123 [10] 0x00002AAAB03C4AE2 _Z19InitCompressionCallPFiPK13COMPR_DB2INFOP12COMPR_PIINFOPP8COMPR_CBES1_S3_S6_ + 0x62 [11] 0x00002AAAB03ABB49 _Z24sqluBMInitComprFrameworkP14SQLU_BUFMAN_CB + 0x2C9 [12] 0x00002AAAB03A9A4E _Z10sqluBMInitP14SQLU_BUFMAN_CBP12SQLU_BAGT_CB + 0x19E
Backup and Restore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
69/84
2015 IBMCorporation
69 March 26, 2015
2015-01-09-15.59.59.865699-300 I84795E1813 LEVEL: ErrorPID : 6131 TID : 46912933718336 PROC : db2syscINSTANCE: miacob NODE : 000 DB : TESTDBAPPHDL : 0-26 APPID: *LOCAL.miacob.150109205957AUTHID : MIACOB HOSTNAME: hotel51EDUID : 178 EDUNAME: db2bm.152.0 (TESTDB)FUNCTION: DB2 UDB, bsu security, sqlexParseENCROPTSforBackup, probe:360
MESSAGE : ZRC=0x805C08F0=-2141452048=SQLEX_MASTERKEY_BAD_LENGTH "The command or operation failed because the master key does not match a supported key length."
DATA #1 : String, 29 bytesUnsupported option:Key Length
CALLSTCK: (Static functions may not be resolved correctly, as they are resolved to the nearest symbol) [0] 0x00002AAAB0265DEE _Z27sqlexParseENCROPTSforBackupijPcPtS0_PjS1_PP16MASTER_KEY_LABELP5sqlca + 0x73E [1] 0x00002AAAB02669AA _Z14InitEncryptionPK13COMPR_DB2INFOP12COMPR_PIINFOPP8COMPR_CB + 0x5AA
[2] 0x00002AAAB951000D InitCompression+ 0x5D [3] 0x00002AAAB03C49EF _Z22InitCompressionWrapperPv + 0x2F [4] 0x00002AAAB0D681C3 sqloInvokeInterruptibleFunction + 0x123 [5] 0x00002AAAB03C4AE2 _Z19InitCompressionCallPFiPK13COMPR_DB2INFOP12COMPR_PIINFOPP8COMPR_CBES1_S3_S6_ + 0x62 [6] 0x00002AAAB03ABB49 _Z24sqluBMInitComprFrameworkP14SQLU_BUFMAN_CB + 0x2C9 [7] 0x00002AAAB03A9A4E _Z10sqluBMInitP14SQLU_BUFMAN_CBP12SQLU_BAGT_CB + 0x19E [8] 0x00002AAAB03ACA91 _Z8sqlubbufP8sqeAgent + 0x351 [9] 0x00002AAAB0104AE8 _Z26sqleSubCoordProcessRequestP8sqeAgent + 0xE8 [10] 0x00002AAAADDC1464 _ZN8sqeAgent6RunEDUEv + 0xA44
[11] 0x00002AAAAF575067 _ZN9sqzEDUObj9EDUDriverEv + 0xF7 [12] 0x00002AAAAED61983 sqloEDUEntry + 0x303
Backup and Restore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
70/84
2015 IBMCorporation
70 March 26, 2015
db2 "restore db testdb encrlib 'libdb2encr.so' encropts 'show masterkey details'"
SQL2539W The specified name of the backup image to restore is thesame as the name of the target database. Restoring to an existingdatabase that is the same as the backup image database will causethe current database to be overwritten by the backup version. Do youwant to continue ? (y/n) y
DB20000I The RESTORE DATABASE command completedsuccessfully.
(Does not perform a restore)
Backup and Restore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
71/84
2015 IBMCorporation
71 March 26, 2015
/home/miacob/sqllib/db2dump:$ catTESTDB.0.miacob.DBPART000.20150109155924.masterKeyDetails
KeyStore Type: PKCS12 KeyStore Location: /home/miacob/sqllib/keystore.p12
KeyStore Host Name: hotel51.torolab.ibm.com
KeyStore IP Address: 9.26.120.67
KeyStore IP Address Type: IPV4
Encryption Algorithm: AES Encryption Algorithm Mode: CBC
Encryption Key Length: 192
Master Key Label: label_mihai
Backup and Restore
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
72/84
2015 IBMCorporation
72 March 26, 2015
db2 "restore db testdb encrlib 'libdb2encr.so' encropts 'master keylabel=label_mihai' encrypt master key labellabel_jack"
Note that at restore time we will try the labels used to encrypt thebackup image one by one if a label is not specified via 'encropts'.
Backup and Restore: sharing encrypted backups
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
73/84
2015 IBMCorporation
73 March 26, 2015
Scenario: take an encrypted backup on system A and restore it onsystem B (without sharing the master key label used to encrypt thesource database on system A)
Create a new master key label to be used for the backup:label4systemb
Extract the key from the keystore on system A, securely copyitto system B, import it into the keystore on system B.
Take the encrypted backup and specify 'master keylabel=label4systemb'via encropts
Copy the encrypted backup to system B Restore the encrypted backup on system B
Backup and Restore: sharing encrypted backups
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
74/84
2015 IBMCorporation
74 March 26, 2015
Common problem:the master key label used to encrypt the backup is notavailable in the keystore on the target system B.
How to diagnose: Look at the db2diag.log for the real error
(SQLEX_KEYSTORE_LABEL_DOES_NOT_EXIST) Use 'show master key details' via encropts on the restore command to
generate the .masterKeyDetails file in db2dump and find out the
master key label used to encrypt the backup and the location of thekeystore on the source system. Extract this key from the source system keystore, securely copy it to the
target system, import it into the keystore, re-run the restore.
Restore 'no encrypt' clause
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
75/84
2015 IBMCorporation
75 March 26, 2015
To ensure backup images containing encrypted databases are notinadvertently restored without encryption, this clause was introduced.
This is applicable to any database level images, not for tablespace (uses
existing db's setting) or snapshot restore (uses setting in image). Examples:
BAD -Note:sample does not exist prior to the restore (e.g. moving to new system)
db2 restore db sample taken at 20150110121447
SQL1743N The RESTORE command failed because the database in the backup image
is encrypted but the existing database on disk is not encrypted.
Note: Folks found the above wording confusing, changing to 'source db at the time of backup was
encrypted but the target database is not encrypted' in later FP.
GOOD -
db2 restore db sample taken at 20150110121447 no encrypt
DB20000I The RESTORE DATABASE command completed successfully.
Setting up HADR and encryption
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
76/84
2015 IBMCorporation
76 March 26, 2015
The primary hadr database may or may not be setup with database encryption and thestandby database can utilize different encryption settings. Note that when one is notencrypted an admin message will be produced to warn as such. o setup a standbydatabase, generally, you will be restoring into a new database, implying you need to
specify the desired encryption options at restore time, if this is not done, no encryptionwill be used on the standby database.
Recommend procedure for setting up HADR system:
PRIMARY:
- db2 update dbm cfg using keystore_name
- db2 create db sample encrypt ... master key label
- ... setup for hadr primary ...
- db2 backup db sample
STANDBY:
- db2 update dbm cfg using keystore_name
- db2 restore db sample encrypt ... master key label
- ... setup for standby primary
Key Rotation and HADR
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
77/84
2015 IBMCorporation
77 March 26, 2015
In this procedure it is important to first add the new master label in the standby's keystore and then proceed to add the new master label in the primary's key store, and onlythen carry out the key rotation operation. This ensures there is no scenario in which anarchived log with the new master key label is required on the standby prior to the
standby's key store having an entry for this new label.
STANDBY:
- Add new master key label to the key store on the standby database.
PRIMARY:
- Add new master key label to the key store on the primary database.
- CALL SYSPROC.ROTATE_MASTER_KEY('');
How can the keystores at the primary and standby be kept in sync: Automatically: Set up some file level synchronization mechanism such as
rsync or similar / or physically share the key. Manually: Add keys to both (just to standby first).
HADR Key Rotation Error Diagnostics
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
78/84
2015 IBMCorporation
78 March 26, 2015
Key Rotation on Standby happens asynchronously, but driven by key rotationon primary system.
If the key rotation on standby has failed, an ADM message is logged:
2015-01-12-15.55.23.398487 Instance:geoffrey Node:000
PID:17361(db2hadrs.0.0 (HADRDB)) TID:1065347392 Appid:none
High Availability Disaster Recovery hdrEdu::hdrEduS Probe:21719 Database:HADRDB
ADM12517E A master key rotation to label
"DB2_SYSGEN_geoffrey_HADRDB_2015-01-12-15.54.26" failed on the HADR standby
with zrc "-2141452059". The standby system disconnects to retry key rotation.
Extra diagnostics from db2diag.log messages to see cause of key rotationfailure. Most common is master key label not present in standby keystore.
HADR Monitoring flags
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
79/84
2015 IBMCorporation
79 March 26, 2015
Can check monitoring flags from either primary or standby systems throughdb2pd -hadr option:
HADR_STATE = REMOTE_CATCHUP_PENDING
HADR_FLAGS = STANDBY_RECV_BLOCKED STANDBY_KEY_ROTATION_ERROR
STANDBY_KEY_ROTATION_ERROR flag indicates that there has been ankey rotation error on the standby system and receiving of new HADR
messages has been blocked.
If problem is resolved within timeout period (30 mins), the systems will re-connect and HADR continues. Otherwise, HADR will shut down and usershave to restart HADR after issue is resolved.
HADR Common Errors
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
80/84
2015 IBMCorporation
80 March 26, 2015
Customer creates primary DB using automatically generated master keylabel.
Determine label using (db2pd -encr / table function, covered in later section) Extract from primary system's keystore. Import into standby system's keystore. Use this label when restoring backup to create standby database
Customer creates standby DB usingautomatically generated master keylabel
The standby will immediately drive key rotation as it detects primary is using adifferent label.
This will fail as the label does not exist on the standby site (hadr will retry
several times but after bring down the system). Add label and restart.
Tooling Changes (See SES for Details)
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
81/84
2015 IBMCorporation
81 March 26, 2015
Tools with encryption support db2pdlog db2fmtlog db2cklog
db2flsn db2LogsForRfwd db2UncompressLog db2ckbkp db2adutl
db2dart
Tools with encryption support
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
82/84
2015 IBMCorporation
82 March 26, 2015
The following new options are added to specify the keystore password(exact syntax may vary in different tools):
Keystore Password
|-+- -kspassword ---------+------ password ------+-------------------|
+- -kspassarg ----------+- fd:file_descriptor -+ + '- filename:file_name -+
+- -ksprompt-----------------------------------'
Only need to specify these options if the keystore password is notstashed.
These tools will use the keystore specified in the DBM CFGKEYSTORE_LOCATIONparameter. There's no way to specifyanother keystore file through the tools.
Run-time PD functions
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
83/84
2015 IBMCorporation
83 March 26, 2015
DB CFG Encrypted database to see if db is encrypted
ADMIN_GET_ENCRYPT_INFO()table function
New db2pd option -encryptioninfo (-enc)
db2pd -db dynam -encryptioninfo
Database Member 0 -- Database DYNAM -- Active -- Up 0 days 00:00:16 -- Date 2015-01-09-14.24.13.275668
Encryption Info:
Object Name: DYNAM
Object Type: DATABASE
Encyrption Key Info:
Encryption Algorithm: AES
Encryption Algorithm Mode: CBC
Encryption Key Length: 256
Master Key Label: DB2_SYSGEN_geoffrey_DYNAM_2015-01-09-14.20.58
Master Key Rotation Timestamp: 2015-01-09-14.20.59.000000
Master Key Rotation Appl ID: *LOCAL.geoffrey.150109192055
Master Key Rotation Auth ID: GEOFFREY
Previous Master Key Label: DB2_SYSGEN_geoffrey_DYNAM_2015-01-09-14.20.58
KeyStore Info:
KeyStore Type: PKCS12
KeyStore Location: /home/geoffrey/sqllib/keystore.p12
KeyStore Host Name: hotel80.torolab.ibm.com
KeyStore IP Address: 9.26.120.37
KeyStore IP Address Type: IPV4
-
7/21/2019 ExploringIBMDB2 EncryptionTechnology Marcin BasterIBM POLSKA
84/84
2015 IBMCorporation
84 March 26, 2015
THANK YOU