Post on 13-Apr-2022
Do you sleep well while your data’s at rest?
DB2 Native Encryption is the remedy!
Michael Tiefenbacher, ids-System GmbH
Session Code: CX2
Platform: DB2 LUW
© Copyright by Michael Tiefenbacher
Session Objectives
• Introduction of the DB2 native encryption functionality
• Steps to encrypt databases including creating a keystore and encrypting existing databases
• Encrypting backups for databases
• First experiences and results including size and performance comparisons
• Potential traps and lessons learned
Agenda
• Introduction
• Steps to encrypt databases
• Encrypt Backups
• First Experiences
Highlights
• Transparent for Applications
• No changes necessary
• For Backups and Online Databases
• At database level
• Characteristics
• Based on Public Key Cryptography Standard #12 (PKCS#12)
• NIST compliant use of cryptography (e.g. NIST SP 800-131)
• FIPS 140-2 verified encryption libraries
• Default encryption algorithm is AES 256
• Others possible (3DES or AES-128)
• Available wherever DB2 is available
What gets encrypted?
• All tablespaces
• All kinds of data (LOB, XML, etc.)
• Load copy and load files
• Transaction logs
• .bin dumpfiles
• Keys are kept encrypted in memory if not used
• NOT encrypted:
• Data being read by an application
• Exports
Product Information
• Native Encryption
• Introduced in DB2 10.5 FP5
• Announced 20 January 2015
• http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/6/872/ENUSAP15-0026/index.html&lang=en&request_locale=en
• http://goo.gl/YQs9bF
• DB2 Encryption Offering before DB2 11.1
• Part of Advanced Editions and Express-C
• Optional component for ESE, WSE and Express
• In DB2 11.1 it is included!
Encryption Basics
• Symmetric Encryption
• Encryption and decryption with the same key
• Example: AES, 3DES
• Native Encryption ONLY uses symmetric algorithms, because of their better performance and because they do not change the size of the data
• Asymmetric Encryption
• Public Key: encryption key
• Private Key: decryption key
• Example: RSA
2-Tier Encryption Model
• Tier 1:
• DEK: Data Encryption Key
• This key is used to encrypt the data
• Is stored in the database and in the backup
• Tier 2:
• The DEK gets encrypted itself with a Master Key (MK)
• This is called Envelope Encryption
• The MK is stored outside the database - in the PKCS12 keystore
• Only the DB2 instance owner should have read/write access to the keystore
• Reason: if a key needs to be changed only the DEK needs to be re-encrypted – but not all the data
Architecture
(Figure: Level 1 – the DEK (Data Encryption Key) encrypts the data in the database; Level 2 – the MK (Master Key) stored in the PKCS12 keystore encrypts the DEK; the stash file holds the keystore password in "obfuscated" form.)
Global Security Kit
• GSKit: IBM Global Security Kit
• Gets installed with DB2 (sqllib/gskit)
• Libraries are used
• Command Line: gsk8capicmd_64
• Keystore
• Encrypted file which stores the encryption Master Keys
• Can also store certificates for SSL connections
• USER is responsible for Backup and securing this file
• Location suggestion: instance owner home directory
• For PureScale it needs to be a shared location
• Not part of the DB2 backup – separation is important
USER is responsible for file backups!!!
Create a Keystore
./sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db keystore.p12 -pw IDSsystem_Michael -strong -type pkcs12 -stash
• Path: add "_64" to the command name if needed
• -keydb -create: create the keystore
• -pw / -strong: password rules are mixed case letters and special characters, min. 14 characters; otherwise: CTGSK3048W The password is weak.
• -stash: store the password (encrypted) in the stash file
Resulting files:
drwxr-xr-x 2 db2inst2 dasadm1 4096 21. Feb 14:54 bin
-rw-r--r-- 1 db2inst2 dasadm1 0 21. Feb 16:24 db2
-rw------- 1 db2inst2 dasadm1 0 21. Feb 16:35 keystore.p12
-rw------- 1 db2inst2 dasadm1 129 21. Feb 16:35 keystore.sth
drwxrwsr-t 22 db2inst2 dasadm1 4096 21. Feb 15:04 sqllib
Delete the shell history afterwards (the password was passed on the command line)!!!
Adjust DB2 Configuration
• Instance Configuration
• Can be changed online
• Possibly SQL1362W One or more of the parameters submitted for immediate modification were not changed dynamically.
• But a db2 terminate is enough
• KEYSTORE_TYPE:
• Before DB2 11.1: PKCS12
• DB2 11.1: Key Management Interoperability Protocol (KMIP) version 1.1
db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst2/keystore.p12
GSK Objects
• Master Key Label
• Identification for keys
• Use useful naming conventions
• Instance name and DB name should be included
• Default if label is created by DB2:
DB2_SYSGEN_<instance>_<database>_<timestamp>
• Is recorded in the log
• Master Key
• Is generated by DB2 (default)
• Can be provided – binary file
• DO NOT DELETE – once it got used!
• Can be needed for restores of older backups
Master Key
• Manually created Master Keys and Labels are needed for
• Encrypted backups of an unencrypted database
• If HADR is used – identical keys are needed for Primary and Secondary
• For backups – if additional keys are used to transfer it to a test
environment without disclosing the production keys
• Automatically created by DB2:
• at CREATE DATABASE
• Restoring into a new database
• Rotating keys (more later)
Create Master Key
• Can be created automatically at database creation time
• if MASTER KEY LABEL option is not used
• Needs to be created manually & needs to be specified for
creating encrypted backups of unencrypted databases
• In the Backup command
• or in the DB CFG
./sqllib/gskit/bin/gsk8capicmd_64 -secretkey -add -db keystore.p12 -stashed -label mylabel -file mysecretfile
• -secretkey -add: add a key
• -stashed: needs to match the keystore creation (-stash)
• -label: a naming concept with instance and DB name is useful
• -file: the secret file, see next page
Create Secret File
• File
• Needs to be binary
• With the size of the encryption key
• Should be as random as possible
• Remove it after use
dd if=/dev/urandom of=mysecretfile bs=32 count=1
chmod 600 mysecretfile
• if=/dev/urandom: random generator; of=mysecretfile: output file; bs=32: 32 Byte = 256 Bit
Stashfile
• stores keystore password in an “obfuscated“ way
• Can automatically provide the password
• Stashfile (<keystore>.sth) must be accessible only for the
instance owner
• Encrypted databases are only accessible with the keystore
password
• Without stashfile
• password for the keystore needs to be specified when starting the
instance
db2start open keystore using <keystore-password>
db2start open keystore passarg filename:<file>
• The password file needs the same security as the keystore itself!
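As an added example (not from the original slides), a POSIX shell helper that creates the master key secret file exactly as the dd/chmod pair on the "Create Secret File" page does, and a check that the keystore, the stash file and the secret file are readable by the instance owner alone, as the "Stashfile" page requires. File names and the key lengths accepted are taken from the slides; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example: create a binary master key secret file and audit the
# permissions of the sensitive files (keystore, stash file, secret file).
# Assumed file names; the slides use keystore.p12 / keystore.sth / mysecretfile.

# make_secret_file FILE BITS
# Writes BITS/8 random bytes from /dev/urandom to FILE with mode 600
# (the slide's "dd ... bs=32 count=1; chmod 600") and verifies the result.
make_secret_file() {
    file=$1
    bits=$2
    case "$bits" in
        128|168|192|256) ;;                      # key lengths listed on the slides
        *) echo "unsupported key length: $bits" >&2; return 1 ;;
    esac
    bytes=$((bits / 8))
    # umask 077 so the file is never group/world readable, not even briefly
    (umask 077 && dd if=/dev/urandom of="$file" bs="$bytes" count=1 2>/dev/null) || return 1
    chmod 600 "$file" || return 1
    # verify the file really holds the requested number of bytes
    [ "$(($(wc -c < "$file")))" -eq "$bytes" ] || return 1
    check_private_file "$file"
}

# check_private_file FILE
# Succeeds only if FILE is a regular file, owned by the caller and mode 600
# (rw-------), i.e. accessible for the instance owner only.
check_private_file() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    [ -O "$file" ] || { echo "$file: not owned by $(id -un)" >&2; return 1; }
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$file: mode is $mode, want -rw-------" >&2; return 1; }
    return 0
}

# audit_keystore_files FILE...
# Runs the permission check over every file given (keystore, stash file, ...).
audit_keystore_files() {
    rc=0
    for f in "$@"; do
        check_private_file "$f" || rc=1
    done
    return $rc
}

# Example run (assumed paths in the instance owner's home directory):
#   make_secret_file ~/mysecretfile 256
#   audit_keystore_files ~/keystore.p12 ~/keystore.sth
```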
Create Database – Standard
• in DB CFG
• Master Key is automatically added to keydb
db2 create db dbenc encrypt
db2inst2@sles11sp2:~> ll
…
-rw------- 1 db2inst2 dasadm1 3454 21. Feb 17:48 keystore.p12
-rw------- 1 db2inst2 dasadm1 129 21. Feb 16:48 keystore.sth
DB CFG afterwards:
Encryption Library for Backup (ENCRLIB) = libdb2encr.so
Encryption Options for Backup (ENCROPTS) = CIPHER=AES:MODE=CBC:KEY LENGTH=256
Encrypted database = YES
Create Database – Individually
• Encryption technique can be chosen individually
• Label identifies master key in keystore
db2 create db dbenc encrypt cipher aes key length 128 master key label mklabel
• cipher: AES or 3DES
• key length: 128, 168, 192, 256
• master key label: if not specified it gets created automatically; if specified it has to exist in advance
Encryption of Existing Databases
• Cannot be done in place
• Can be achieved by restoring a database into a new one
db2 restore db sample from /diskb/backup taken at 20150221181051 into senc encrypt
DB20000I The RESTORE DATABASE command completed successfully.
…
Encryption Library for Backup (ENCRLIB) = libdb2encr.so
Encryption Options for Backup (ENCROPTS) = CIPHER=AES:MODE=CBC:KEY LENGTH=256
Encrypted database = YES
Backup Encryption – Standard
• Depends on DB CFG encrlib and encropts
• If set every backup gets encrypted
• Is set automatically for encrypted databases
• Library:
• Unix: libdb2encr.so
• AIX: libdb2encr.a
• Win: db2encr.dll
• Library for Compression and Encryption
• Unix: libdb2compr_encr.so
• AIX: libdb2compr_encr.a
• Win: db2compr_encr.dll
• Defaults:
• Unencrypted database => Backup unencrypted
• Encrypted database => Backup encrypted
This setting is INDEPENDENT of the encryption of the database
Backup Encryption
• Encryption of backups for unencrypted databases
• Prerequisite: Master key with master key label has to exist in the keystore
• Option 1: ENCRLIB and ENCROPTS set in DB CFG
• durable default
• Option 2: Options ENCRLIB and ENCROPTS in BACKUP command
• Encryption of a single backup
Option 1: DB CFG – ENCRLIB
• ENCRLIB
• Only SECADM can configure it
• IMPORTANT: Therefore a database connection is necessary to change them
• otherwise SQL6112 RC 14
• Path to the encryption library
• Encryption: libdb2encr.so (Unix), libdb2encr.a (AIX), db2encr.dll (Win)
• Encryption & Compression: libdb2compr_encr.so (Unix),
libdb2compr_encr.a (AIX), db2compr_encr.dll (Win)
• If set, backups are encrypted
db2 "update db cfg for test using encrlib /home/db2inst2/sqllib/lib64/libdb2encr.so"
The path is expanded:
…
Encryption Library for Backup (ENCRLIB) = /opt/ibm/db2/V10.5/lib64/libdb2encr.so.1
Option 1: DB CFG – ENCROPTS
• ENCROPTS
• Only SECADM can change it
• IMPORTANT: Therefore a database connection is necessary to change
them - otherwise SQL6112 RC 14
• Structure: all parts are optional and are separated with ":"
Cipher=cipher-name:Mode=mode-name:Key Length=key-length:Master Key Label=label-name-1...:Master Key Label=label-name-n
• If set they will be used
• They cannot get overwritten by any options of the backup command
db2 "update db cfg for test using encropts 'Cipher=AES:Key Length=256:Master Key Label=MKL_TestDB'"
Encryption Options for Backup (ENCROPTS) = Cipher=AES:Key Length=256:Master Key Label=MKL_TestDB
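An added example, not code from the slides: a POSIX shell validator for the ENCROPTS structure shown above, useful before the value is stored in the DB CFG (where SECADM is needed and the error messages are unspecific). It accepts the ciphers and key lengths the slides list, any number of Master Key Label parts, passes Mode through unchanged, and rejects everything else; the cipher/key length pairing (168 for 3DES, 128/192/256 for AES) is an assumption of this example.

```shell
#!/bin/sh
# Added example: validate an ENCROPTS string such as
#   'Cipher=AES:Key Length=256:Master Key Label=MKL_TestDB'
# Parts are separated by ':' and every part is optional.

# validate_encropts OPTS
# Returns 0 if every part is well-formed and consistent, 1 otherwise,
# writing the reason to stderr.
validate_encropts() {
    opts=$1
    cipher=""; keylen=""; labels=0
    old_ifs=$IFS
    IFS=:
    set -f                # no globbing while splitting
    set -- $opts          # split on ':' only; spaces inside parts survive
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        key=${part%%=*}
        value=${part#*=}
        # a part without '=' or with an empty value is malformed
        if [ "$key" = "$part" ] || [ -z "$value" ]; then
            echo "malformed part: '$part'" >&2; return 1
        fi
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$lkey" in
            cipher)
                case "$value" in
                    AES|3DES) cipher=$value ;;
                    *) echo "unsupported cipher: $value" >&2; return 1 ;;
                esac ;;
            "key length")
                case "$value" in
                    128|168|192|256) keylen=$value ;;
                    *) echo "unsupported key length: $value" >&2; return 1 ;;
                esac ;;
            "master key label") labels=$((labels + 1)) ;;   # several allowed
            mode) ;;                                         # e.g. CBC, passed through
            *) echo "unknown option: $key" >&2; return 1 ;;
        esac
    done
    # key length must fit the cipher: 168 is 3DES only, the others are AES
    if [ -n "$cipher" ] && [ -n "$keylen" ]; then
        case "$cipher:$keylen" in
            AES:128|AES:192|AES:256|3DES:168) ;;
            *) echo "key length $keylen does not match cipher $cipher" >&2; return 1 ;;
        esac
    fi
    return 0
}

# Example: validate_encropts 'Cipher=AES:Key Length=256:Master Key Label=MKL_TestDB' && echo ok
```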
Option 1: Backup Command
…
Encryption Library for Backup (ENCRLIB) = /opt/ibm/db2/V10.5/lib64/libdb2encr.so.1
Encryption Options for Backup (ENCROPTS) = Cipher=AES:Key Length=256:Master Key Label=MKL_TestDB
Encrypted database = NO
db2 backup db test to /diskb/backup
• Only for backups - does not relate to the database itself!
Option 2: Backup Command
…
Encryption Library for Backup (ENCRLIB) =
Encryption Options for Backup (ENCROPTS) =
Encrypted database = NO
db2 "backup db sample to /diskb/backup encrypt encrlib '/home/db2inst2/sqllib/lib64/libdb2encr.so' encropts 'Master Key Label=MKL_SampleDB'"
• Will only work with no encryption settings in the DB CFG
• Mind the quotes
Check Backup – db2ckbkp
db2ckbkp -h /diskb/backup/DBENC.0.db2inst2.DBPART000.20150221181128.001
=====================
MEDIA HEADER REACHED:
=====================
Server Database Name -- DBENC
Server Database Alias -- DBENC
…
Backup Mode -- 0 (Offline)
Includes Logs -- 0 (No)
Compression -- 2 (Encrypted)
Backup Type -- 0 (Database-level)
…
Backup Buffer Size -- 4460544 (1089 4K pages)
Number of Sessions -- 1
Platform -- 0x1E (Linux-x86-64)
Encrypt Info Flags -- 0x1
Source DB was encrypted
The proper image file name would be:
DBENC.0.db2inst2.DBPART000.20150221181128.001
[1] Buffers processed: ############################
Image Verification Complete - successful.
• Compression -- 2 (Encrypted) or 4 (User Defined Library): compression and encryption are both backup libraries; will be changed in FP 6
• "Source DB was encrypted" references the database – not the backup
Changing Passwords
(Figure: the same two-level architecture diagram – Level 1: the DEK encrypts the data in the database; Level 2: the MK in the PKCS12 keystore encrypts the DEK; the stash file holds the keystore password.)
• The DEK cannot be changed
• The MK can be "rotated"
• The password to the keystore can be changed with gsk8capicmd
Rotate Master Key
• ADMIN_ROTATE_MASTER_KEY procedure
• LABEL can be specified
• Otherwise the default is used
• Master Key Label has to exist in keystore
• DPF: all partitions have to be active
db2 connect to dbenc
db2 "call admin_rotate_master_key('MKL_dbencDB')"
Value of output parameters
--------------------------
Parameter Name : LABEL
Parameter Value : MKL_dbencDB
Return Status = 0
• It is the Master Key that is rotated – NOT the password of the keystore
Change Keystore Password
• gsk8capicmd_64 with “-changepw“ option
• -db <keystore> is needed
• -stash is needed if keystore has been created
with this option
• Will prompt for the current password
• alternatively “-pw“ could be used
./sqllib/gskit/bin/gsk8capicmd_64 -keydb -changepw -db keystore.p12 -new_pw IDS_Michael -stash
Important: Backup keystore & stash file and document the change!
Encryption Info
• ADMIN_GET_ENCRYPTION_INFO table function
• Returns information about encryption
• Encryption algorithm
• Keystore information
• Rotation time
• etc.
• db2pd with -encryptioninfo option
db2 select * from table(admin_get_encryption_info())
db2pd -d db2encr -encryptioninfo
Restore
• Restore of an encrypted database
• The ENCRYPT option needs to be specified with the RESTORE command
• Other encryption algorithm can be specified
• Error message is returned otherwise
• In case an encrypted database should be restored unencrypted the "NO ENCRYPT" option has to be specified
db2 restore db dbenc from /diskb/backup/ taken at … encrypt
Restore Option – Part 1/3
• Restore command was extended
• Option: SHOW MASTER KEY DETAILS
• Extracts encryption details to a file in the db2dump folder
• Only header information is read from the backup image
This option is NOT part of the RESTORE syntax (in the Knowledge Center) as it depends on the library used – it only works with the default DB2 native encryption library.
Restore Option – Part 2/3
ATTENTION:
• The notification that the database gets overwritten
can be answered with yes – it will not be overwritten!
• If it is a non-existent database a skeleton database will be created
that need to be dropped afterwards
• If the backup image is NOT encrypted your database gets overwritten!
db2 "restore db dbenc from /diskb/backup/ taken at 20150222145226 encropts 'show master key details'"
SQL2539W The specified name of the backup image to restore is
the same as the name of the target database. Restoring to an
existing database that is the same as the backup image database
will cause the current database to be overwritten by the backup
version.
Do you want to continue ? (y/n) y
DB20000I The RESTORE DATABASE command completed successfully.
Restore Option – Part 3/3
db2inst2@sles11sp2:~/sqllib/db2dump> more DBENC.0.db2inst2.DBPART000.20150222145226.masterKeyDetails
KeyStore Type: PKCS12
KeyStore Location: /home/db2inst2/keystore.p12
KeyStore Host Name: sles11sp2.site
KeyStore IP Address: 127.0.0.2
KeyStore IP Address Type: IPV4
Encryption Algorithm: AES
Encryption Algorithm Mode: CBC
Encryption Key Length: 256
Master Key Label: DB2_SYSGEN_db2inst2_DBENC_2015-02-21-17.48.54
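An added example, not from the slides: a POSIX shell pre-restore check that reads the masterKeyDetails file shown above and confirms the keystore still holds the master key label the backup image needs (the "DO NOT DELETE a used master key" trap from the GSK Objects page). It assumes the label is on one line in the real file and that the operator has saved the keystore's labels one per line, e.g. from the gsk8capicmd_64 -cert -list output on the last page; the sample input is constructed to mirror the slide.

```shell
#!/bin/sh
# Added example: before restoring an encrypted backup, read the
# .masterKeyDetails file written by RESTORE ... encropts 'show master key details'
# and confirm the keystore still contains the master key label it names.

# details_field FILE NAME  -> prints the value of the line "NAME: value"
details_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# master_key_label_from_details FILE -> prints the Master Key Label
master_key_label_from_details() {
    details_field "$1" 'Master Key Label'
}

# keystore_has_label LABEL LABELFILE
# Succeeds if LABEL appears as a whole line in LABELFILE (one label per line,
# assumed to have been exported from the keystore listing beforehand).
keystore_has_label() {
    grep -Fxq -- "$1" "$2"
}

# restore_precheck DETAILSFILE LABELFILE
# Fails, and says why, if the label recorded in the backup image is not in
# the keystore: the restore would fail, and an older backup may need a key
# that was rotated away or deleted.
restore_precheck() {
    label=$(master_key_label_from_details "$1")
    [ -n "$label" ] || { echo "no master key label in $1" >&2; return 1; }
    if keystore_has_label "$label" "$2"; then
        echo "ok: $label present, image uses $(details_field "$1" 'Encryption Algorithm')-$(details_field "$1" 'Encryption Key Length')"
        return 0
    fi
    echo "missing: master key label $label not in keystore; restore would fail" >&2
    return 1
}

# write_sample DIR: constructed sample input mirroring the slide's output
# (not captured from a real system), plus a constructed label list.
write_sample() {
    cat > "$1/DBENC.masterKeyDetails" <<'EOF'
KeyStore Type: PKCS12
KeyStore Location: /home/db2inst2/keystore.p12
Encryption Algorithm: AES
Encryption Algorithm Mode: CBC
Encryption Key Length: 256
Master Key Label: DB2_SYSGEN_db2inst2_DBENC_2015-02-21-17.48.54
EOF
    printf '%s\n' MKL_SampleDB DB2_SYSGEN_db2inst2_DBENC_2015-02-21-17.48.54 > "$1/labels.txt"
}

# Example: d=$(mktemp -d); write_sample "$d"; restore_precheck "$d/DBENC.masterKeyDetails" "$d/labels.txt"
```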
HADR Support
• Primary and standby will be encrypted
• There is a possibility to encrypt only one but this could be problematic
• Secondary is created with a restore of the primary backup – with
encryption option
• MK needs to be created manually and needs to be imported in
both keystores
• Via export and import
(Figure: primary server and standby server connected via HADR over TCP/IP.)
PureScale Support
• Keystore must be accessible for all members
• shared location
• PureScale and DPF can communicate the password internally
Further Effects
• Database size is (nearly) unchanged
• Backup size is a little bigger (according to the lab)
• Backup buffers get encrypted and this could lead to a small increase in size – up to the block size of the algorithm (16 bytes for AES).
• => see tests
• BACKUP of an encrypted database
• The COMPRESS option will no longer work
• Attention: no feedback in the command
• No visible annotation in the db2diag.log
• In the command no other library can be specified if ENCRLIB is configured in DB CFG
• SQL2459 RC1
• If for example libdb2encr.so is configured, the backup cannot be compressed
Hardware Support
• Performance optimization through HW support
• Difference is about 5 %
• Only Intel is supported so far
• Following CPUs support AES encryption
• Intel
• Intel Westmere based processors, specifically:
• Intel Westmere-EP (Xeon 56xx) processors.
• Intel Clarkdale processors (except Core i3).
• Intel Arrandale processors (except Core i3, Core i5-4XXM).
• Intel Sandy Bridge processors:
• Desktop: all except Pentium, Celeron, Core i3
• Mobile: all Core i7 and Core i5.
• Intel Ivy Bridge processors - All i5, i7, Xeon and i3-2115C only.
• Intel Haswell processors. (all except i3-4000m, Pentium and Celeron)
Hardware Support
db2inst1@test-verschluesselung:~> cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 44
model name : Intel(R) Xeon(R) CPU L5630 @ 2.13GHz
stepping : 2
cpu MHz : 1600.000
cache size : 12288 KB
…
flags : fpu vme de pse tsc msr pae mce cx8 apic
…
nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl
vmx smx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 sse4_2
popcnt aes lahf_lm ida arat tpr_shadow vnmi flexpriority
ept vpid
Hardware Support – db2diag.log
2015-08-11-18.00.37.527985+120 I218912E683 LEVEL: Info
PID : 18079 TID : 140070820505344 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : DBE
APPHDL : 0-7 APPID: 192.168.30.27.63432.150811160037
HOSTNAME: test-verschluesselung
EDUID : 24 EDUNAME: db2agent (DBE) 0
FUNCTION: DB2 Common, Cryptography, cryptContextRealInit, probe:1271
DATA #1 : String, 37 bytes
CPU flags(string): 0x029ee3ffffebfbff
DATA #2 : String, 37 bytes
CPU flags(Uint64): 0x029EE3FFFFEBFBFF
DATA #3 : String, 32 bytes
Intel AES-NI capability detected
DATA #4 : String, 37 bytes
Intel RDrand capability not available
With diaglevel 4 the AES support is reported in the db2diag.log on activation of the database.
Test – Size & Backupsize
Case | Operation | Unencrypted DB | Encrypted DB | Difference
1 | GET_DBSIZE_INFO | 22665424896 Bytes (21,11 GB) | 22665424896 Bytes (21,11 GB) | 0%
1 | Backup uncompressed | 22721929216 Bytes (21,16 GB) | 22705147904 Bytes (21,15 GB) | 0,08%
1 | Backup compressed | 10253414400 Bytes (9,55 GB) | 10354102272 Bytes (9,64 GB) | 0,98%
2 | GET_DBSIZE_INFO | 89,3 GB | 89,3 GB | 0%
2 | Backup uncompressed | 89,21 GB | 89,12 GB | 0,1 %
• Database with benchmark tables and data
• Scenario 1: Regular and BLU tables
• Scenario 2: Regular tables
Test – Performance
Case | Operation | Unencrypted DB | Encrypted DB | Difference
1 | CREATEs | 00:00:12 | 00:00:12 | 0%
1 | Load | 06:55:30 | 07:08:09 | +3,1%
1 | Runstats | 00:28:30 | 00:29:50 | +4,5%
1 | Selects | 02:34 | 02:50 | +10,4%
• TPC-H Benchmark 100GB
Test – Performance
• TPC-H Benchmark 100GB
(Chart: SQL Runtime, DB unencrypted vs. DB encrypted, without AES support vs. with AES support; y-axis from 00:00:00 to 03:50:24.)
Test – Performance
(Chart: System Summary test-verschluesselung 03.10.2015 – CPU% (usr%+sys%) and IO/sec (disk xfers) over the test run.)
Debugging
• Error messages are often quite unspecific
• SQL6112N The configuration parameter was not updated because the resulting configuration parameter settings would not be valid. Reason code "14"
• => the connection to the DB is missing, e.g. when changing ENCRLIB
• Look into db2diag.log for error messages
• e.g. when something is wrong with the libraries
• Error messages are more specific here
• In case of a support case IBM ensured that the master key never needs to be sent
• If needed, encrypted debug files will be decrypted with a separate local tool and sent unencrypted
Further Information
• Knowledge Center
• http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0061766.html?lang=en
• GS User Guide
• http://www-01.ibm.com/support/docview.wss?uid=swg27038855
• Walid Rjaibi about Native Encryption
• http://www.ibmbluhub.com/wr_db2-native-encryption-video/
• IDUG Tech Talk by Greg Stager
• http://www.idug.org/p/cm/ld/fid=582
Further Information
• Encrypting Data Values in DB2 Universal Database
• http://www.ibm.com/developerworks/data/library/techarticle/benfield/0108benfield.html
• I encrypted my database! How do I manage my master keys now?
• http://www.ibm.com/developerworks/data/library/techarticle/dm-1504-master-encrypted-keys/index.html
• DB2 Nightshow #157: DB2 LUW 10.5 FP5 New Encryption with George Baklarz
• http://www.dbisoftware.com/blog/db2nightshow.php?id=608
• Presentation also available as PDF with lots of annotations and extra slides.
Michael Tiefenbacher, ids-System GmbH
m.tiefenbacher@ids-system.de
Twitter: globomike
Further Command Examples
• List master keys:
gsk8capicmd_64 -cert -list -db keystore.p12 -stashed
• Export and import master keys:
gsk8capicmd_64 -cert -export -db keystore.p12 -stashed -label MKL_db -target ~/db2/exportedkey.p12 -target_type pkcs12 -target_pw Str0ngPassw0rd
gsk8capicmd_64 -cert -import -db keystore.p12 -stashed -pw Str0ngPassw0rd -label MKL_db -target ~/db2/db2keys.p12 -target_type pkcs12