Options to Encrypt Data at Rest in DB2

5 Responses

  1. Brandon Mason says:

    Ember/Michael,

    Thank you for this post. This was a nice overview of the encryption options, and very helpful. I do have a question, if either of you care to address it:

    Are the ENCRYPT/DECRYPT functions you speak of the same functionality DB2 uses if I create the database with the “encrypt” option? I have a situation where we need to encrypt a card number in a new database. So, I’ve set up a keystore, etc. I’d like to just create the database with encryption and feel that satisfies the at rest enryption requirement. Any guidance is apprecieated.

    Thanks,
    Brandon

    • Ember Crooks says:

      The encrypt option on database creation is brand new with DB2 10.5 Fixpack 5, and was only announced last week. It is different from the options in this blog post in that it represents encryption that is transparent to all applications and that applies both to backups and to the database itself. I don’t have any experience with it yet, but the main questions I’d be asking are:

      1. Is all data encrypted? Including transaction logs, temporary tables that spill to disk, etc.?
      2. What does changing the encryption key look like? From what I hear, there is a Data Encryption Key (DEK) that is basically never changed that is encrypted with a Master Key (MK). The MK is easy to change online, but I believe changing the DEK would require a backup and restore or other offline operation.
      3. What is the impact on performance? When is data decrypted? Are more CPU resources required?
  2. Brandon Mason says:

    And yes, I know how to spell “guidance”. Oops.

  3. Brandon Mason says:

    Oh, man. Now I’m seeing typos all over the place (“appreciated”, “encryption”). Let’s just call that a symptom of my brain not being able to take any more, after much reading up on encryption. Thanks again!

  4. Very good mentioning of how DB2 encrypts. I was trying to compare the features and benefits of database encryption vs a third party encryption solution, and this article addresses all of my concerns very well.

    Thank you!
