Using DB2’s New Native Encryption Feature


18 Responses

  1. krishna says:

    Thanks for the detailed post. I want to know the reason behind dropping and restoring the database.

    • Ember Crooks says:

      It is required for enabling native encryption on an existing database. I don’t know IBM’s reasoning behind this methodology. They decided to do it that way instead of providing a utility to encrypt the database.

  2. Srini says:

    Do we still have to use the encrypt scalar function to mask data? The data is visible unless you do that (though the database is encrypted).

    • Ember Crooks says:

      Right – this is encryption of data at rest. You do not have to use the encrypt scalar function. Any privileged database user will be able to see the unencrypted data (db2 decrypts it for them), but if someone tries to just scrape the files from disk, they will not be able to read them with Native Encryption.

  3. Srini says:

    Thanks Ember

  4. Masheed says:

    Thank you for the post. Please let me know: if I only want to take a backup of an existing database, do I have to drop and restore the database with the encrypt option, or can we take a backup without dropping the existing database?

    • Ember Crooks says:

      You have to drop the database in order to enable database level encryption.

      • Masheed says:

        Ember, we want to take encrypted database backup only. We do not want to encrypt the database.

        For taking an encrypted database backup, will the database have to be dropped, or can we take an encrypted backup without dropping and restoring the database?

        • Ember Crooks says:

          I have not tested an encrypted backup on a non-encrypted database. I know it is possible, and you should not have to drop the database to do it.

          • Masheed says:

            When I try to update the parameter ENCROPTS for an existing non-encrypted database, it gives me an error:

            $ db2 update database cfg for testdb using ENCROPTS ‘CIPHER=AES:MODE=CBC:KEY LENGTH=256’

            SQL0104N An unexpected token “LENGTH=256” was found following “”. Expected tokens may include: “ALT_COLLATE”. SQLSTATE=42601

          • Ember Crooks says:

            Do you have the right kind of single quote at the beginning and end of your value? It looks like one of Word’s modified quotes at the beginning.

          • Masheed says:

            Yes, I have re-executed the command, but still have the same error.

            $ db2 update database cfg for testdb using ENCROPTS ‘CIPHER=AES:MODE=CBC:KEY LENGTH=256’

            SQL0104N An unexpected token “LENGTH=256? was found following “”. Expected tokens may include: “ALT_COLLATE”. SQLSTATE=42601

          • Ember Crooks says:

            I agree with you that it does not work, and don’t know the proper syntax to make it work. I’m not finding it myself. Are these really things you need to specify there if you have specified the keystore location? In examples I can find, I only see those specified on the backup/restore database command, not in the db cfg.

          • Masheed says:

            I have added the ENCROPTS option in the backup command as well.

            db2 BACKUP DATABASE testdb TO /db2data_1/BACKUP ENCRYPT ENCRLIB ‘libdb2encr.so’ ENCROPTS ‘Cipher=AES:Key Length=256’

            SQL0104N An unexpected token “Length=256” was found following “”.
            Expected tokens may include: “INCLUDE”. SQLSTATE=42601

          • Ember Crooks says:

            What fixpack of 10.5 are you on?

  5. Masheed says:

    Fix pack 5
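The SQL0104N errors in the exchange above come from the shell rather than from DB2’s option syntax: the typographic quotes (‘ ’) that a word processor substitutes for straight quotes are ordinary characters to a POSIX shell, so the value is split at the space in KEY LENGTH and the db2 CLP receives LENGTH=256 as a separate token, which is exactly the unexpected token the message names. The Python script below is an added example, not code from the original post or from IBM; it reproduces the shell’s word splitting with shlex, flags typographic quotes, and validates the ENCROPTS option names and values shown in the thread. The accepted AES key lengths 128, 192 and 256 are an assumption of the example, and the command lines inside it are constructed from the ones posted above.

```python
import shlex

# Typographic quotes that word processors substitute for straight ASCII quotes.
# To a POSIX shell they are ordinary characters, not quoting.
SMART_QUOTES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'}

# ENCROPTS option names and values seen in the thread; accepting AES key lengths
# 128/192/256 is an assumption of this example, not taken from the post.
VALID_OPTIONS = {
    "CIPHER": {"AES"},
    "MODE": {"CBC"},
    "KEY LENGTH": {"128", "192", "256"},
}


def find_smart_quotes(cmdline):
    """Return (index, char) for every typographic quote in the command line."""
    return [(i, ch) for i, ch in enumerate(cmdline) if ch in SMART_QUOTES]


def normalize_quotes(cmdline):
    """Replace typographic quotes with the straight ASCII quotes the shell understands."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in cmdline)


def encropts_words(cmdline):
    """Split the command line the way a POSIX shell would and return the words
    that follow the ENCROPTS keyword, i.e. what the db2 CLP actually receives."""
    words = shlex.split(cmdline)
    for i, word in enumerate(words):
        if word.upper() == "ENCROPTS":
            return words[i + 1:]
    return []


def parse_encropts(value):
    """Parse 'CIPHER=AES:MODE=CBC:KEY LENGTH=256' into a dict of upper-cased
    name -> value, rejecting names or values outside VALID_OPTIONS."""
    opts = {}
    for part in value.split(":"):
        if "=" not in part:
            raise ValueError(f"malformed option {part!r}")
        name, val = (s.strip().upper() for s in part.split("=", 1))
        if name not in VALID_OPTIONS:
            raise ValueError(f"unknown option {name!r}")
        if val not in VALID_OPTIONS[name]:
            raise ValueError(f"unsupported value {val!r} for {name}")
        opts[name] = val
    return opts


def check_command(cmdline):
    """Diagnose an ENCROPTS command line. Returns (ok, message, parsed_opts)."""
    words = encropts_words(cmdline)
    smart = find_smart_quotes(cmdline)
    if smart or len(words) != 1:
        reason = ("typographic quotes are not shell quoting" if smart
                  else "value is not quoted as a single word")
        return False, f"db2 received the ENCROPTS value as {len(words)} token(s) {words}: {reason}", None
    try:
        opts = parse_encropts(words[0])
    except ValueError as exc:
        return False, str(exc), None
    return True, "ENCROPTS value is one well-formed shell word", opts


if __name__ == "__main__":
    # Constructed from the commands posted in the thread: the first uses the
    # typographic quotes that produced SQL0104N, the second is a correctly quoted form.
    samples = [
        "db2 update database cfg for testdb using ENCROPTS "
        "\u2018CIPHER=AES:MODE=CBC:KEY LENGTH=256\u2019",
        "db2 BACKUP DATABASE testdb TO /db2data_1/BACKUP ENCRYPT "
        "ENCRLIB 'libdb2encr.so' ENCROPTS 'Cipher=AES:Key Length=256'",
    ]
    for cmd in samples:
        ok, msg, opts = check_command(cmd)
        print(("OK  " if ok else "FAIL"), msg, opts or "")
        if not ok and find_smart_quotes(cmd):
            print("     after normalize_quotes:", check_command(normalize_quotes(cmd))[1])
```

Running the script shows the first command reaching db2 as two tokens, the second ending with a space-containing word exactly as the shell-quoted form intends; pasting commands from a document into a terminal is a common way for this to happen, so a quick pass through normalize_quotes before execution avoids the confusing parser error.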

  6. srikanth says:

    Thanks for your post. It is very useful.

    I’ve planned to implement DB2 native security encryption in my environment, which is (PRIMARY+STANDBY+AUXILIARY STANDBY).

    But I’m worried about performance; can you just let me know how it would impact DB performance?

    Kindly share the implemented steps for an HADR environment in case you have already tested it.
