Transcript Encryption

IBM Software
IBM DB2 Native Encryption
for Linux Unix and Windows
June 9, 2015
Burt Vialpando
George Baklarz
© 2015 IBM Corporation
Data Encryption in the Industry
Encryption is more than just good business
Often times it is the law
Korea: 3 Acts for Financial Data Privacy
Russia: Computerization & Protection of Information / Participation in Int'l Info Exchange
Japan: Guidelines for the Protection of Computer Processed Personal Data
New Zealand: Privacy Act
United Kingdom: Data Protection Act
EU: Protection Directive
Switzerland: Federal Law on Data Protection
Israel: Protection of Privacy Law
South Africa: Promotion of Access to Information Act
Philippines: Secrecy of Bank Deposit Act
Canada: Personal Information Protection & Electronics Document Act
China: Commercial Banking Law
Pakistan: Banking Companies Ordinance
India: SEC Board of India Act
Indonesia: Bank Secrecy Regulation 8
Singapore: Monetary Authority of Singapore Act
Vietnam: Banking Law
Hong Kong: Privacy Ordinance
Australia: Federal Privacy Amendment Bill
Poland: Polish Constitution
Germany: Federal Data Protection Act & State Laws
Taiwan: Computer-Processed Personal Data Protection Law
USA: Federal, Financial & Healthcare Industry Regulations & State Laws
Mexico: E-Commerce Law
Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
Argentina: Habeas Data Act
Chile: Protection of Personal Data Act
Colombia: Political Constitution – Article 15
Why Use Data Encryption?
General requirements
1. Meet compliance requirements
  - Industry standards such as PCI DSS
  - Regulations such as HIPAA
  - Corporate standards
2. Protect against threats to online data
  - Users accessing database data outside the scope of the DBMS
3. Protect against threats to offline data
  - Theft or loss of physical media
DB2 native encryption offers many advantages:
• Reduces cost of security and compliance
• Eliminates the need for third-party add-on tools
• Is easily consumed by DB2 bundlers such as ISVs
• Runs wherever DB2 LUW runs
The Data Encryption Key
(Symmetric example shown)
● The sequence that controls the operation of the cryptographic algorithm
● The number of bits in a key is called the key length
● The key length reflects how difficult it is to decrypt data encrypted with that key
● A 256-bit key has 2^256 distinct values in its key space
[Diagram: Plaintext → Encryption (Key) → Ciphertext → Encryption (Key) → Plaintext]
Symmetric Encryption Algorithm
Definition
● A cryptographic algorithm that uses the same key for both encryption and
decryption
● AES and 3DES are the most famous symmetric encryption algorithms
[Diagram: Original Message → Encryption (Secret Key) → Encrypted Message → Decryption (Secret Key) → Original Message]
Asymmetric Encryption Algorithms
● A cryptographic algorithm that uses one key for encryption and another key for decryption
  - The encryption key is called a public key
  - The decryption key is called a private key
  - The public key and private key are different but mathematically related
● It is not feasible to derive the private key from the public key in any reasonable time
● RSA, ECC, and Diffie-Hellman are the most famous examples
[Diagram: Plaintext → Encryption (Public Key) → Ciphertext → Encryption (Private Key) → Plaintext]
Approximate Equivalence in Security Strength
AES vs. RSA and ECC
Symmetric Key Length (AES) | Asymmetric Key Length (RSA) | Asymmetric Key Length (ECC)
- | 1024 | 160
- | 2048 | 224
128 | 3072 | 256
192 | 7680 | 384
256 | 15360 | 512

DB2 uses AES encryption, which requires fewer bits for similar encryption strength and performs better as well.
Encryption Key Management
Concepts
● Refers to the secure management of keys during their lifecycle
  - Creation, distribution, expiration, deletion, backup, restore, etc.
  - Protection of encryption keys including access control and encryption
● Two main approaches
  - Public Key Cryptography Standard (PKCS) #12: A password-protected keystore with a format for storing encryption keys
      e.g., IBM Global Security Kit (GSKit) PKCS#12 keystore
  - Enterprise key management systems: A dedicated server for centrally managing encryption keys across the enterprise
      e.g., IBM Security Key Lifecycle Manager (ISKLM)
● The keystore or enterprise key manager is where master keys are typically stored
DB2 10.5 supports a local keystore using the IBM Global Security Kit (GSKit), a common component that is used by a number of IBM products for its cryptographic and SSL/TLS capabilities
Encryption Key Wrapping
Concepts
● The process of encrypting one key with another key
● The key encrypting key is typically referred to as a master key
● The master key is typically stored separately from the data system
● The top drivers for this 2-tier encryption approach are:
1. Security:
  - The master key is stored outside the data system
  - Compromise of the data system does not mean compromise of the data
2. Performance:
  - Complying with key rotation requirements does not mean re-encrypting the actual data
  - Only the data encryption key is re-encrypted with a new master key
DB2 implements the industry standard 2-tier model
• The data is encrypted with the Data Encryption Key (DEK)
• The DEK is encrypted with a Master Key (MK)
Encryption Terms Recap
Encryption Term | Definition
Cryptographic encryption algorithm | A mathematical function that is used in the encryption and decryption processes. Advanced Data Encryption Standard algorithm (AES) and Triple Data Encryption Standard algorithm (3DES) are examples.
Public Key Cryptographic Standard (PKCS) | A set of cryptographic standards devised by the RSA Laboratories.
PKCS#12 | Public Key Cryptography Standard #12 - the standard used by DB2 native encryption.
Data Encryption Key (DEK) | Key with which end user data is encrypted, which includes table space, transaction log and backup image data.
Keystore | Also called a key database. A repository for storing cryptographic objects such as encryption keys.
Master Key (MK) | Encrypting key used to protect the data encryption key.
Master Key Label | The master key's reference name.
Cleartext | Also called plaintext. The data in a natural format which could be readable to a hacker.
Ciphertext | The data changed to be unreadable for anyone except those who have the keys.
IBM DB2 Native Encryption
Overview and Enabling
IBM DB2 Native Encryption
Key Points
● DB2 Native Encryption is part of the DB2 database server core capabilities
  - As of version 10.5 - Fix Pack 5
  - Runs on all 64-bit platforms: AIX, HP-UX, Linux, pLinux, zLinux, Solaris, Windows
  - Exploits available HW acceleration, e.g. Intel AES-NI
● Provides a cost-effective encryption compliance method
  - As an advanced edition feature or available separately
  - Requires no hardware or software changes
  - Provides a secure key management solution
● Protects against physical theft of disk devices as well as backup images
  - Using Public Key Cryptography Standard #12 (PKCS#12)
● Requires no schema or application changes
  - Is transparent to the end users and applications (requires no changes)
● Compliant, e.g.
  - NIST SP 800-131 compliant cryptographic algorithms
  - Uses FIPS 140-2 certified encryption
IBM DB2 Native Encryption Scope
How it works
● The engine encrypts the data before it calls the file system to write to disk
  - Current and future data is protected
  - A decryption occurs during reads from the file system
● Data is protected in:
  - Table space containers (all types and all data, including LOB, XML, etc.)
  - Transaction logs
  - LOAD copy and LOAD staging tables
  - Dump files
  - Backup images
● The data encryption is done using a data encryption key
  - This DB key is stored and managed in the database itself
● A master encryption key protects the data encryption key
  - This master key is stored outside the database in a keystore
IBM DB2 Native Encryption
Architectural overview
[Architecture diagram. Components shown: Global Security Kit (gsk8capicmd); keystore (master keys) with stash file (password); DB2 instance (DBM CFG parms); DB2 database (DB CFG parms); encryption and decryption process covering table space containers, transaction logs, LOAD copy, dump files, compression libraries and backup images.]
Master Key and Data Key Relationships
A Keystore is created locally and has a strong password associated with it:
  The keystore must be available to the DB2 instance in order to get the Master Keys required for encryption and decryption.
  [Diagram: password (PassW0rd) protecting the keystore]
Master Keys with Labels are created in order to encrypt database keys:
  DB2 can generate Master Keys and Labels automatically for the user. Creating your own labels will require that you generate an encryption key.
  [Diagram: key label SECRET.DB2INST1.2015.02.01 and its key, held in the keystore]
Database Keys are generated internally by DB2 and are used to encrypt the database:
  The DB2 encryption key is itself encrypted within the database image by using the Master Key found within the keystore.
  [Diagram: key label SECRET.DB2INST1.2015.02.01, its key, and the DB2 key]
2-Tier Encryption Model
Using Master Key and Data Key
[Diagram: A password-protected keystore is opened with its password (PassW0rd), supplied either from the stash file (obfuscated password) or by user manual input. The keystore holds master key and label pairs (SECRET.DB2INST1.2015.02.01, SECRET.DB2INST1.2015.03.01, SECRET.DB2INST1.2015.04.01, …). A master key encrypts the DB2 key; the DB2 key encrypts the database; the encrypted DB2 key is included in the encrypted database.]
Enabling Native Encryption on a New Database
Four steps (DB2 Native Encryption setup steps and commands)
1. Set the paths for the Global Security Kit (GSKit)
     export LD_LIBRARY_PATH=...
     export PATH=...
2. Create a Keystore (using the GSKit command utility)
     gsk8capicmd_64 -keydb -create -db [keystore]...
3. Configure DB2 instance with the Keystore information
     update dbm cfg using keystore_type [keytype] keystore_location [keypath]...
4. Create the DB2 database using encryption
     create db [dbname] encrypt...
Enabling Native Encryption on an Existing Database
Six steps (DB2 Native Encryption setup steps and commands)
1. Set the paths for the Global Security Kit (GSKit)
     export LD_LIBRARY_PATH=...
     export PATH=...
2. Create a Keystore (using the GSKit command utility)
     gsk8capicmd_64 -keydb -create -db [keystore]...
3. Configure DB2 instance with the Keystore information
     update dbm cfg using keystore_type [keytype] keystore_location [keypath]...
4. Back up the database
     backup db [dbname]...
5. Drop existing database
     drop db [dbname]
6. Restore* the database with encryption
     restore db [dbname] encrypt ...
* You can use online or offline backups, and use RESTORE, RESTORE with ROLLFORWARD or RECOVER
Encryption Options
● The ENCRYPT keyword has three options
  - CIPHER (the type of encryption)
      AES or 3DES
      AES is the default if CIPHER is not specified
      AES is implemented in some hardware, so it is potentially more efficient to use
  - KEY LENGTH
      For AES encryption this can be 128, 192, or 256 bits
      Default length is 256 for AES, and it can only be 168 for 3DES
  - MASTER KEY LABEL
      The name of the master key found within the keystore that will encrypt the database encryption key
● A master key label is optional
  - DB2 will generate a master key if one is not supplied on the CREATE DATABASE command
  - The name of the generated master key is:
      DB2_SYSGEN_<instance>_<database>_<timestamp>
Creating a Keystore
gsk8capicmd
With the GSKit utility: gsk8capicmd*

Create a GSKit Key Database

gsk8capicmd_64 -keydb -create -db ~/db2/ccardskeystore.p12 \
    -pw Str0ngPassw0rd -type pkcs12 -stash -strong

-keydb  = object is a key database
-create = action is create
-db     = keystore database name to be created
-pw     = password to be stored
-type   = use pkcs12 encryption
-stash  = stash password after creation in a stash file
-strong = check to make sure a strong password is used

* Native DB2 encryption is only supported on 64-bit platforms, so the command shown has the extension _64
Stash File Considerations
● When the -stash option is specified during the create action, the keystore password is stashed into a file with the following name:
    <key_store_name>.sth
● A stash file is used as an automatic way of providing a password
  - When accessing a keystore, DB2 will first check for the existence of a stash file
  - If a stash file exists, the contents of the file will be decrypted and used as input for the password
● The stash file can only be read by the file owner
  - Not stashing the password enhances security if the instance owner account becomes compromised
  - This additional security must be weighed against any requirements that the DB2 instance can start without human intervention
  - If the password is not stashed, you cannot access an encrypted database until you provide the keystore password.
  - You can manually open a keystore by using this command (even if the instance is already started):
      db2start open keystore
IBM DB2 Native Encryption
Maintenance Considerations
IBM DB2 Native Encryption
Using table function: sysproc.admin_get_encryption_info
● This built-in function returns the encryption information from the database
SELECT MASTER_KEY_LABEL FROM
TABLE (SYSPROC.ADMIN_GET_ENCRYPTION_INFO())
● Encryption information returned from this function:
OBJECT_NAME
KEYSTORE_HOST
OBJECT_TYPE
KEYSTORE_IP
ALGORITHM
KEYSTORE_IP_TYPE
ALGORITHM_MODE
PREVIOUS_MASTER_KEY_LABEL
KEY_LENGTH
AUTH_ID
MASTER_KEY_LABEL
APPL_ID
KEYSTORE_NAME
ROTATION_TIME
KEYSTORE_TYPE
Adding a Master Key Manually
To the existing Keystore
gsk8capicmd

Create a Master Key

gsk8capicmd_64 -secretkey -add -db ~/db2/ccardskeystore.p12 \
    -label secret.key.db1 -stashed \
    -file ~/db2/mysecretkeyfile

-secretkey = indicates a new master key will be created
-add       = to add the key (vs. deleting it)
-db        = keystore database name (absolute path)
-label     = name of the master key label
-stashed   = use the stashed password to access the keystore
-file      = location of the AES key that will be used

● Note: you can list the contents of your keystore with:
gsk8capicmd_64 -cert -list -db ~/db2/ccardskeystore.p12 -stashed
Generating an AES Key
For a Master Key Label
● A secret key needs to be generated by the user before adding a master key to the keystore
  - The secret key is used to encrypt the database key
  - The strength of the secret key has no relationship to the actual encryption that takes place within the database
  - Recommendation is to use the highest level of AES encryption (256) for the database key (same as DB2)
  - Overhead is insignificant since the database key is not frequently decrypted
● Generating a random key
  - A key needs to be 16, 24, or 32 bytes wide
      Corresponds to 128, 192, or 256-bit AES keys
  - On Linux, UNIX, and AIX use the following command to generate a 32-byte random string (which represents a 256-bit AES key)
      Linux: head -c 32 /dev/urandom > ~/db2/mysecretfile
      UNIX:  head -c 32 /dev/random > ~/db2/mysecretfile
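A hardened version of the key-generation command above, together with a check of the owner-only rule from the stash file slide; this is an added example, not part of the original slides. The function names and the rule that the stash file is the keystore name with its extension replaced by .sth are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM slides). Function names and the .sth naming
# rule (keystore name with its extension replaced) are assumptions.

# gen_master_key FILE [BITS] [RNG]
# Writes a raw AES key of 128, 192 or 256 bits that only the owner can read.
gen_master_key() {
    key_file=$1
    key_bits=${2:-256}
    rng=${3:-/dev/urandom}
    case $key_bits in
        128|192|256) key_bytes=$((key_bits / 8)) ;;
        *) echo "key length must be 128, 192 or 256 bits" >&2; return 2 ;;
    esac
    if [ -e "$key_file" ]; then
        # Never clobber a key file that may already back a master key label.
        echo "refusing to overwrite $key_file" >&2
        return 3
    fi
    # umask in a subshell: the file is created 0600 and is never world-readable.
    ( umask 077 && head -c "$key_bytes" "$rng" > "$key_file" ) || return 1
    got=$(wc -c < "$key_file" | tr -d ' ')
    if [ "$got" -ne "$key_bytes" ]; then
        rm -f "$key_file"
        echo "short read from $rng: $got of $key_bytes bytes" >&2
        return 4
    fi
}

# owner_only FILE: succeeds when group and others have no permission bits set.
owner_only() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# audit_key_files KEYSTORE [KEYFILE...]
# Prints one line per problem; returns 0 only when there are none.
audit_key_files() {
    keystore=$1
    problems=0
    if [ ! -f "$keystore" ]; then
        echo "MISSING keystore $keystore"
        problems=1
    fi
    # A missing stash file is valid: the password is then given at db2start.
    for f in "$@" "${keystore%.*}.sth"; do
        [ -e "$f" ] || continue
        if ! owner_only "$f"; then
            echo "EXPOSED $f is accessible to group or others"
            problems=1
        fi
    done
    return "$problems"
}

# Demonstration in a scratch directory (constructed paths and a constructed weak case).
demo_dir=$(mktemp -d)
gen_master_key "$demo_dir/mysecretkeyfile" 256
: > "$demo_dir/keystore.p12"
chmod 644 "$demo_dir/keystore.p12"
audit_key_files "$demo_dir/keystore.p12" "$demo_dir/mysecretkeyfile" || true
rm -rf "$demo_dir"
```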
Deleting a Master Key
From the existing Keystore
gsk8capicmd

Delete a Master Key Label

gsk8capicmd_64 -cert -delete -db ~/db2/ccardskeystore.p12 \
    -label secret.key.db1 -stashed

-cert -delete = to indicate that a master key will be deleted
-db           = keystore database name (absolute path)
-label        = name of the master key label to delete
-stashed      = use the stashed password to access the keystore

● CAUTION: It is a best practice to delete a master key only if it has never been used. Always keep master keys that have been used if you think you may need to get at the data that was encrypted with them.
Exporting a Master Key
From the existing Keystore
gsk8capicmd

Export a Master Key

gsk8capicmd_64 -cert -export -db ~/db2/ccardskeystore.p12 \
    -label secret.key.db1 -stashed \
    -target /newpath/newkeystore.p12 \
    -target_type pkcs12 \
    -target_pw Str0ngPW001

-cert -export = to indicate that a master key will be exported
-db           = source keystore database name (absolute path)
-label        = name of the master key label to export
-stashed      = use the stashed password to access the keystore
-target       = destination key database or file

● Note: this allows you to move a master key from one keystore to another
● Complete the move with a -cert -import
IBM DB2 Native Encryption
Using table procedure: sysproc.admin_rotate_master_key
● This built-in stored procedure changes the master key for a DB2 database
● It re-encrypts the database key with the new master key
● The action is logged in db2diag.log
Use with NULL to generate a master key and a master key label:
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY (NULL)
  Value of output parameters
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : DB2_SYSGEN_instancename_dbname_timestamp
  Return Status = 0
Or supply it an existing label to rotate to:
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY ('UserGivenLabel')
  Value of output parameters
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : UserGivenLabel
  Return Status = 0
Master Key Rotation
Details
● The process of changing encryption keys for compliance purposes
  - It requires decrypting any key encrypted with the old key and then re-encrypting it with the new key
  - NOTE: The data does not get re-encrypted!
● The key rotation frequency depends on the compliance driver
  - This generally ranges from once every 3 months to once per year
● The key rotation requirement can be thought of as analogous to the requirement to change passwords every 90 days
[Diagram: The current Master Key (label SECRET.DB2INST1.2015.02.01) is used to decrypt the DB2 encryption key. Now a new Master Key (label SECRET.DB2INST1.2015.03.05) is used to encrypt the DB2 encryption key.]
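The 2-tier model and the rotation described above, as an added example that is not IBM or DB2 code: the openssl CLI stands in for DB2's internal crypto and for the keystore, AES-256-CBC stands in for the key-wrapping step, and all function and file names are hypothetical. It shows that rotating the master key rewrites only the wrapped DEK while the data ciphertext stays byte-identical.

```shell
#!/bin/sh
# Added example (not IBM code): the openssl CLI stands in for DB2's internal
# crypto, and AES-256-CBC stands in for the key-wrap step. Names are hypothetical.
umask 077

rand_hex() { openssl rand -hex "$1"; }

# Tier 1: the data is encrypted with the data encryption key (DEK).
encrypt_data() { openssl enc -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"; }
decrypt_data() { openssl enc -d -aes-256-cbc -K "$1" -iv "$2" -in "$3"; }

# Tier 2: wrap_dek MK_HEX DEK_HEX OUT
# Encrypts the DEK with the master key (MK). OUT and OUT.iv are what would be
# stored with the database, while the MK itself stays in the keystore.
wrap_dek() {
    wrap_iv=$(rand_hex 16) || return 1
    printf '%s' "$wrap_iv" > "$3.iv"
    printf '%s' "$2" | openssl enc -aes-256-cbc -K "$1" -iv "$wrap_iv" -out "$3"
}

# unwrap_dek MK_HEX WRAPPED: prints the DEK; fails or prints garbage for a wrong MK.
unwrap_dek() {
    openssl enc -d -aes-256-cbc -K "$1" -iv "$(cat "$2.iv")" -in "$2"
}

# rotate_master_key OLD_MK NEW_MK WRAPPED
# Decrypts the DEK with the old MK and re-encrypts it with the new one.
# The data files are never opened.
rotate_master_key() {
    rot_dek=$(unwrap_dek "$1" "$3") || return 1
    wrap_dek "$2" "$rot_dek" "$3"
}

# rotation_demo: returns 0 when, after a rotation, the data ciphertext is
# byte-identical, the new MK recovers the data, and the old MK no longer
# recovers the DEK.
rotation_demo() {
    dir=$(mktemp -d) || return 1
    row='4111-0000-0000-0000,constructed sample row'
    printf '%s\n' "$row" > "$dir/table.dat"
    mk_old=$(rand_hex 32); mk_new=$(rand_hex 32)
    dek=$(rand_hex 32);    data_iv=$(rand_hex 16)

    encrypt_data "$dek" "$data_iv" "$dir/table.dat" "$dir/table.enc" || return 1
    wrap_dek "$mk_old" "$dek" "$dir/dek.wrapped" || return 1
    before=$(cksum < "$dir/table.enc")

    rotate_master_key "$mk_old" "$mk_new" "$dir/dek.wrapped" || return 1
    after=$(cksum < "$dir/table.enc")

    new_dek=$(unwrap_dek "$mk_new" "$dir/dek.wrapped") || return 1
    plain=$(decrypt_data "$new_dek" "$data_iv" "$dir/table.enc") || return 1
    stale=$(unwrap_dek "$mk_old" "$dir/dek.wrapped" 2>/dev/null | LC_ALL=C tr -cd '0-9a-f')
    rm -rf "$dir"

    [ "$before" = "$after" ] && [ "$plain" = "$row" ] && [ "$stale" != "$dek" ]
}

rotation_demo && echo "master key rotated; data ciphertext untouched"
```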
IBM DB2 Native Encryption
Backup encryption considerations
● Two options for backup encryption libraries
  - Encryption-only library (the default)
      libdb2encr.so (Linux, Solaris, HP-UX)
      libdb2encr.so.a (AIX*)
      libdb2encr.dll (Windows)
  - Encryption / Compression library
      libdb2compr_encr.so (Linux, Solaris, HP-UX)
      libdb2compr_encr.so.a (AIX)
      libdb2compr_encr.dll (Windows)
● Two options for using the above libraries for backup encryption
  - DB CFG parameters (the default)
      encrlib / comprlib (backup library to use)
      encropts / compropts (backup options to use)
  - BACKUP command keyword (only if DB CFG parms are not set)
      encrlib / comprlib (backup library to use)
      encropts / compropts (backup options to use)
* AIX is a registered trademark of IBM.
Backup Encryption Summary
● The following chart summarizes the combination of settings of ENCRLIB and ENCROPTS that result in encrypted backups
  - If ENCRLIB is set, backups will always be encrypted
  - DBAs can only override the level of backup encryption if ENCROPTS is set to NULL
  - A backup will be decrypted when ENCRLIB and ENCROPTS are NULL

Database Encrypted | ENCRLIB Set | ENCROPTS Set | DBA can Override ENCROPTS | Backup Default
✔ | ✔ | ✔ | ✖ | Encrypted
✔ | ✔ | ✖ | ✔ | Encrypted
✔ | ✖ | ✖ | ✔ | None
✖ | ✔ | ✔ | ✖ | Encrypted
✖ | ✔ | ✖ | ✔ | Encrypted
✖ | ✖ | ✖ | ✔ | None

Chart callouts: Default for encrypted databases; Default for standard databases
DB2 Tooling Considerations
For encrypted databases
● Tools with encryption support
  - db2pdlog
  - db2fmtlog
  - db2cklog
  - db2flsn
  - db2LogsForRfwd
  - db2UncompressLog
  - db2ckbkp
  - db2adutl
  - db2dart
● These tools will use the keystore specified in the DBM CFG KEYSTORE_LOCATION parameter
  - Additional arguments used to connect to the keystore if the password is not stashed
      -kspassword password
      -kspassarg fd:file_descriptor filename:file_name
      -ksprompt
DB2DIAG Log
Encryption notifications
● The db2diag.log will contain additional information on the errors that occurred during any of the encryption commands

2015-02-11-09.46.53.068475-300 E1265451E1280 LEVEL: Error
PID : 4527 TID : 139971511969536 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : SECRET
APPHDL : 0-169 APPID: *LOCAL.db2inst1.150211144653
AUTHID : DB2INST1 HOSTNAME: localhost.localdomain
EDUID : 1767 EDUNAME: db2agent (SECRET) 0
FUNCTION: DB2 UDB, database utilities, sqludValidateUserOptionsAgainstMediaHeader, probe:789
MESSAGE : ZRC=0xFFFFF931=-1743
SQL1743N The RESTORE command failed because the database in the
backup image is encrypted but the existing database on disk is not
encrypted.
DATA #1 : String, 558 bytes
The database contained in the backup image is encrypted but existing database on disk is not. If
this was intentional re-execute the command with the 'no encrypt' option. If this was not intended
and you are restoring into a new database, supply the desired encryption options to the restore API.
If this is a pre-existing database, the encryption options can not be changed and you must either
use a different backup image, restore into a a different database, or drop the existing database and
then re-issue the restore with the desired encryption options.

● Key Rotations are also found in the db2diag.log

Key Rotation successful using label:
DATA #2 : String, 46 bytes
DB2_SYSGEN_db2inst1_SECRET_2015-02-09-05.03.12
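One way to pull the encryption events shown above out of db2diag.log for audit, as an added example that is not part of the original slides. The sample records are constructed to follow the layout of the excerpt, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the IBM slides). The sample records are constructed
# to follow the layout of the db2diag.log excerpt on this page.
sample_db2diag() {
cat <<'EOF'
2015-02-09-05.03.12.417302-300 I1261001E512          LEVEL: Event
PID     : 4527                 TID : 139971511969536 PROC : db2sysc 0
INSTANCE: db2inst1             NODE : 000            DB   : SECRET
APPHDL  : 0-151                APPID: *LOCAL.db2inst1.150209100312
AUTHID  : DB2INST1             HOSTNAME: localhost.localdomain
DATA #1 : String, 36 bytes
Key Rotation successful using label:
DATA #2 : String, 46 bytes
DB2_SYSGEN_db2inst1_SECRET_2015-02-09-05.03.12

2015-02-11-09.46.53.068475-300 E1265451E1280         LEVEL: Error
PID     : 4527                 TID : 139971511969536 PROC : db2sysc 0
INSTANCE: db2inst1             NODE : 000            DB   : SECRET
APPHDL  : 0-169                APPID: *LOCAL.db2inst1.150211144653
AUTHID  : DB2INST1             HOSTNAME: localhost.localdomain
FUNCTION: DB2 UDB, database utilities, sqludValidateUserOptionsAgainstMediaHeader, probe:789
MESSAGE : ZRC=0xFFFFF931=-1743
          SQL1743N  The RESTORE command failed because the database in the
          backup image is encrypted but the existing database on disk is not
          encrypted.
EOF
}

# encryption_events FILE
# Prints "timestamp|database|authid|event|detail" for master key rotations and
# for restores rejected because of an encryption mismatch (SQL1743N).
encryption_events() {
    awk '
    # field(line, name): value that follows "name :" on a header line, or "".
    function field(line, name,    s) {
        if (!match(" " line, " " name " *: *[^ ]+")) return ""
        s = substr(" " line, RSTART, RLENGTH)
        sub(/^[^:]*: */, "", s)
        return s
    }
    # A record starts with a timestamp line: YYYY-MM-DD-HH.MM.SS.ffffff-TZ
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\./ {
        ts = $1; db = "-"; auth = "-"; want_label = 0; flagged = 0
        next
    }
    ts == "" { next }                      # ignore anything before the first record
    {
        if ((v = field($0, "DB")) != "") db = v
        if ((v = field($0, "AUTHID")) != "") auth = v
    }
    /Key Rotation successful using label/ { want_label = 1; next }
    want_label && /^ *DATA #/ { next }      # skip the DATA type line before the label
    want_label && NF {
        print ts "|" db "|" auth "|ROTATE|" $1
        want_label = 0
        next
    }
    /SQL1743N/ && !flagged {
        print ts "|" db "|" auth "|SQL1743N|restore encryption mismatch"
        flagged = 1
    }
    ' "$1"
}

# last_rotation FILE DB: timestamp of the most recent rotation logged for DB,
# for comparison with the rotation interval the compliance driver requires.
last_rotation() {
    encryption_events "$1" |
        awk -F'|' -v db="$2" '$2 == db && $4 == "ROTATE" { t = $1 } END { print t }'
}

# Demonstration on the constructed sample.
tmp_log=$(mktemp)
sample_db2diag > "$tmp_log"
encryption_events "$tmp_log"
rm -f "$tmp_log"
```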
IBM DB2 Native Encryption
Other considerations
● CAUTION: Back up your keystore and stash files regularly!
  - Using Secure Copy (SCP) or another secure-copy protocol
  - Keep in a separate place from your backups
● Use only the GSKit to manipulate the keystore
  - Using anything else could corrupt it and render it unusable
● IBM Support cannot decrypt your data
  - They will supply you tools and instructions to prepare your transaction logs and dump files for their use if they need it for solving a problem with an encrypted database
● DPF database encryption considerations
  - Restore the catalog partition first - using the encryption options
  - The remaining partitions can be restored without the encryption options
● High Availability Disaster Recovery (HADR) database encryption is supported
  - The pairs do not have to have the same encryption options
  - In fact, one can be encrypted and the other not encrypted
HADR Setup Example
Primary site keystore setup with master key creation
gsk8capicmd_64 -keydb -create -db ~/db2/db2keys.p12 -type pkcs12 -pw Str0ngPassw0rd -strong -stash
head -c 32 /dev/random > ~/db2/secretkey.p12
gsk8capicmd_64 -secretkey -add -db ~/db2/db2keys.p12 -stashed -label secret.key -file ~/db2/secretkey.p12

Update primary instance with keystore information and create the database
UPDATE DBM CONFIG USING KEYSTORE_LOCATION /home/db2inst1/db2/db2keys.p12 KEYSTORE_TYPE PKCS12
CREATE DATABASE SECRET ENCRYPT CIPHER AES KEY LENGTH 256 MASTER KEY LABEL secret.key
BACKUP DATABASE SECRET TO …

Export secret.key from primary and move to the secondary site (or just copy the keystore)
gsk8capicmd_64 -cert -export -db ~/db2/db2keys.p12 -stashed -label secret.key \
    -target ~/db2/export.p12 -target_pw "Str0ngPassw0rd" -target_type pkcs12
scp ~/db2/export.p12 db2inst1@secondary:/home/db2inst1/db2

Secondary site keystore setup and import of secret.key from primary
gsk8capicmd_64 -keydb -create -db ~/db2/db2keys.p12 -type pkcs12 -pw Str0ngPassw0rd -strong -stash
gsk8capicmd_64 -cert -import -db ~/db2/export.p12 -label secret.key -pw "Str0ngPassw0rd" \
    -target ~/db2/db2keys.p12 -target_type pkcs12 -stashed
UPDATE DBM CONFIG USING KEYSTORE_LOCATION /home/db2inst1/db2/db2keys.p12 KEYSTORE_TYPE PKCS12

Restore to a new copy of the Encrypted Database at the secondary site
RESTORE DATABASE SECRET FROM /db2 ENCRYPT CIPHER … MASTER KEY LABEL secret.key
HADR Key Rotation Example
Generate a new master key at the secondary site
head -c 32 /dev/random > ~/db2/newsecretkey.p12
gsk8capicmd_64 -secretkey -add -db ~/db2/db2keys.p12 -stashed -label newsecret.key \
    -file ~/db2/newsecretkey.p12

Export the new master key and send to the primary system
gsk8capicmd_64 -cert -export -db ~/db2/db2keys.p12 -stashed -label newsecret.key \
    -target ~/db2/export.p12 -target_pw "Str0ngPassw0rd" -target_type pkcs12
scp ~/db2/export.p12 db2inst1@primary:/home/db2inst1/db2

Import the newsecret.key from the secondary into the primary site
gsk8capicmd_64 -cert -import -db ~/db2/export.p12 -label newsecret.key -pw "Str0ngPassw0rd" \
    -target ~/db2/db2keys.p12 -target_type pkcs12 -stashed

Initiate key rotation on primary site
CONNECT TO SECRET
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('newsecret.key')
OLTP Test Results - TPCC Performance(TPS)
TPS:
Almost NO difference b/w unencrypted DB vs. Encrypted DB
CPU Usage:
Unencrypted DB / Encrypted DB = 100-103%
TPS vs CPU(us+sy):
Encrypted DB needs a little more CPU(us) than Unencrypted DB
per transaction.
IBM DB2 Native Encryption vs. Guardium Data Encryption
● Database managed encryption
● Enterprise managed encryption
  - Management by DBA/Application Teams
  - Heterogeneous Database, Application and Filesystem Encryption
  - Cloud database encryption
  - Encrypts databases and backup images, and optionally compresses backups
● Simplified DBA deployment
● Managed by Enterprise Security Team
● Comparable option to SAP HANA/Oracle/MS SQL
IBM DB2 Encryption Option: Decision based on who is the buyer and Manager of the system/project
Only option for pureScale on Linux
Supports pureScale on AIX only
Presentation by:
Burt Vialpando
IBM Executive IT Specialist, The Open Group Distinguished IT Specialist, IBM IT Certification Board
IBM Certified Database Administrator for DB2 10.1 for Linux, UNIX and Windows
IBM Certified Advanced Database Administrator for DB2 V9.7 for Linux, UNIX and Windows
IBM Certified Solutions Developer DB2 9.7 SQL Procedures
IBM Certified Application Developer DB2 9
IBM Certified Solutions Designer for DB2 Business Intelligence V8
IBM Certified Solutions Expert for DB2 UDB V7.1 Database Administration for IBM OS/390
Oracle 11g Database Administrator Certified Associate
IBM Plateau Level 1 Inventor