DB2 Native Encryption

IBM introduced DB2 Native Encryption in DB2 10.5 FP5. DB2 Native Encryption encrypts DB2 backup images as well as the key database files: tablespace containers, transaction logs, archive logs, load copy data and load staging files. In other database products this technology is referred to as TDE (Transparent Data Encryption). TDE, or DB2 Native Encryption, encrypts data at rest, that is data in files, not data in transit or data in use. Even if DB2 Native Encryption is enabled for a database, table data remains readable in the clear by any user who can access it with DML statements. It is also possible to encrypt only the backup of a database that is itself not encrypted.

DB2 Native Encryption License Requirement

In DB2 10.5 FP5 and later fix packs, DB2 Native Encryption is included by default with DB2 Express-C Edition, DB2 Advanced Workgroup Server Edition, DB2 Advanced Enterprise Server Edition and DB2 Developer Edition. For DB2 Express Server Edition, DB2 Workgroup Server Edition and DB2 Enterprise Server Edition you must purchase and apply the additional IBM DB2 Encryption Offering license to use DB2 Native Encryption. From DB2 11.1 onwards, DB2 Native Encryption is enabled by default for all editions.

Data Encryption Key and Master Key

DB2 Native Encryption uses a Data Encryption Key (DEK) to encrypt data before it is written to disk. The DEK that was used to encrypt the data is itself encrypted with a Master Key (MK) and stored, in that encrypted form, in the database or backup image. DB2 generates a DEK when one is required, for example when an encrypted database backup is taken or when an encrypted database is created. The Master Key is stored in a keystore.

DB2 supports two types of keystore: a local keystore and a centralized keystore. A local keystore is a file that DB2 accesses locally, while a centralized keystore is a third-party keystore hosted remotely on a central server and accessed over the network.

A local keystore file follows the Public Key Cryptography Standards (PKCS) #12 archive format to store the Master Key and its metadata.

A centralized keystore can be either a hardware or a software solution. A software solution must be a product that supports Key Management Interoperability Protocol (KMIP) version 1.1 or higher. DB2 supports the following hardware security modules, which are accessed through the PKCS #11 API:

  • Gemalto Safenet HSM version 6.1 and higher
  • nCipher nShield HSM version 11.50 and higher

Keystore Access

DB2 accesses the keystore to read an existing Master Key or to create a new one. DB2 accesses the keystore during the following operations:

  • Starting DB2 Instance
  • Database creation
  • Database activation
  • Database backup
  • Database restore
  • Database rollforward

If the keystore is inaccessible you will not be able to access your own database, so availability of the keystore is of paramount importance. You need to ensure that in case of a disaster you can recover your keystore: for a local keystore, that you can recover the keystore file; for a centralized keystore, that your solution supports backup and recovery functionality.
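The DEK/MK arrangement described in the Data Encryption Key and Master Key section, and the consequence of losing the keystore described just above, as an added example that is not part of the original post and not DB2's own code: a Go program that generates a per-image DEK, encrypts the data with it, wraps the DEK under a master key held in a stand-in keystore (a map here, where DB2 uses a PKCS #12 file or a KMIP/PKCS #11 keystore), and shows that the image cannot be decrypted once the keystore is unavailable. AES-256-GCM, the names and the sample data are assumptions chosen for illustration; DB2's actual key formats and wrapping are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keystore stands in for the local keystore: master keys looked up by label.
// (DB2's local keystore is a PKCS #12 file; a map keeps this example offline.)
type Keystore map[string][]byte

// EncryptedImage stands in for an encrypted backup image: data sealed under a
// DEK, the DEK sealed under a master key, and the label of that master key.
type EncryptedImage struct {
	MasterKeyLabel string
	WrappedDEK     []byte // nonce || AES-256-GCM(MK, DEK)
	Ciphertext     []byte // nonce || AES-256-GCM(DEK, data)
}

// randBytes returns n bytes from the OS CSPRNG; a failing CSPRNG is fatal here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-GCM for a key; every key here is 32 bytes, so failure is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext under key with a fresh random nonce prepended.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; the GCM tag check rejects a wrong key or altered bytes.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt generates a fresh DEK for this image, encrypts the data with it, and
// stores the DEK only in wrapped form: the master key never leaves the keystore.
func Encrypt(ks Keystore, label string, data []byte) (*EncryptedImage, error) {
	mk, ok := ks[label]
	if !ok {
		return nil, fmt.Errorf("master key %q not in keystore", label)
	}
	dek := randBytes(32)
	return &EncryptedImage{
		MasterKeyLabel: label,
		WrappedDEK:     seal(mk, dek),
		Ciphertext:     seal(dek, data),
	}, nil
}

// Decrypt must unwrap the DEK with the master key before it can touch the data.
// If the keystore, or just this label, is unavailable, the image is unreadable.
func Decrypt(ks Keystore, img *EncryptedImage) ([]byte, error) {
	mk, ok := ks[img.MasterKeyLabel]
	if !ok {
		return nil, fmt.Errorf("master key %q not in keystore", img.MasterKeyLabel)
	}
	dek, err := unseal(mk, img.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, img.Ciphertext)
}

func main() {
	ks := Keystore{"mk-2024": randBytes(32)} // constructed master key
	img, err := Encrypt(ks, "mk-2024", []byte("constructed backup image bytes"))
	if err != nil {
		panic(err)
	}
	_, err = Decrypt(Keystore{}, img) // keystore lost: the image is unrecoverable
	fmt.Println("without keystore:", err)
	plain, _ := Decrypt(ks, img)
	fmt.Println("with keystore:", string(plain))
}
```

Note where `Decrypt` fails when the keystore is gone: at the unwrap step, before the data is ever touched. The ciphertext is intact but useless, which is exactly why a lost keystore makes even a perfectly good backup unrestorable, and why the keystore needs its own backup and recovery plan.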

Performance Impact

DB2 Native Encryption encrypts data when it is written to disk and decrypts it when it is read from disk, so the performance impact is observed only on physical I/O operations. After enabling DB2 Native Encryption, your effective I/O bandwidth is reduced. How much this affects your application depends on how the application behaves under the change in I/O performance. It is advisable to tune your database to avoid a negative impact from the change in I/O performance after encryption.

Apart from the performance impact, enabling encryption also adds operational overhead, such as managing the keystore.

Configure Encryption and encrypt database

See the blog post How to Encrypt DB2 database for the step-by-step process to configure and enable DB2 Native Encryption.

See the blog post How to Encrypt DB2 Database using Centralized KeyStore for the step-by-step process to configure DB2 Native Encryption with a centralized keystore.
