Data Masking in DB2

User data security is one of the critical aspects of database administration. It is the DBA's responsibility to ensure that data is accessed only by authorized users, and DBAs can control that by restricting access at various levels. In some cases you want to completely or partially conceal data depending on who is accessing it, e.g. in a payroll application a manager can view only the last 4 digits of an employee's SSN, while a team member cannot see the SSN of other employees but can see his/her own SSN. If we try to achieve this at the application level it increases application complexity and might impact application performance, and your database is still vulnerable: anyone who gets access to the database can see any employee's SSN. The best way to achieve it is Data Masking at the database level.

Data breaches might lead to financial loss, reputational damage, operational downtime, legal action and loss of sensitive data. With changing data privacy laws and regulations it is now even more critical to ensure data is adequately protected.

In a DB2 LUW database, Data Masking can be achieved with the help of a Column Mask, which was introduced in DB2 10.1 as part of Row and Column Access Control (RCAC). In this blog we will go through the steps to enable data masking in DB2 LUW and a few data masking scenarios.


How to Create Column Mask in DB2 LUW?

A Column Mask is created using the CREATE MASK statement. To create a mask the user must have SECADM authority; no other privilege is required, such as SELECT on the table or EXECUTE on a function.

CREATE MASK <mask name> ON <table name> FOR COLUMN <column name> RETURN <case expression> ENABLE
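For the payroll scenario described above, here is an added example of such a mask (it is not code from the original post). It assumes a table EMPLOYEE with a column USERID holding the employee's authorization ID and a column SSN stored as 'nnn-nn-nnnn', and a DB2 group named MANAGER; VERIFY_GROUP_FOR_USER and SESSION_USER are DB2's own RCAC function and special register.

```sql
-- Added example; assumed table EMPLOYEE(EMPNO, USERID, SSN) and group MANAGER.
-- Run as a user with SECADM authority.
CREATE MASK SSN_MASK ON EMPLOYEE
  FOR COLUMN SSN
  RETURN CASE
           -- managers see only the last 4 digits
           WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'MANAGER') = 1
             THEN 'XXX-XX-' || SUBSTR(SSN, 8, 4)
           -- an employee sees his/her own SSN in full
           WHEN USERID = SESSION_USER
             THEN SSN
           -- everyone else sees a fully masked value
           ELSE 'XXX-XX-XXXX'
         END
  ENABLE;

-- The mask takes effect only once column access control is activated on the table
ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- Check: run this as a manager, as a team member and as a plain user and compare
SELECT EMPNO, SSN FROM EMPLOYEE;
```

The CASE expression must return the same data type as the masked column, so the masked strings above only work if SSN is a character column wide enough to hold them.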

Enable SSL for DB2 HADR Communication

In the blog DB2 SSL we went through the importance of SSL and the steps to configure SSL for DB2 communication, both on the DB2 server side and on the client side. In this blog we will go through the steps to configure SSL for DB2 HADR communication. You can configure SSL for both DB2 client/server communication and HADR communication, or for HADR communication only. If you have not read the blog DB2 SSL, I highly recommend going through it first before moving on to the detailed steps to configure SSL for DB2 HADR communication.

In this blog we will use two Local KeyStores, one for the Primary and the other for the Standby. We will consider a 2 node HADR setup with the configuration below. If you have more than one Standby node, you need to perform the steps below on every other Standby node as well.

Primary Node : db2test1, Instance : db2i1

DB2 HADR Configuration

Standby Node : db2test2, Instance : db2i1

DB2 HADR Configuration


Encrypt DB2 HADR Database Setup without Downtime

In the blogs DB2 Native Encryption, How to Encrypt DB2 Database and How to Encrypt DB2 Database using Centralized KeyStore we went through DB2 Native Encryption and the step by step process to encrypt a DB2 standalone database using both a Local KeyStore and a Centralized KeyStore. Encrypting a DB2 standalone database involves downtime. In this blog we will go through the step by step process to encrypt a DB2 database in an HADR setup without downtime. Before we proceed I would suggest checking the above blogs to understand DB2 Native Encryption and the steps to configure it.

In this blog we will use two Local KeyStores, one for the Primary and the other for the Standby. You can use a shared Local KeyStore as well, by creating the KeyStore on a shared file system.

We will consider a 2 node HADR setup with the configuration below:

Primary Node : db2test1, Instance : db2i1

DB2 HADR Configuration

Standby Node : db2test2, Instance : db2i1

DB2 HADR Configuration

How to Encrypt DB2 Database using Centralized KeyStore

In the blog How to Encrypt DB2 Database we went through the step by step process of configuring DB2 Native Encryption using a Local KeyStore. A Local KeyStore carries the overhead of backup and maintenance, and if the Local KeyStore becomes inaccessible for any reason and you are unable to recover it, you cannot access your encrypted database; restoring from encrypted database backups will not be possible either. To reduce this overhead you can use a Centralized KeyStore. In this blog we will see the step by step process to configure DB2 Native Encryption using a Centralized KeyStore.

How to Encrypt DB2 Database using Centralized KeyStore?

Step 1: Prerequisite - Digital Certificate

You can use a self-signed digital certificate as well, but it is advised to use a digital certificate signed by a CA when using a Centralized KeyStore.

DB2 SSL

DB2 Native Encryption protects your DB2 database against threats at rest, but it does not secure your data in transit. Even though your database is encrypted, a malicious user can tap the communication between your database and its clients to view and modify data in transit. To secure your data in transit you can configure SSL communication between your application and the database server, so that all communication goes through a secure tunnel. DB2 supports TLS versions 1.0, 1.1 and 1.2. TLS 1.2 is not enabled by default. You can configure DB2 to support only TLS 1.2, or all of them, i.e. TLS 1.2, 1.1 and 1.0. In this blog we will go through the steps to configure DB2 SSL on the DB2 server as well as on the DB2 client. If you are interested in the DB2 Native Encryption feature, check the blog DB2 Native Encryption, and check the blog Encrypt DB2 Database for the steps to configure DB2 Native Encryption.

How to Encrypt DB2 Database

In the blog DB2 Native Encryption we went through an introduction to DB2 Native Encryption, the license requirement, the Data Encryption Key and Master Key, the different Keystores supported by DB2, the operations for which the Keystore is accessed, and the performance impact of encrypting a database. In this blog we will see the step by step process to enable DB2 Native Encryption and encrypt a DB2 database.

How to Encrypt DB2 Database?

Step 1: Planning

Before implementing DB2 Native Encryption and encrypting your database you should determine the Keystore type, i.e. Local KeyStore or Centralized KeyStore. Benchmark your database performance beforehand so that you can determine the variance in performance after enabling encryption.

Your DB2 version should be DB2 10.5 FP 5 or above to support DB2 Native Encryption. If you are on DB2 10.5, depending on your DB2 edition you may need an additional license, the IBM DB2 Encryption Offering, to use DB2 Native Encryption. From DB2 11.1 DB2 Native Encryption is available in all Db2 editions.

In this blog we will encrypt a DB2 database using a Local Keystore.

Check the blog Encrypt DB2 Database using Centralized KeyStore for the step by step process to enable DB2 Native Encryption using a Centralized KeyStore.

DB2 Native Encryption

IBM introduced DB2 Native Encryption with DB2 10.5 FP 5. DB2 Native Encryption encrypts DB2 backup images and key database files such as tablespace containers, transaction logs, archive logs, load copy data and load staging files. In other databases this technology is also referred to as TDE (Transparent Data Encryption). TDE, or DB2 Native Encryption, encrypts data at rest, that is data in files, and not data in transit or data in use. Even if you have enabled DB2 Native Encryption for your database, it will not conceal table data from a user who is authorized to access it using DML statements. It is also possible to encrypt only the backup of a database that is itself not encrypted.

DB2 Native Encryption License Requirement:

In DB2 10.5 FP 5 and later fix packs, DB2 Native Encryption is available by default with DB2 Express-C Edition, DB2 Advanced Workgroup Server Edition, DB2 Advanced Enterprise Server Edition and DB2 Developer Edition, but for DB2 Express Server Edition, DB2 Workgroup Server Edition and DB2 Enterprise Server Edition you need to purchase and apply an additional license, the IBM DB2 Encryption Offering, to use DB2 Native Encryption. From DB2 11.1 DB2 Native Encryption is enabled by default for all editions.