Db2 Native Encryption:

Actual data is encrypted with a Data Encryption Key (DEK) before the data is
written to disk.
DEK is stored and encrypted by a Master Key (MK).

DEK is managed within the database, MK is managed externally

MK is stored within a PKCS#12 compliant keystore
Encrypted keystore file containing master keys

Keystore backup is the responsibility of the customer

Support for master key rotation through new procedure ADMIN_ROTATE_MASTER_KEY()

Unless directed otherwise, Db2 generates an MK automatically during these

operations:
-Database creation
-Master key rotation
-Restoring into a new database

Master keys are stored in a keystore.

A keystore can be a file that is directly accessed by Db2 (local) or a third-party
keystore with which Db2 communicates over the network (centralized).
Keystores supported by Db2:
1. A local keystore (PKCS)#12: A local keystore file that follows the Public Key
Cryptography Standards (PKCS)#12 archive file format for storing cryptography
objects.
2. A centralized keystore that is accessed using one of the following methods:
-(KMIP) version 1.1 or higher --Key Management Interoperability Protocol (KMIP)
-PKCS #11

-----------------------------------------------------------------------------------
-------------------------------------------
Database Objects that are Encrypted:
All user data in a database is encrypted
All tablespaces (system defined and user defined)
All types of data in a table space (LOB, XML, etc. )
All transaction logs including logs in the archives
All LOAD COPY data
All LOAD staging files
All dump .bin files
All backup images

Additional objects that are encrypted

Encryption keys in memory, except for the time they are actually used
Keystore passwords when transparently communicated from one member/ partition
toanother upon restart
-----------------------------------------------------------------------------------
-------------------------------------------
IBM Global Security Kit
DB2 Encryption uses the IBM Global Security Kit (GSKit) forkey management and
encryption

Three GSKit command options are used for manipulating keys

1. keydb :Used to create a keystore for use by DB2
gsk8capicmd_64 –keydb –create[-drop] –db –pw –strong –type –stash
eg:
gsk8capicmd_64 -keydb –create -db ~/db2/db2keys.p12 -type pkcs12 -pw
"Str0ngPassw0rd" -strong -stash
-When the -stash option is specified during the create action, an obfuscated
version of the keystore password is stashed in a file:<key database name>.sth
-A stash file is used as an automatic way of providing a password.
-If a keystore password was not provided during db2start, the password will be
retrieved from the stash file.The stash file can only be read by the instance owner

2. secretkey :Use for extract/add master key labels to a keystore

Extract:
[db2inst2@pufra02eurwcadbs01 DailyBkups]$ db2 "SELECT CAST (OBJECT_NAME AS
VARCHAR(10)) AS OBJECT_NAME, OBJECT_TYPE, KEY_LENGTH, CAST (MASTER_KEY_LABEL AS
VARCHAR(62)) AS MASTER_KEY_LABEL,
CAST (KEYSTORE_NAME AS VARCHAR(65)) AS KEYSTORE_NAME, KEYSTORE_TYPE FROM
TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) "

OBJECT_NAME OBJECT_TYPE KEY_LENGTH MASTER_KEY_LABEL

KEYSTORE_NAME KEYSTORE_TYPE
----------- -------------------- ----------
--------------------------------------------------------------
-----------------------------------------------------------------
--------------------
AUTH DATABASE 256 DB2_SYSGEN_db2inst1_AUTH_2017-03-30-
13.00.49 /home/db2inst1/keystore.p12
PKCS12

1 record(s) selected.

db2pd -db <db name> -encryptioninfo

[db2inst2@pufra02eurwcadbs01 DailyBkups]$
~/sqllib/gskit/bin/gsk8capicmd_64 -secretkey -extract -stashed -db
/home/db2inst1/keystore.p12 -label DB2_SYSGEN_db2inst1_AUTH_2017-03-30-13.00.49
-file auth.key -format binary

Add:
gsk8capicmd_64 –secretkey –add –db –label –file -stashed
~/sqllib/gskit/bin/gsk8capicmd_64 -secretkey -add -db
/home/db2inst1/sqllib/security/keystore.p12 -stashed -type pkcs12 -file auth.key
-format binary -label DB2_SYSGEN_db2inst1_AUTH_2017-03-30-13.00.49

3. cert :Used for listing, deleting, importing, and exporting master key labels
gsk8capicmd_64 –cert [-list|-delete]
eg:
gsk8capicmd_64 –cert –list -db ~/db2/db2keys.p12 –stashed
gsk8capicmd_64–cert –delete –db ~/db2/db2keys.p12 -stashed -label <label_name>
-----------------------------------------------------------------------------------
----------
Registering the Keystore in DB2
After creating a keystore file, the DB2 instance must be updated with the location
and type of keystore
Two new configuration parameters
-KEYSTORE_TYPE: Type of keystore being used (either NULL or PKCS12)
-KEYSTORE_LOCATION: Absolute location of the keystore (or NULL if none)

-----------------------------------------------------------------------------------
-------------------------------------------
Determine Current Database Encryption Settings
SYSPROC.ADMIN_GET_ENCRYPTION_INFO
table function can be used to determine the encryption settings for a database.
-----------------------------------------------------------------------------------
-------------------------------------------
Key Rotation Procedure
db2 connect to dbname
CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('newMasterKeyLabel')
-The SYSPROC.ADMIN_ROTATE_MASTER_KEY procedure re-encrypts the database key with
the new master key.
-DB2 will automatically generate the new master key unless you override it with a
key label.
Key rotation is logged in the db2diag.log file:
grep –A 3 "Key Rotation" ~/sqllib/db2dump/db2diag.log
Key Rotation successful using label:
DATA #2 : String, 46 bytes
DB2_SYSGEN_db2inst1_SECRET_2015-02-09-05.03.12
-----------------------------------------------------------------------------------
-------------------------------------------
Tools with encryption support
db2pdlog
db2fmtlog
db2cklog
db2flsn
db2LogsForRfwd
db2UncompressLog
db2ckbkp
db2adutl
db2dart
-----------------------------------------------------------------------------------
-------------------------------------------
Backup Encryption Settings
Two database parameters can be used to automatically control the encryption of
backups
1. ENCRLIB :Which encryption library to use
2. ENCROPTS :What options to pass to the encryption routine

ENCRLIB and ENCOPTS are automatically set when a new database is created with
encryption"
Both values are set according to the ENCRYPT options that were used at database
creation time
Any database backup will be encrypted automatically with these setting
No requirement for additional encryption keywords on the BACKUP command
Only a SECADM can override the database encryption parameters

Setting ENCRLIB to NULL and ENCROPTS to NULL will allow the DBA to backup the
database with NO ENCRYPTION.
Setting ENCRLIB/ENCROPTS at the database level ensures that backups will always be
encrypted

-----------------------------------------------------------------------------------
-------------------------------------------

scp these backups to qufra04selwcldbs1005 via landing pad.

[db2inst2@qufra04selwcldbs1005 tmp]$ db2 "restore db auth encropts 'SHOW MASTER

KEY DETAILS'"
SQL2523W Warning! Restoring to an existing database that is different from
the database on the backup image, but have matching names. The target database
will be overwritten by the backup version. The Roll-forward recovery logs
associated with the target database will be deleted.
Do you want to continue ? (y/n) y
DB20000I The RESTORE DATABASE command completed successfully.
[db2inst2@qufra04selwcldbs1005 tmp]$

[db2inst2@qufra04selwcldbs1005 tmp]$ db2 get dbm cfg |grep -i diag

Diagnostic error capture level (DIAGLEVEL) = 3
Diagnostic data directory path (DIAGPATH) =
/home/db2inst2/sqllib/db2dump/ $m
Current member resolved DIAGPATH =
/home/db2inst2/sqllib/db2dump/DIAG0000/
Alternate diagnostic data directory path (ALT_DIAGPATH) =
Current member resolved ALT_DIAGPATH =
Size of rotating db2diag & notify logs (MB) (DIAGSIZE) = 10240
[db2inst2@qufra04selwcldbs1005 tmp]$ cd /home/db2inst2/sqllib/db2dump/DIAG0000/
[db2inst2@qufra04selwcldbs1005 DIAG0000]$ ls -rlt
total 42984
drwxr-xr-x. 2 db2inst2 db2iadm2 4096 Jan 24 2022 clientrecords
-rw-r-----. 1 db2inst2 db2iadm2 6291316 Feb 21 23:43 db2eventlog.000
-rw-rw-rw-. 1 db2inst2 db2iadm2 27037 Jul 23 02:01 db2diag.log
drwxrwxr-t. 2 db2inst2 db2iadm2 4096 Jul 27 16:26 stmmlog
drwxrwxrwx. 2 db2inst2 db2iadm2 4096 Jul 28 02:03 events
-rw-rw-rw-. 1 db2inst2 db2iadm2 4595267 Jul 28 09:33 db2inst2.0.nfy
-rw-r-----. 1 db2inst2 db2iadm2 462 Jul 28 09:33
AUTH.0.db2inst2.DBPART000.20210108102941.masterKeyDetails
-rw-rw-rw-. 1 db2inst2 db2iadm2 33018769 Jul 28 09:33 db2diag.0.log
[db2inst2@qufra04selwcldbs1005 DIAG0000]$

[db2inst2@qufra04selwcldbs1005 DIAG0000]$ cat

AUTH.0.db2inst2.DBPART000.20210108102941.masterKeyDetails

KeyStore Type: PKCS12

KeyStore Location: /home/db2inst2/sqllib/security/keystore.p12
KeyStore Host Name: qufra04selwcldbs1001.sel.ecomm.local
KeyStore IP Address: 161.156.115.91
KeyStore IP Address Type: IPV4
Encryption Algorithm: AES
Encryption Algorithm Mode: CBC
Encryption Key Length: 256
Master Key Label: DB2_SYSGEN_db2inst2_AUTH_2021-01-07-
19.36.47_AFF156F6

GO back to source server and generate key.

[db2inst2@qufra04selwcldbs1001-t02 after_fix_wcsdb]$
~/sqllib/gskit/bin/gsk8capicmd_64 -secretkey -extract -stashed -db
/home/db2inst2/sqllib/security/keystore.p12 -label DB2_SYSGEN_db2inst2_AUTH_2021-
01-07-19.36.47_AFF156F6 -file auth.key -format binary
You have mail in /var/spool/mail/db2inst2