Encryption Technology
Presenter: Marcin Baster
DB2 LUW Advanced Support Analyst
IBM Analytic Platform Client Success and Smarter Support
© 2015 IBM Corporation
Disclaimer
The information contained in this presentation is provided for informational purposes only.
While efforts were made to verify the completeness and accuracy of the information contained in this
presentation, it is provided as is, without warranty of any kind, express or implied.
In addition, this information is based on IBM's current product plans and strategy, which are subject to
change by IBM without notice.
IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this
presentation or any other documentation.
Nothing contained in this presentation is intended to, or shall have the effect of:
Creating any warranty or representation from IBM (or its affiliates or its or their suppliers and/or
licensors); or
Altering the terms and conditions of the applicable license agreement governing the use of IBM
software.
Performance is based on measurements and projections using standard IBM benchmarks in a
controlled environment. The actual throughput or performance that any user will experience will vary
depending upon many factors, including considerations such as the amount of multiprogramming in the
user's job stream, the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results similar to those stated
here.
PART ONE
Encryption highlights
Agenda
IBM DB2 Encryption Offering
Data encryption requirements
Offering overview
Functionality Highlights
Encryption overview
Encryption keys, algorithms, and security strengths
Encryption key management
Key management
GSKit Overview
Keystore and key creation, deletion, reporting, exporting, and importing
Encrypting databases
Backup and restore
Utilities, diagnostics and other considerations
Data protection and privacy regulations by country (world map slide):
Russia: Computerization & Protection of Information / Participation in Int'l Info Exchange
Japan: Guidelines for the Protection of Computer Processed Personal Data
Hong Kong: Privacy Ordinance
New Zealand: Privacy Act
United Kingdom: Data Protection Act
EU: Protection Directive
Poland: Polish Constitution
Germany: Federal Data Protection Act & State Laws
China: Commercial Banking Law
Indonesia: Bank Secrecy Regulation 8
Singapore: Monetary Authority of Singapore Act
Vietnam: Banking Law
Philippines: Secrecy of Bank Deposit Act
Australia: Federal Privacy Amendment Bill
Switzerland: Federal Law on Data Protection
Pakistan: Banking Companies Ordinance
Israel: Protection of Privacy Law
India: SEC Board of India Act
South Africa: Promotion of Access to Information Act
Taiwan: Computer-Processed Personal Data Protection Law
Canada: Personal Information Protection & Electronic Documents Act
USA: Federal, Financial & Healthcare Industry Regulations & State Laws
Mexico: E-Commerce Law
Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
Argentina: Habeas Data Act
Colombia: Political Constitution Article 15
Chile: Protection of Personal Data Act
Backup highlights
Leverages existing interface for calling out to an external library
Same encryption algorithm choices as for database
Non-encrypted databases can also have backups encrypted
Automated backup encryption through use of new ENCRLIB/ENCROPTS
database configuration parameters
Use of encryption for backups enforced by SECADM
Automation turned on by default when an encrypted database is created
PART TWO
Encryption overview
Encryption Key
The sequence that controls the operation of the cryptographic algorithm.
The number of bits in a key is called the key length.
The length of the key reflects the difficulty of decrypting a plaintext encrypted with that key.
A 256-bit key has 2^256 distinct values in its key space.
Figure (symmetric encryption): Plaintext + Key -> Encryption -> Ciphertext; Ciphertext + Key -> Decryption -> Plaintext.
Figure (secret-key example): Original Message + Secret Key -> Encrypted Message; Decryption: Encrypted Message + Secret Key -> Original Message.
It is not feasible to derive the private key from the public key in any reasonable time.
RSA, ECC, and Diffie-Hellman are the most famous examples.
Figure (public-key encryption): Plaintext + Public Key -> Encryption -> Ciphertext; Ciphertext + Private Key -> Decryption -> Plaintext.
Comparable key lengths (bits):
Symmetric Key Length (AES) | Asymmetric Key Length (RSA) | Asymmetric Key Length (ECC)
-                          | 1024                        | 160
-                          | 2048                        | 224
128                        | 3072                        | 256
192                        | 7680                        | 384
256                        | 15360                       | 512
Keystore (protected by a password, e.g. PassW0rd)
Master Keys with Labels are created in order to encrypt database keys:
Key Label                  | Key
SECRET.DB2INST1.2015.02.01 | (master key)
Database Keys are generated internally by DB2 and are used to encrypt the database:
Key Label                  | Key          | DB2 Key
SECRET.DB2INST1.2015.02.01 | (master key) | (database key, encrypted with the master key)
The DB2 encryption key is itself encrypted within the database image by using the Master Key found within the keystore.
PART TWO
Key management: GSKit overview
gsk8capicmd_64 commands used for DB2 master keys:
secretkey: used to add master key labels to a keystore
cert: used for listing, deleting, importing, and exporting master key labels
Parameters (gsk8capicmd_64 -keydb)
Keyword | Use
-keydb  | -create or -drop (create or drop a keystore)
-db     | Keystore filename
-type   | Must be pkcs12.
-pw     | Password for the keystore (at least 14 characters long when -strong is used).
-strong | Enforce a strong keystore password (minimum 14 characters).
-stash  | Create a stash file to allow for commands to run without prompting for password.
You may want to create a key with a specific label for a number of reasons:
- You want to keep track of the Master Key Labels and their corresponding keys for offsite recovery without having the entire keystore available on the backup site
- You have an HADR pair that must have synchronized keys
- You are encrypting a backup for an unencrypted database
Parameters (gsk8capicmd_64 secretkey add)
Keyword    | Use
-secretkey | Indicates that the command will insert a new master key into an existing keystore
-add       | Add a key to the keystore (Note: You can't drop a key using this command)
-db        | Keystore filename
-label     | Label under which the master key is stored
-pw        | Password for the keystore
-file      | Location of the AES key that will be used to encrypt the database key
-stashed   | Use the stash file instead of prompting for the password
Example
gsk8capicmd_64 secretkey add -db ~/db2/db2keys.p12 -label secret.key -stashed -file ~/db2/mysecretkey
On Linux, UNIX, and AIX use the following command to generate a 32-byte random string (which represents a 256-bit AES key):
head -c 32 /dev/random > ~/db2/mysecretkey
Parameters (gsk8capicmd_64 cert list / cert delete)
Common Keywords | Use
-db             | Keystore filename
-stashed        | Use the stash file instead of prompting for the password
-pw             | Password for the keystore
Delete          | -delete -label <label>
List            | -list
Examples
gsk8capicmd_64 cert list -db ~/db2/db2keys.p12 -stashed
gsk8capicmd_64 cert delete -db ~/db2/db2keys.p12 -stashed -label secret.key
Parameters (gsk8capicmd_64 cert export)
Keywords     | Use
-export      | Export a master key label from the keystore
-db          | Keystore filename
-stashed     | Use the stash file instead of prompting for the password
-pw          | Password for the keystore
-label       | Label of the master key to export
-target      | File to export the master key into
-target_pw   | Password for the target file
-target_type | Type of the target file (pkcs12)
Example
gsk8capicmd_64 cert export -db ~/db2/db2keys.p12 -stashed -label secret.key -target ~/db2/exportedkey.p12 -target_type pkcs12 -target_pw Str0ngPassw0rd
Parameters (gsk8capicmd_64 cert import)
Keywords     | Use
-import      | Import a master key label into the local keystore
-db          | Absolute location of the key that we want to import (not the current keystore)
-stashed     | Use the stash file for the local keystore password
-pw          | Password for the key that we exported from the original keystore
-label       | Label of the master key to import
-target      | Name of the local keystore file to place the contents of the master key into.
-target_pw   | Password for the keystore file, but you can use the stashed option
-target_type | Type of the local keystore (pkcs12)
Example
gsk8capicmd_64 cert import -db ~/db2/exportedkey.p12 -stashed -pw Str0ngPassw0rd -label secret.key -target ~/db2/db2keys.p12 -target_type pkcs12
PART TWO
Encrypting databases
The default encryption is AES 256, but users can select other algorithms and key lengths if they so desire:
CREATE DATABASE mydb ENCRYPT CIPHER AES KEY LENGTH 128;
CREATE DATABASE mydb ENCRYPT CIPHER 3DES KEY LENGTH 168;
CREATE DATABASE mydb ENCRYPT CIPHER AES KEY LENGTH 256 MASTER KEY LABEL mylabel;
Encryption Options
The ENCRYPT keyword has three options: CIPHER, KEY LENGTH, and MASTER KEY LABEL
CIPHER: AES or 3DES
KEY LENGTH: for AES encryption this can be 128, 192, or 256 bits
Default length is 256 for AES, and it can only be 168 for 3DES
Contents (encryption information columns)
ALGORITHM
ALGORITHM_MODE
KEY_LENGTH
MASTER_KEY_LABEL
KEYSTORE_NAME
KEYSTORE_TYPE: Type of keystore
KEYSTORE_HOST
KEYSTORE_IP
KEYSTORE_IP_TYPE
PREVIOUS_MASTER_KEY_LABEL: Master key label before the last master key rotation took place. If a master key rotation has not occurred, this value is the master key label
ROTATION_TIME
AUTH_ID: Authorization ID that was used during the last master key rotation
Key Rotation
The process of changing encryption keys for compliance purposes
It requires decrypting any key encrypted with the old key and then re-encrypting it with the new key
The data does not get re-encrypted!
Figure: Key Label SECRET.DB2INST1.2015.02.01 (Master Key -> DB2 Key) is rotated to Key Label SECRET.DB2INST1.2015.03.05 (Master Key -> DB2 Key); the same DB2 Key is re-encrypted under the new Master Key.
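The keystore slide and the key rotation slide describe one key hierarchy: a master key found by label in the keystore wraps the DB2 key, the DB2 key encrypts the data, and rotation re-wraps only the DB2 key. The following is an added example of that hierarchy in Python, not DB2's code. The SHA-256 counter-mode keystream is a toy stand-in for AES so the script runs on the standard library alone (it is not a cipher to use in production); the EncryptedDatabase class, wrap_key/unwrap_key and run_rotation_demo are my own construction, as is the HMAC tag on the wrapped key, which is how this example detects a master key that has the right label but the wrong key material. Labels reuse the deck's SECRET.DB2INST1.* examples; the key bytes are generated on the fly.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key, nonce, data):
    """XOR data with a SHA-256 counter-mode keystream. Toy stand-in for AES; not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def wrap_key(master_key, db_key):
    """Encrypt the DB key under the master key and append an HMAC tag, so that unwrapping with a
    master key that carries the same label but different bytes is detected instead of yielding garbage."""
    blob = encrypt(master_key, db_key)
    return blob + hmac.new(master_key, blob, hashlib.sha256).digest()


def unwrap_key(master_key, wrapped):
    blob, tag = wrapped[:-TAG_LEN], wrapped[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(master_key, blob, hashlib.sha256).digest(), tag):
        raise ValueError("master key does not match the key used to wrap the database key")
    return decrypt(master_key, blob)


class EncryptedDatabase:
    """Master key (keystore, by label) -> wrapped DB key (in the database image) -> data pages."""

    def __init__(self, keystore, master_key_label):
        self.db_key = secrets.token_bytes(32)                       # generated internally, never stored in clear
        self.wrapped_db_key = wrap_key(keystore[master_key_label], self.db_key)
        self.master_key_label = master_key_label
        self.previous_master_key_label = master_key_label           # equals the current label until the first rotation
        self.rotation_time = None
        self.pages = []

    def write_page(self, plaintext):
        self.pages.append(encrypt(self.db_key, plaintext))
        return len(self.pages) - 1

    def read_page(self, index):
        return decrypt(self.db_key, self.pages[index])

    def activate(self, keystore):
        """Recover the DB key from the image with the master key the keystore holds under our label."""
        self.db_key = unwrap_key(keystore[self.master_key_label], self.wrapped_db_key)

    def rotate_master_key(self, keystore, new_label):
        """Re-wrap the DB key under the new master key; data pages are not touched."""
        db_key = unwrap_key(keystore[self.master_key_label], self.wrapped_db_key)
        self.wrapped_db_key = wrap_key(keystore[new_label], db_key)
        self.previous_master_key_label = self.master_key_label
        self.master_key_label = new_label
        self.rotation_time = datetime.now(timezone.utc)


def run_rotation_demo():
    """Walk through create -> write -> rotate -> reopen with only the new master key; returns observations."""
    old, new = "SECRET.DB2INST1.2015.02.01", "SECRET.DB2INST1.2015.03.05"
    keystore = {old: secrets.token_bytes(32)}                      # constructed keystore: label -> master key
    db = EncryptedDatabase(keystore, old)
    page = db.write_page(b"account=4711;balance=100")              # constructed sample record
    page_before, wrapped_before = db.pages[page], db.wrapped_db_key
    keystore[new] = secrets.token_bytes(32)                        # like: gsk8capicmd_64 secretkey add -label <new>
    db.rotate_master_key(keystore, new)
    del keystore[old]                                              # old master key no longer needed to open the db
    db.db_key = None
    db.activate(keystore)
    try:                                                           # same label, wrong key material
        unwrap_key(secrets.token_bytes(32), db.wrapped_db_key)
        wrong_key_detected = False
    except ValueError:
        wrong_key_detected = True
    return {
        "page_ciphertext_unchanged": db.pages[page] == page_before,
        "wrapped_db_key_changed": db.wrapped_db_key != wrapped_before,
        "plaintext_after_rotation": db.read_page(page),
        "master_key_label": db.master_key_label,
        "previous_master_key_label": db.previous_master_key_label,
        "wrong_master_key_detected": wrong_key_detected,
    }


if __name__ == "__main__":
    print(run_rotation_demo())
```

The demo shows the two properties the slide states: after rotation the page ciphertext is byte-for-byte unchanged while the wrapped DB2 key is not, and the database opens with only the new label in the keystore. It also records the old label as PREVIOUS_MASTER_KEY_LABEL and a ROTATION_TIME, mirroring the encryption-information columns listed above.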
PART TWO
Backup and restore
Platform | Compression    | Encryption    | Both
Windows  | db2compr.dll   | db2encr.dll   | db2compr_encr.dll
Linux    | libdb2compr.so | libdb2encr.so | libdb2compr_encr.so
AIX      | libdb2compr.a  | libdb2encr.a  | libdb2compr_encr.a

ENCROPTS options
Purpose          | Values
Cipher           | AES, 3DES
Length           | 128, 192, or 256 for AES; 168 for 3DES
Master Key Label | Optional name of the Master Key Label used to encrypt the database key (String)
Overriding the backup encryption level requires that SECADM update the ENCROPTS settings
A database backup can have a different level of encryption than the database itself
The ENCROPTS can also be set manually on the BACKUP command, but that would require that the database ENCROPTS parameter be set to NULL
Supplying no ENCROPTS on the BACKUP would result in default encryption settings (AES 256)
Setting ENCRLIB to NULL and ENCROPTS to NULL will allow the DBA to back up the database with NO ENCRYPTION
Example:
BACKUP DATABASE SECRET TO /HOME/DB2INST1/DB2 ENCRYPT ENCRLIB 'libdb2encr.so' ENCROPTS 'Cipher=AES:Key Length=256'
RESTORE will use the existing database encryption settings to encrypt the data being restored
The encryption settings cannot be changed when restoring into an existing database
Encryption information from the backup will be placed into the db2dump directory
A file with the following name will be generated:
<DATABASE>.#.<instance>.<partition>.<timestamp>.masterkeydetails
You can then use the ENCROPTS 'Master Key Label=xxx' option on the RESTORE command to decrypt the backup with the proper master key
Restore to a new copy of the Encrypted Database with different encryption options:
RESTORE DATABASE SECRET FROM /db2 ENCRYPT CIPHER AES KEY LENGTH 192
Extract the Master Key Label information from the backup image:
RESTORE DATABASE SECRET FROM /db2 ENCRYPT ENCROPTS 'show master key details'
Restore to a new copy of the database and have it encrypted using the defaults:
RESTORE DATABASE NOSECRET FROM /db2 ENCRYPT
Restore to a new copy of the Encrypted Database with different encryption options:
RESTORE DATABASE NOSECRET FROM /db2 ENCRYPT CIPHER AES KEY LENGTH 192
Encrypt backups of the unencrypted database NOSECRET by setting its ENCRLIB/ENCROPTS configuration, then back it up:
UPDATE DB CONFIG FOR NOSECRET USING ENCRLIB '/home/db2inst1/sqllib/lib/libdb2encr.so' ENCROPTS 'Cipher=AES:Key length=128:Master Key Label=secret.key'
BACKUP DATABASE NOSECRET TO /db2
Copy the master key to the backup site and add the key to the backup site keystore:
gsk8capicmd cert import -db secret.p12 -pw Str0ngPassw0rd -stashed -label secret.key -target ~/db2/backup.p12 -target_type pkcs12
PART TWO
Utilities, diagnostics and other considerations
Figure: Backup / Restore (diagram slide)
HADR Considerations
Normally both primary and secondary databases are encrypted
Possible to only have the primary or secondary encrypted
On HADR startup, an admin warning message will be produced
Update local and backup instance with the location and type of keystore:
UPDATE DBM CONFIG USING KEYSTORE_NAME /home/db2inst1/db2/db2keys.p12 KEYSTORE_TYPE PKCS12
Create the primary database using the master key label, set up HADR, and then back up the database:
CREATE DATABASE SECRET ENCRYPT MASTER KEY LABEL secret.key
(setup of HADR primary)
BACKUP DATABASE SECRET TO ~/db2
Tooling Changes
Tools with encryption support: db2cklog, db2flsn, db2LogsForRfwd, db2ckbkp, db2adutl, db2dart
These tools will use the keystore specified in the DBM CFG KEYSTORE_LOCATION parameter
Additional arguments used to connect to the keystore if the password is not stashed:
-kspassword password
-kspassarg fd:file_descriptor | filename:file_name
-ksprompt
PART THREE
Deep Dive
PKCS12 Keystore
When DB2 inserts a new Master Key into the keystore, it logs an admin message to remind the customer to back up the keystore:
2015-01-12-12.03.57.408278 Instance:gstager Node:000
PID:20764(db2agent (instance)) TID:3443517760 Appid:*LOCAL.gstager.150112170356
bsu security sqlexInsertNewMasterKeyLabel Probe:519 Database:
ADM8014W Backup the keystore.
DBM CFG parameters:
KEYSTORE_TYPE PKCS12
KEYSTORE_LOCATION fully qualified path of the keystore
The exceptions when the customer needs to manually create master keys and labels:
- HADR
- Sharing encrypted backups without exposing all keys in the keystore
They might have the same label, but will have a different key. DB2 can
detect this:
Label=no_such_label'" ;
SQL2062N An error occurred while accessing media "libdb2encr.so". Reason code: "1".
$ db2 "backup db testdb compress comprlib 'libdb2encr.so' compropts 'Cipher=AES:Key Length=257:Master Key Label=label_mihai'" ;
SQL2062N An error occurred while accessing media "libdb2encr.so". Reason code: "1".
db2diag.log entries:
2015-01-09-15.56.29.008456 Instance:miacob Node:000
PID:6131(db2bm.41.0 (TESTDB)) TID:3330271552 Appid:*LOCAL.miacob.150109205625
bsu security InitEncryption Probe:911 Database:TESTDB
ADM8013E The command or operation failed due to an error in the encryption or compression library.
2015-01-09-15.59.59.878013 Instance:miacob Node:000
PID:6131(db2bm.152.0 (TESTDB)) TID:3300911424 Appid:*LOCAL.miacob.150109205957
bsu security InitEncryption Probe:911 Database:TESTDB
ADM8013E The command or operation failed due to an error in the encryption or compression library.
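Both failing backups above (a label that is not in the keystore, a key length of 257) surface only as a generic SQL2062N / ADM8013E, with the real cause in db2diag.log. As an added example (not DB2 code), here is a Python validator that applies the rules this deck states for the ENCROPTS string: Cipher is AES or 3DES; AES key length is 128, 192 or 256 and 3DES only 168; an absent ENCROPTS means AES 256; Master Key Label is optional and, when a set of keystore labels is supplied, must exist there (the condition db2diag.log reports as SQLEX_KEYSTORE_LABEL_DOES_NOT_EXIST); and 'show master key details' is accepted as the special RESTORE value. Option names are matched case-insensitively because the deck itself writes both 'Key Length' and 'Key length'. The names parse_encropts, validate_encropts, is_rejected and the sample label set are my own.

```python
# Key lengths (bits) allowed per cipher, per the deck's Encryption Options slide
VALID_KEY_LENGTHS = {"AES": {128, 192, 256}, "3DES": {168}}
DEFAULT_KEY_LENGTH = {"AES": 256, "3DES": 168}
KNOWN_OPTIONS = {"cipher", "key length", "master key label"}
SHOW_MASTER_KEY_DETAILS = "show master key details"


def parse_encropts(encropts):
    """Split 'Cipher=AES:Key Length=256:Master Key Label=x' into {lower-cased name: value}."""
    opts = {}
    if encropts is None or not encropts.strip():
        return opts
    for item in encropts.split(":"):
        if "=" not in item:
            raise ValueError(f"malformed ENCROPTS item {item!r}: expected Name=Value")
        name, value = item.split("=", 1)
        opts[name.strip().lower()] = value.strip()
    return opts


def validate_encropts(encropts, keystore_labels=None):
    """Return the effective {cipher, key_length, master_key_label} or raise ValueError.
    keystore_labels: optional set of labels present in the keystore, used to check Master Key Label."""
    if encropts is not None and encropts.strip().lower() == SHOW_MASTER_KEY_DETAILS:
        return {"show_master_key_details": True}
    opts = parse_encropts(encropts)
    unknown = set(opts) - KNOWN_OPTIONS
    if unknown:
        raise ValueError(f"unknown ENCROPTS option(s): {sorted(unknown)}")
    cipher = opts.get("cipher", "AES").upper()
    if cipher not in VALID_KEY_LENGTHS:
        raise ValueError(f"unsupported Cipher {cipher!r}; use AES or 3DES")
    if "key length" in opts:
        if not opts["key length"].isdigit():
            raise ValueError(f"Key Length must be a number, got {opts['key length']!r}")
        key_length = int(opts["key length"])
    else:
        key_length = DEFAULT_KEY_LENGTH[cipher]       # no length given: deck says AES defaults to 256
    if key_length not in VALID_KEY_LENGTHS[cipher]:
        raise ValueError(f"Key Length {key_length} is not valid for {cipher}; "
                         f"allowed: {sorted(VALID_KEY_LENGTHS[cipher])}")
    label = opts.get("master key label")
    if label is not None and keystore_labels is not None and label not in keystore_labels:
        raise ValueError(f"Master Key Label {label!r} is not in the keystore "
                         "(what db2diag.log reports as SQLEX_KEYSTORE_LABEL_DOES_NOT_EXIST)")
    return {"cipher": cipher, "key_length": key_length, "master_key_label": label}


def is_rejected(encropts, keystore_labels=None):
    """True if validate_encropts would refuse this ENCROPTS string."""
    try:
        validate_encropts(encropts, keystore_labels)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    labels = {"label_mihai", "secret.key"}    # constructed: labels present in a sample keystore
    for s in (None,
              "Cipher=AES:Key length=128:Master Key Label=secret.key",
              "Cipher=AES:Key Length=257:Master Key Label=label_mihai",
              "Cipher=AES:Key Length=256:Master Key Label=no_such_label",
              "show master key details"):
        print(repr(s), "->", "REJECTED" if is_rejected(s, labels) else validate_encropts(s, labels))
```

The label set can be filled from the output of gsk8capicmd_64 cert list -db <keystore> -stashed so the check reflects the keystore the backup or restore will actually use.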
/home/miacob/sqllib/db2dump:$ cat TESTDB.0.miacob.DBPART000.20150109155924.masterKeyDetails
Note that at restore time we will try the labels used to encrypt the
backup image one by one if a label is not specified via 'encropts'.
How to diagnose:
- Look at the db2diag.log for the real error (SQLEX_KEYSTORE_LABEL_DOES_NOT_EXIST)
- Use 'show master key details' via encropts on the restore command to generate the .masterKeyDetails file in db2dump and find out the master key label used to encrypt the backup and the location of the keystore on the source system.
- Extract this key from the source system keystore, securely copy it to the target system, import it into the keystore, re-run the restore.
This is applicable to any database-level image, not to tablespace restore (which uses the existing db's setting) or snapshot restore (which uses the setting in the image).
Examples:
BAD. Note: sample does not exist prior to the restore (e.g. moving to a new system)
STANDBY:
- db2 update dbm cfg using keystore_name <key store path on standby>
- db2 restore db sample encrypt ...
How can the keystores at the primary and standby be kept in sync:
PRIMARY:
- Add new master key label <Y> to the key store on the primary database.
- CALL SYSPROC.ROTATE_MASTER_KEY('<Y>');
Instance:geoffrey Node:000
PID:17361(db2hadrs.0.0 (HADRDB)) TID:1065347392 Appid:none
hdrEdu::hdrEduS Probe:21719 Database:HADRDB
ADM12517E
If the problem is resolved within the timeout period (30 mins), the systems will reconnect and HADR continues. Otherwise, HADR will shut down and users have to restart HADR after the issue is resolved.
- Determine the label using db2pd -encr or the table function (covered in a later section)
- Extract it from the primary system's keystore.
- Import it into the standby system's keystore.
- Use this label when restoring the backup to create the standby database
db2pdlog
db2fmtlog
db2cklog
db2flsn
db2LogsForRfwd
db2UncompressLog
db2ckbkp
db2adutl
db2dart
These tools will use the keystore specified in the DBM CFG
KEYSTORE_LOCATION parameter. There's no way to specify
another keystore file through the tools.
Run-time PD functions
DB CFG parameter "Encrypted database" to see if the db is encrypted
ADMIN_GET_ENCRYPT_INFO() table function
New db2pd option -encryptioninfo (-enc)
db2pd -db dynam -encryptioninfo
Database Member 0 -- Database DYNAM -- Active -- Up 0 days 00:00:16 -- Date 2015-01-09-14.24.13.275668
Encryption Info:
  Object Name:               DYNAM
  Object Type:               DATABASE
  Algorithm:                 AES
  Algorithm Mode:            CBC
  Key Length:                256
  Master Key Label:          DB2_SYSGEN_geoffrey_DYNAM_2015-01-09-14.20.58
  Rotation Time:             2015-01-09-14.20.59.000000
  Appid:                     *LOCAL.geoffrey.150109192055
  Auth ID:                   GEOFFREY
  Previous Master Key Label: DB2_SYSGEN_geoffrey_DYNAM_2015-01-09-14.20.58
KeyStore Info:
  KeyStore Type:             PKCS12
  KeyStore Location:         /home/geoffrey/sqllib/keystore.p12
  KeyStore Host Name:        hotel80.torolab.ibm.com
  KeyStore IP Address:       9.26.120.37
  KeyStore IP Address Type:  IPV4
THANK YOU