Perform the following tasks to enable and test encryption in Db2:
  1. Create the KMIP configuration file.
  2. Configure Db2 to use the CryptoHub.
  3. Create the encrypted database and verify the integration.

Create the configuration file

Perform the following steps to create the KMIP configuration file:

1. Open a text editor and create a kmip.cfg configuration file with the following details:

    VERSION=1
    PRODUCT_NAME=OTHER
    ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
    SSL_KEYDB=C:\Path\to\clientkeydb.p12
    SSL_KEYDB_STASH=C:\Path\to\clientkeydb.sth
    SSL_KMIP_CLIENT_CERTIFICATE_LABEL=<LABEL OF CLIENT CERTIFICATE>
    ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
    MASTER_SERVER_HOST=<IP ADDRESS OF CryptoHub>
    MASTER_SERVER_KMIP_PORT=<KMIP PORT>

   The following example shows a completed configuration file:

    VERSION=1
    PRODUCT_NAME=OTHER
    ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
    SSL_KEYDB=C:\Certs\clientkeydb.p12
    SSL_KEYDB_STASH=C:\Certs\clientkeydb.sth
    SSL_KMIP_CLIENT_CERTIFICATE_LABEL=ibmdb2
    ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
    MASTER_SERVER_HOST=10.0.8.79
    MASTER_SERVER_KMIP_PORT=5696

2. Save the file to your working folder (such as C:\Certs).
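Before the file is handed to Db2, it is worth checking it for the mistakes this procedure invites: a <...> placeholder left unfilled, a required parameter missing, a port that is not a TCP port, or an ALLOW_* switch left at its permissive value. The following Python check is an added example, not Futurex or IBM code; the parameter names are the ones listed above and the embedded sample is the completed file from this page.

```python
"""Pre-flight lint for a Db2 KMIP key store file (kmip.cfg). Added example, not
Futurex/IBM code: run it before `update dbm cfg using keystore_location` points Db2 at it."""
import re

REQUIRED = ("VERSION", "PRODUCT_NAME", "SSL_KEYDB", "SSL_KEYDB_STASH",
            "SSL_KMIP_CLIENT_CERTIFICATE_LABEL", "MASTER_SERVER_HOST",
            "MASTER_SERVER_KMIP_PORT")
PERMISSIVE = {  # ALLOW_* switches that relax a check when set to true
    "ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP": "keys can be inserted without a key store backup",
    "ALLOW_NONCRITICAL_BASIC_CONSTRAINT": "CA certs with non-critical Basic Constraints are accepted",
}
PLACEHOLDER = re.compile(r"<[^>]*>")  # e.g. <KMIP PORT> left unfilled

def parse_kmip_cfg(text):
    """Parse KEY=VALUE lines; keys are upper-cased, values kept verbatim (labels are case-sensitive)."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {line!r}")
        key, _, value = line.partition("=")
        cfg[key.strip().upper()] = value.strip()
    return cfg

def lint_kmip_cfg(cfg):
    """Return (severity, message) findings; an empty list means the file is clean."""
    out = [("error", f"{k} is missing") for k in REQUIRED if k not in cfg]
    out += [("error", f"{k} still contains a placeholder: {v}")
            for k, v in cfg.items() if PLACEHOLDER.search(v)]
    port = cfg.get("MASTER_SERVER_KMIP_PORT", "")  # absent port is already reported above
    if port and not PLACEHOLDER.search(port) and not (port.isdigit() and 0 < int(port) < 65536):
        out.append(("error", f"MASTER_SERVER_KMIP_PORT is not a TCP port: {port!r}"))
    out += [("note", f"{k}=true: {why}") for k, why in PERMISSIVE.items()
            if cfg.get(k, "").lower() == "true"]
    return out

SAMPLE_CFG = r"""VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Certs\clientkeydb.p12
SSL_KEYDB_STASH=C:\Certs\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=ibmdb2
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=10.0.8.79
MASTER_SERVER_KMIP_PORT=5696
"""  # constructed sample: the completed file shown on this page
if __name__ == "__main__": print(*lint_kmip_cfg(parse_kmip_cfg(SAMPLE_CFG)), sep="\n")
```

On the page's completed file the only finding is the note about ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP; the template with <...> placeholders produces one error per unfilled value and per missing parameter.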

Configure Db2

Perform the following steps to configure Db2 to use the CryptoHub:

1. Open the Db2 command line processor.

2. Run the following commands to point Db2 at the CryptoHub by using the configuration file:

    db2 => update dbm cfg using keystore_location C:\Certs\kmip.cfg
    db2 => update dbm cfg using keystore_type kmip

3. Run the following commands to restart the Db2 instance:

    db2 => db2stop
    db2 => db2start

Create the encrypted database

Perform the following steps to create the encrypted database and verify the integration:

1. In the IBM Db2 Command Line Processor, run the following command to create an encrypted database:

    db2 => create db fxencdb encrypt

   Replace fxencdb with the desired database name. Database names must not be longer than eight characters.

2. When the preceding command runs, the master encryption key is generated inside the IBM Db2 service on the CryptoHub. The following message is displayed when the command completes successfully:

    DB20000I  The CREATE DATABASE command completed successfully.

3. Verify that the database is encrypted by running the following command:

    db2 => get db cfg for fxencdb

   Ensure that the Encrypted Database configuration parameter is set to YES in the command output.

4. Verify that the key was created on the CryptoHub by going to Key Management > Keys. The HSM-protected key generated for IBM Db2 follows a naming scheme similar to the following:

    DB2_SYSGEN_DB2_FXENCDB_2024-04-18-11.47.35_4A9769C4

For more information on configuring a KMIP key store with IBM Db2, consult the IBM documentation (www.ibm.com/docs/en/db2/11.5?topic=keystore-kmip-configuration-file#t0062025).