Enable and test encryption in IBM Db2

3min
Perform the following tasks to enable and test encryption in Db2:
1 | Create the KMIP configuration file
1
Open a text editor and create a kmip.cfg configuration file with the following details:
Text
VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Path\to\clientkeydb.p12
SSL_KEYDB_STASH=C:\Path\to\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=<LABEL OF CLIENT CERTIFICATE>
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=<IP ADDRESS OF CryptoHub>
MASTER_SERVER_KMIP_PORT=<KMIP PORT>
VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Path\to\clientkeydb.p12
SSL_KEYDB_STASH=C:\Path\to\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=<LABEL OF CLIENT CERTIFICATE>
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=<IP ADDRESS OF CryptoHub>
MASTER_SERVER_KMIP_PORT=<KMIP PORT>
﻿
An example configuration file is as follows:
Text
VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Certs\clientkeydb.p12
SSL_KEYDB_STASH=C:\Certs\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=ibmdb2
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=10.0.8.79
MASTER_SERVER_KMIP_PORT=5696
VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Certs\clientkeydb.p12
SSL_KEYDB_STASH=C:\Certs\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=ibmdb2
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=10.0.8.79
MASTER_SERVER_KMIP_PORT=5696
﻿
2
Save the file to your working folder (such as C:\Certs).
2 | Configure Db2 to use the ﻿
1
Open the Db2 Command Line Processor.
2
Run the following commands to point to the  by using the configuration file:
Text
db2 => update dbm cfg using keystore_location C:\Certs\kmip.cfg
db2 => update dbm cfg using keystore_type kmip
db2 => update dbm cfg using keystore_location C:\Certs\kmip.cfg
db2 => update dbm cfg using keystore_type kmip
﻿
3
Run the following commands to bounce the database:
Text
db2 => db2stop
db2 => db2start
db2 => db2stop
db2 => db2start
﻿
3 | Create the encrypted database and verify the integration
1
In the IBM Db2 Command Line Processor, run the following commands to create an encrypted database:
Text
db2 => create db fxencdb encrypt
db2 => create db fxencdb encrypt
﻿
Replace fxencdb with the desired database name. Note that database names can be a max of eight characters.
2
After running the above command, the master encryption key will be generated inside the IBM Db2 service on the . 
The following message displays after the process successfully completes:
Text
DB20000I  The CREATE DATABASE command completed successfully.
DB20000I  The CREATE DATABASE command completed successfully.
﻿
3
Verify the database has been successfully encrypted by executing the following command:
Text
db2 => get db cfg for fxencdb
db2 => get db cfg for fxencdb
﻿
Ensure that the Encrypted Database configuration parameter is set to YES in the command response.
4
Verify the creation of the key on the  by going to Key Management > Keys. The HSM Protected key generated for IBM DB2 is similar to the following naming scheme:
Text
DB2_SYSGEN_DB2_FXENCDB_2024-04-18-11.47.35_4A9769C4
DB2_SYSGEN_DB2_FXENCDB_2024-04-18-11.47.35_4A9769C4
﻿
For more information on configuring a KMIP key store with IBM DB2, consult the IBM documentation.
Updated 09 Dec 2024
Did this page help you?
Configure IBM Db2
Microsoft SQL Server
Enable and test encryption in IBM Db2

1 | Create the KMIP configuration file

2 | Configure Db2 to use the ﻿

3 | Create the encrypted database and verify the integration

2 | Configure Db2 to use the
