The key to security (Evan-Amos via Wikipedia) |
DB2 uses a two tier approach for encrypting the data. A so-called Data Encryption Key (DEK) is the one actually taken as input for the encryption algorithm. To prevent others from accessing and seeing the DEK, a second layer is added and the so-called Master Key (MK) comes into play. The MK is used to encrypt the DEK. The encrypted DEK is stored inside the database, the MK outside of it and there are options for how to handle it. Walid has details about the encryption keys and the overall architecture in his blog.
Because the Master Key is stored outside of the database and is the one that needs to provided when starting up DB2, it is a good time to change it from time to time. Many companies actually have security policies that require periodical change of passwords. That is the moment to use the new DB2 administrative procedure ADMIN_ROTATE_MASTER_KEY. If you went with the option of DB2 generating the MK for you (I did for simplicity), then you only have to call the procedure and be done:
db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY (NULL)"
Value of output parameters
--------------------------
Parameter Name : LABEL
Parameter Value : DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20
Return Status = 0
The call generates a new master key and associated label and then re-encrypts the Data Encryption Key with the new MK. If you provided a Master Key and label during the setup yourself, then you have to change the MK first and then call the procedure with the label as parameter.
Of course, if you noted down that generic label that DB2 generated for you, then you could use it as input. It would use the stored Master Key to re-encrypt the DEK. It would not change any password in that case. So be careful!
db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY ('DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20')"
Value of output parameters
--------------------------
Parameter Name : LABEL
Parameter Value : DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20
Return Status = 0