Thursday, January 22, 2015

Boss, I rotated the keys! (DB2 database encryption)

In my previous entry I wrote about how I created an encrypted database. Today, I am showing you how I rotated one of the keys used for the DB2 native encryption.
The key to security (Evan-Amos via Wikipedia)

DB2 uses a two-tier approach for encrypting the data. A so-called Data Encryption Key (DEK) is the key actually fed into the encryption algorithm. To prevent others from accessing and seeing the DEK, a second layer is added: the so-called Master Key (MK) comes into play. The MK is used to encrypt the DEK. The encrypted DEK is stored inside the database, while the MK lives outside of it in a keystore, and there are options for how to manage that keystore. Walid has details about the encryption keys and the overall architecture in his blog.

Because the Master Key is stored outside of the database and is the key that has to be available when DB2 starts up, it is good practice to change it from time to time. Many companies actually have security policies that require periodic change of passwords and keys. That is the moment to use the new DB2 administrative procedure ADMIN_ROTATE_MASTER_KEY. If you went with the option of DB2 generating the MK for you (I did for simplicity), then you only have to call the procedure with NULL and be done:


db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY (NULL)"

  Value of output parameters
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20

  Return Status = 0


The call generates a new master key and an associated label and then re-encrypts the Data Encryption Key with the new MK; the data itself is not re-encrypted, because the DEK stays the same. If you provided a Master Key and label during the setup yourself, then you first have to add a new MK under a new label to the keystore and then call the procedure with that new label as the parameter.

Of course, if you noted down the generic label that DB2 generated for you, then you could use it as input. The procedure would then take the stored Master Key for that label and simply re-encrypt the DEK with the very same key. No key is actually changed in that case, even though the call succeeds with Return Status = 0 and hands the old label back. So be careful, and check which label is currently in use (the ADMIN_GET_ENCRYPTION_INFO table function reports the master key label the database is encrypted with) before and after you rotate. Here is the no-op case:


db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY ('DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20')"

  Value of output parameters
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20

  Return Status = 0
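
To make the two-tier scheme concrete, and to show exactly what a master key rotation touches and what it leaves alone, here is an added example in Go. It is not DB2 code and not from the original post: an in-memory stand-in for the external keystore and for the encrypted database, with AES-256-GCM used both for the data and for wrapping the DEK. The Keystore map, the EncryptedDB struct, the function names and the sample row are all constructed for this illustration; DB2's real on-disk formats and key handling are not reproduced here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Keystore is a constructed stand-in for DB2's external keystore: label -> 256-bit master key.
type Keystore map[string][]byte

// EncryptedDB is what lives inside the database.
type EncryptedDB struct {
	Data       []byte // rows encrypted under the DEK (AES-256-GCM)
	WrappedDEK []byte // the DEK encrypted under a master key (AES-256-GCM)
	MKLabel    string // keystore label of the master key that wrapped the DEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no entropy source: nothing sensible to continue with
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts plaintext under key, prepending a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a missing key, a wrong key or tampered bytes all fail.
func open(key, sealed []byte) ([]byte, error) {
	if len(key) != 32 || len(sealed) < 12 { // AES-256 key, 12-byte GCM nonce
		return nil, fmt.Errorf("missing key or truncated ciphertext")
	}
	gcm := gcmFor(key)
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// CreateEncryptedDB encrypts the data under a fresh DEK and stores that DEK
// only in wrapped form, under the master key named by mkLabel.
func CreateEncryptedDB(ks Keystore, mkLabel string, plaintext []byte) (*EncryptedDB, error) {
	mk, ok := ks[mkLabel]
	if !ok {
		return nil, fmt.Errorf("master key %q not in keystore", mkLabel)
	}
	dek := randomBytes(32) // the DEK: generated here, never stored in the clear
	return &EncryptedDB{Data: seal(dek, plaintext), WrappedDEK: seal(mk, dek), MKLabel: mkLabel}, nil
}

// RotateMasterKey mirrors what the post says ADMIN_ROTATE_MASTER_KEY does: unwrap
// the DEK with the current master key and re-wrap it under newLabel. The data
// ciphertext is untouched; passing the current label re-wraps with the same key.
func RotateMasterKey(db *EncryptedDB, ks Keystore, newLabel string) error {
	newMK, ok := ks[newLabel]
	if !ok {
		return fmt.Errorf("master key %q not in keystore", newLabel)
	}
	dek, err := open(ks[db.MKLabel], db.WrappedDEK)
	if err != nil {
		return fmt.Errorf("unwrap DEK with %q: %w", db.MKLabel, err)
	}
	db.WrappedDEK, db.MKLabel = seal(newMK, dek), newLabel
	return nil
}

// Decrypt walks keystore -> master key -> DEK -> data.
func Decrypt(db *EncryptedDB, ks Keystore) ([]byte, error) {
	dek, err := open(ks[db.MKLabel], db.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with %q: %w", db.MKLabel, err)
	}
	return open(dek, db.Data)
}

func main() {
	ks := Keystore{"MK_2015_01": randomBytes(32), "MK_2015_02": randomBytes(32)}
	db, _ := CreateEncryptedDB(ks, "MK_2015_01", []byte("constructed sample row"))
	if err := RotateMasterKey(db, ks, "MK_2015_02"); err != nil {
		panic(err)
	}
	delete(ks, "MK_2015_01") // the old master key is no longer needed anywhere
	pt, err := Decrypt(db, ks)
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
}
```

Rotating to a fresh label leaves the data ciphertext byte-for-byte identical and only replaces the wrapped DEK, which is why the old master key can be retired afterwards while the DEK itself never changes. Calling the rotation with the label already in use re-wraps with the same key and rotates nothing. Changing the DEK would mean decrypting and re-encrypting all of the data, which is a very different operation from this procedure call.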

2 comments:

Anonymous said...

This doesn't rotate the DEK, however; just the Master Key that encrypts the DEK. So the actual database is still encrypted with the same key. This does not meet PCI requirements that require rotation of the DEK. You would have to create a new database encrypted with a new key and restore a backup of your database to it.

Henrik Loeser (data_henrik) said...

Yes, the DEK (stored inside the database) is not changed, only the master key which is stored outside. This is stated in the blog entry.

Based on my basic knowledge of PCI DSS rotating the MEK (and not the DEK) is good enough. The DEK is system-generated before (symmetric) data encryption and remains untouched by users. It is stored secured inside the database.

Henrik
