Thursday, November 7, 2019

Control your database encryption keys for Db2 on Cloud

Db2 master key managed by IBM Cloud Key Protect
Since Db2 10.5 I have blogged a couple of times about the native database encryption built into Db2. Today, I want to show you how easy it is to take control of the database encryption keys for Db2 on Cloud. All Db2 database on IBM Cloud are encrypted by default, but with a system encryption key. You can increase data security even further by using your own encryption key (BYOK - bring your own key). Want to know how? Read on...

Database Encryption in Db2

When enabled, Db2 encrypts data stored on disk and database backups. It uses the common two-tier approach, encrypting data with a Data Encryption Key (DEK) and wrapping the DEK with a Master Key (MK). The DEK is permanent. The MK can (and should) be rotated from time to time.

Db2 supports local as well as centralized keystores, including those based on Key Management Interoperability Protocol (KMIP).

Encryption Key Management on IBM Cloud

Many of the services on IBM Cloud deal with data and for security reasons the data is encrypted by default. To give clients a higher degree of security, many of these services offer to use a user-provided key - bring your own key (BYOK). Those keys need to be managed and safeguarded. For that, either the Key Protect (KP) service or the even more secure, mainframe-based Hyper Protect Crypto Services (HPCS) can be used. The latter provides a dedicated encapsulated Hardware Security Module (HSM) with the highest security standard FIPS 140-2 Level 4. See my blog from earlier this year on how to set up a Hyper Protect Crypto Services instance.

Both KP and HPCS allow to import or generate keys and then share them with authorized cloud services.

Use your Encryption Keys for Db2 on Cloud

Once you have set up a Key Protect service and granted either all Db2 services or the specific instance Reader access to KP, you can use your own encryption keys with Db2 on Cloud. Go to the Settings menu in the Db2 console and select Manage Keys. If you are using the system encryption keys, you can migrate the database to use your own key.

Pick your Key Protect instance and root key
You are prompted to first select the Key Protect instance, thereafter the root key to use for the Db2 Master Key (see above). Next, you have to confirm that you want to migrate the encryption key to the selected values (see below).

Confirm the Db2 key migration to Key Protect
Thereafter, the migration is started and you can check for the status. The required time depends on the database size. Thus, if you start with a fresh database it is only a matter of few seconds.
Migration of Db2 encryption key is in progress
Now, Db2 on Cloud uses your encryption key which is protected by IBM Cloud Key Protect. The Manage Keys configuration shows that the migration is over and how the data at rest is encrypted (see screenshot in the introduction).


It is possible to control your database encryption keys for Db2 on Cloud. With few steps and not much effort you can increase the level of security. I highly recommend trying it out and use it in production. And as always make sure to read the deployment considerations in the documentation.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.