Monday, July 12, 2021

Cloud-based HSM with PKCS #11 for Db2 Native Encryption

Manage your encryption keys
When using Db2 databases, there are different ways to encrypt the stored data (data at rest). One of them is the built-in feature, Db2 native encryption. It supports three kinds of keystores: a local keystore file, or a centralized key management system (KMS) reached over either the KMIP or the PKCS #11 protocol.

Today, I want to point you to a tutorial in the IBM Cloud documentation. It discusses using Hyper Protect Crypto Services PKCS #11 for Db2 native encryption.

The tutorial provides step-by-step instructions on how to provision and initialize an instance of Hyper Protect Crypto Services (HPCS) and then configure it for use as the keystore for Db2. HPCS is a cloud-based Hardware Security Module (HSM) with the highest security rating, FIPS 140 Level 4. It allows you to import your keys from other keystores (bring your own key / BYOK, keep your own key / KYOK). Thus, an HPCS instance can be used in addition to, or as a backup for, an on-premises KMS.

With that introduction, check out the tutorial on using the cloud-based HSM with PKCS #11 for Db2 native encryption.