DB2 – Transparent Data Encryption (DB2 10.5.5 on SLES12)

I was involved in software evaluation focused on TDE (Oracle, SQLServer, DB2) few months ago. I was really surprised that DB2 was lacking this feature within database package and it was needed to use another IBM product. With 10.5.5 version of DB2, this feature was added. Finally! 🙂

If you’re not a manager in Deutsche Telekom, you should probably expect (or at least you are able to find information) what TDE means. One picture for many words and very few words from my side: TDE is securing data in rest (datafiles) against unauthorized access in a storage layer (theft, linux/unix root, etc.).

DB2 is encrypting on database level. It’s a pitty – tablespace/column would be better granularity approach – maybe in next updates 😉 There are few steps you need to follow:

1) Setting paths for generating key

First of all you need to adjust 2 variables – PATH and LD_LIBRARY_PATH. As my db2 account is default (= instance owner) – db2inst1 – I’m adjusting /home/db2inst1/sqllib/db2profile . My default db2profile consist of this section dedicated to LD_LIBRARY_PATH:

I should add one more lib to 32-bit library directory (it is strictly recommended to include this library path, although you’re running 64-bit OS + 64-bit DB2). You can do it intuitively according previous paths or classical way = block after my adjustments looks:

Now you need to locate gskit binaries – not really hard, right? 🙂 I’m changing


Please adjust path according your install directory. These two changes are enough – you should save changes done to your db2profile file, logout and login to see changes.

2) Generating key

First of all you can check your gsk version:

You can say something about spamming – but i can imagine many situation when this huge output is necessary :-). Let’s try to generate your stash – welcome to gsk8capicmd syntax 🙂 Please check this 100-page instruction for command usage/options. First attempt:

I think all parameters are +- intuitive. Just -strong is forcing strong password (eagle is not a strong password, indeed) and -stash is creating stash file, useful when you want to provide password when database starts. Second attempt:

seems ok for us – you can check newly created files:

3) Connecting DB2 with stash

As you can imagine, all this is leading to change some parameter, pointing into .p12 file. Exactly! Please all, welcome 2 brand new parameters for database manager: KEYSTORE_TYPE and KEYSTORE_LOCATION.

Ok, so we adjust these values according our case and change dbm cfg:

4) Creating encrypted database

Here we go!

And that’s all.

5) Verification

We will create tst database (non-encrypted) with tst1 table consisting of one column, credit card number. We will try to retrieve this CC# by strings command (just reminding my older post):

As you can see, CC# was discovered without any troubles.

Now we can try the same actions in tst_enc database:

Data are stored encrypted, as we wished.

You can find more information about this new feature on website + check this article.


This entry was posted in DB2. Bookmark the permalink.

Comments are closed.