I was involved in software evaluation focused on TDE (Oracle, SQLServer, DB2) few months ago. I was really surprised that DB2 was lacking this feature within database package and it was needed to use another IBM product. With 10.5.5 version of DB2, this feature was added. Finally! 🙂
If you’re not a manager in Deutsche Telekom, you should probably expect (or at least you are able to find information) what TDE means. One picture for many words and very few words from my side: TDE is securing data in rest (datafiles) against unauthorized access in a storage layer (theft, linux/unix root, etc.).
DB2 is encrypting on database level. It’s a pitty – tablespace/column would be better granularity approach – maybe in next updates 😉 There are few steps you need to follow:
1) Setting paths for generating key
First of all you need to adjust 2 variables – PATH and LD_LIBRARY_PATH. As my db2 account is default (= instance owner) – db2inst1 – I’m adjusting /home/db2inst1/sqllib/db2profile . My default db2profile consist of this section dedicated to LD_LIBRARY_PATH:
1 2 3 4 5 |
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-""} AddRemoveString LD_LIBRARY_PATH ${INST_DIR}/lib64 a AddRemoveString LD_LIBRARY_PATH ${INST_DIR}/lib64/gskit a AddRemoveString LD_LIBRARY_PATH ${INST_DIR}/lib32 a export LD_LIBRARY_PATH |
I should add one more lib to 32-bit library directory (it is strictly recommended to include this library path, although you’re running 64-bit OS + 64-bit DB2). You can do it intuitively according previous paths or classical way = block after my adjustments looks:
1 2 3 4 5 |
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-""} AddRemoveString LD_LIBRARY_PATH ${INST_DIR}/lib64 a AddRemoveString LD_LIBRARY_PATH ${INST_DIR}/lib64/gskit a AddRemoveString LD_LIBRARY_PATH ${INST_DIR}/lib32 a export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/sqllib/lib32/gskit |
Now you need to locate gskit binaries – not really hard, right? 🙂 I’m changing
1 |
export PATH |
to
1 |
export PATH=$PATH:/opt/ibm/db2/V10.5/gskit/bin |
Please adjust path according your install directory. These two changes are enough – you should save changes done to your db2profile file, logout and login to see changes.
2) Generating key
First of all you can check your gsk version:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
db2inst1@linux-lzeo:~> gsk8ver Details of gskit in /opt/ibm/db2/V10.5/lib32/gskit_db2 Operating system is Linux linux-lzeo 3.12.28-4-default #1 SMP Thu Sep 25 17:02:34 UTC 2014 (9879bd4) x86_64 libgsk8sys.so ============ @(#)CompanyName: IBM Corporation @(#)LegalTrademarks: IBM @(#)FileDescription: IBM Global Security Toolkit @(#)FileVersion: 8.0.50.31 @(#)InternalName: gsksys @(#)LegalCopyright: Licensed Materials - Property of IBM GSKit (C) Copyright IBM Corp.1995, 2014 All Rights Reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. @(#)OriginalFilename: libgsk8sys.so @(#)ProductName: gsk8g (GoldCoast Build) 140708 @(#)ProductVersion: 8.0.50.31 @(#)ProductInfo: 14/07/08.01:52:32.14/07/09.03:02:05 @(#)CMVCInfo: gsk8g_140708/gsk8g_ssl gsk8g_140225/gsk8g_cms gsk8g_140708/gsk8g_support gsk8g_140708/gsk8g_pkg gsk8g_140310/gsk8g_acme gsk8g_140708/gsk8g_doc gsk8g_140708/gsk8g_ikm ...{truncated} |
You can say something about spamming – but i can imagine many situation when this huge output is necessary :-). Let’s try to generate your stash – welcome to gsk8capicmd syntax 🙂 Please check this 100-page instruction for command usage/options. First attempt:
1 2 |
db2inst1@linux-lzeo:~> gsk8capicmd -keydb -create -db klicenka.p12 -pw eagle -strong -type pkcs12 -stash CTGSK3048W The password is weak. |
I think all parameters are +- intuitive. Just -strong is forcing strong password (eagle is not a strong password, indeed) and -stash is creating stash file, useful when you want to provide password when database starts. Second attempt:
1 2 |
db2inst1@linux-lzeo:~> gsk8capicmd -keydb -create -db klicenka.p12 -pw E_@$%llag1e1221# -strong -type pkcs12 -stash db2inst1@linux-lzeo:~> |
seems ok for us – you can check newly created files:
1 2 3 |
db2inst1@linux-lzeo:~> ll klic* -rw------- 1 db2inst1 db2iadm1 0 Jan 31 22:32 klicenka.p12 -rw------- 1 db2inst1 db2iadm1 129 Jan 31 22:32 klicenka.sth |
3) Connecting DB2 with stash
As you can imagine, all this is leading to change some parameter, pointing into .p12 file. Exactly! Please all, welcome 2 brand new parameters for database manager: KEYSTORE_TYPE and KEYSTORE_LOCATION.
Ok, so we adjust these values according our case and change dbm cfg:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
db2inst1@linux-lzeo:~> db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst1/klicenka.p12 DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. db2inst1@linux-lzeo:~> db2stop 01/31/2015 22:43:19 0 0 SQL1032N No start database manager command was issued. SQL1032N No start database manager command was issued. SQLSTATE=57019 db2inst1@linux-lzeo:~> db2start SQL8007W There are "89" day(s) left in the evaluation period for the product "DB2 Advanced Enterprise Server Edition". For evaluation license terms and conditions, refer to the License Agreement document located in the license directory in the installation path of this product. If you have licensed this product, ensure the license key is properly registered. You can register the license by using the db2licm command line utility. The license key can be obtained from your licensed product CD. 01/31/2015 22:43:24 0 0 SQL1063N DB2START processing was successful. SQL1063N DB2START processing was successful. db2inst1@linux-lzeo:~> |
4) Creating encrypted database
Here we go!
1 2 3 |
db2inst1@linux-lzeo:~> db2 create database tst_enc encrypt DB20000I The CREATE DATABASE command completed successfully. db2inst1@linux-lzeo:~> |
And that’s all.
5) Verification
We will create tst database (non-encrypted) with tst1 table consisting of one column, credit card number. We will try to retrieve this CC# by strings command (just reminding my older post):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
db2 => create database tst DB20000I The CREATE DATABASE command completed successfully. db2 => connect to tst Database Connection Information Database server = DB2/LINUXX8664 10.5.5 SQL authorization ID = DB2INST1 Local database alias = TST db2 => create table tst1(cc varchar(19)) DB20000I The SQL command completed successfully. db2 => insert into tst1 values('4255-8613-9716-5076') DB20000I The SQL command completed successfully. db2 => commit DB20000I The SQL command completed successfully. db2 => select TBSPACEID from syscat.tables where TABNAME='TST1' TBSPACEID --------- 2 1 record(s) selected. db2 => LIST TABLESPACE CONTAINERS FOR 2 Tablespace Containers for Tablespace 2 Container ID = 0 Name = /home/db2inst1/db2inst1/NODE0000/TST/T0000002/C0000000.LRG Type = File db2 => quit DB20000I The QUIT command completed successfully. db2inst1@linux-lzeo:~> time strings -a /home/db2inst1/db2inst1/NODE0000/TST/T0000002/C0000000.LRG | grep "[0-9]\{4\}\-[0-9]\{4\}\-[0-9]\{4\}\-[0-9]\{4\}" 4255-8613-9716-5076 real 0m0.340s user 0m0.284s sys 0m0.000s |
As you can see, CC# was discovered without any troubles.
Now we can try the same actions in tst_enc database:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
db2 => create table tst1(cc varchar(19)) DB20000I The SQL command completed successfully. db2 => insert into tst1 values('4255-8613-9716-5076') DB20000I The SQL command completed successfully. db2 => commit DB20000I The SQL command completed successfully. db2 => select TBSPACEID from syscat.tables where TABNAME='TST1' TBSPACEID --------- 2 1 record(s) selected. db2 => LIST TABLESPACE CONTAINERS FOR 2 Tablespace Containers for Tablespace 2 Container ID = 0 Name = /home/db2inst1/db2inst1/NODE0000/TST_ENC/T0000002/C0000000.LRG Type = File db2 => quit DB20000I The QUIT command completed successfully. db2inst1@linux-lzeo:~> time strings -a /home/db2inst1/db2inst1/NODE0000/TST_ENC/T0000002/C0000000.LRG | grep "[0-9]\{4\}\-[0-9]\{4\}\-[0-9]\{4\}\-[0-9]\{4\}" real 0m0.533s user 0m0.328s sys 0m0.056s db2inst1@linux-lzeo:~> |
Data are stored encrypted, as we wished.
You can find more information about this new feature on website + check this article.
-a-