DB2 Version 9.7 for Linux, UNIX, and Windows

Data encryption

The DB2® database system offers several ways to encrypt data, both while in storage, and while in transit over the network.

Encrypting data in storage

You have the following options for encrypting data in storage:

You can use the encryption and decryption built-in functions ENCRYPT, DECRYPT_BIN, DECRYPT_CHAR, and GETHINT to encrypt your data within database tables.
Note: These functions use algorithms that are not compliant with NIST SP 800-131A. If you must comply with NIST SP 800-131A, these functions must not be used. If compliance to NIST SP 800-131A is not an issue, these functions are still valid.
You can use IBM® Database Encryption Expert to encrypt the underlying operating system data and backup files.
If you are running a DB2 Enterprise Server Edition system on the AIX® operating system, and you are interested in file-level encryption only, you can use encrypted file system (EFS) to encrypt your operating system data and backup files.

Encrypting data in transit

To encrypt data in-transit between clients and DB2 databases, you can use the DATA_ENCRYPT authentication type, or, the DB2 database system support of Secure Sockets Layer (SSL).

Note: DATA_ENCRYPT and SERVER_ENCRYPT with DES use algorithms that are not compliant with NIST SP 800-131A. If you must comply with NIST SP 800-131A, they must not be used. If compliance to NIST SP 800-131A is not an issue, they are still valid.

Using the ENCRYPT, DECRYPT_BIN, DECRYPT_CHAR, and GETHINT functions

The ENCRYPT built-in function encrypts data using a password-based encryption method. These functions also allow you to encapsulate a password hint. The password hint is embedded in the encrypted data. Once encrypted, the only way to decrypt the data is by using the correct password. Developers that choose to use these functions should plan for the management of forgotten passwords and unusable data.

The result of the ENCRYPT functions is VARCHAR FOR BIT DATA (with a limit of 32631).

Only CHAR, VARCHAR, and FOR BIT DATA can be encrypted.

The DECRYPT_BIN and DECRYPT_CHAR functions decrypt data using password-based decryption.

DECRYPT_BIN always returns VARCHAR FOR BIT DATA while DECRYPT_CHAR always returns VARCHAR. Since the first argument may be CHAR FOR BIT DATA or VARCHAR FOR BIT DATA, there are cases where the result is not the same as the first argument.

The length of the result depends on the bytes to the next 8 byte boundary. The length of the result could be the length of the data argument plus 40 plus the number of bytes to the next 8 byte boundary when the optional hint parameter is specified. Or, the length of the result could be the length of the data argument plus 8 plus the number of bytes to the next 8 byte boundary when the optional hint parameter is not specified.

The GETHINT function returns an encapsulated password hint. A password hint is a phrase that will help data owners remember passwords. For example, the word "Ocean" can be used as a hint to remember the password "Pacific".

The password that is used to encrypt the data is determined in one of two ways:

Password Argument. The password is a string that is explicitly passed when the ENCRYPT function is invoked. The data is encrypted and decrypted with the given password.
Encryption password special register. The SET ENCRYPTION PASSWORD statement encrypts the password value and sends the encrypted password to the database manager to store in a special register. ENCRYPT, DECRYPT_BIN and DECRYPT_CHAR functions invoked without a password parameter use the value in the ENCRYPTION PASSWORD special register. The ENCRYPTION PASSWORD special register is only stored in encrypted form.
The initial or default value for the special register is an empty string.

Valid lengths for passwords are between 6 and 127 inclusive. Valid lengths for hints are between 0 and 32 inclusive.