Storage space encryption

You can encrypt storage spaces. The data in encrypted storage spaces is unintelligible without the encryption key. Encrypting storage spaces is an effective way to protect sensitive information that is stored on disk.

You must have IBM® Global Security Kit (GSKit) installed to enable storage space encryption. GSKit is installed by default when you install the database server.

You enable storage space encryption by setting the DISK_ENCRYPTION configuration parameter and restarting the database server. You set the DISK_ENCRYPTION configuration parameter to a name for the keystore and password files. Encryption keys are automatically generated and stored in the keystore file. The password for the keystore file is stored in a stash file. Because the keystore and stash file together unlock every encrypted space, protect both from unauthorized access and keep them backed up: encrypted data cannot be read without them. Each storage space is encrypted separately with its own encryption key. By default, the encryption cipher is AES with 128-bit keys. You can specify a cipher with a longer key by including the cipher option in the DISK_ENCRYPTION configuration parameter value.

Any storage space that you create while storage space encryption is enabled is automatically encrypted, unless you explicitly create it as unencrypted. If you initialize a new database server before setting the DISK_ENCRYPTION configuration parameter, the root dbspace is not encrypted. You can, however, encrypt unencrypted storage spaces, including the root dbspace, by running a restore that encrypts the spaces.


Copyright© 2020 HCL Technologies Limited