To prepare a destination instance for an out-of-place restore from another instance, import the encryption key of the source instance on the destination instance.
Procedure

1. On the source instance, do the following:

   a. Connect to the database using the following command:

      db2 connect to <DB name>

   b. Get the database label using the following command:

      db2 "select MASTER_KEY_LABEL from TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) where OBJECT_NAME='<DB name>' and OBJECT_TYPE='DATABASE'"

   c. Copy the database label.

   d. Export the encryption key using the following command:

      gsk8capicmd_64 -cert -export -db <Src encryption key db> -stashed -label <label copied in step 1c> -target <export path>\<export file name>.raw -target_type pkcs12 -target_pw <password>

2. On the destination, do the following:

   a. Create the encryption key database and set it as the instance keystore using the following commands:

      gsk8capicmd_64 -keydb -create -db <src encryption key db> -pw <password> -strong -type pkcs12 -stash

      db2 update dbm config using KEYSTORE_LOCATION <encryption Key DB location> KEYSTORE_TYPE PKCS12
      DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed

   b. Restart the database instance.

   c. Copy the raw file generated on the source to the destination.

   d. Import the encryption key using the following command:

      gsk8capicmd_64 -cert -import -db <exported key location> -pw "<exported key password>" -stashed -target <encryption key DB location> -target_type pkcs12

   e. To verify that the key is imported to the destination and the source database label is visible, run the following command:

      gsk8capicmd_64 -cert -list -db <encryption key DB location> -stashed
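The label lookup on the source and the final verification on the destination can be scripted so that the restore only proceeds when the exact source label is present in the destination keystore. The following is an added example, not part of the original procedure: the function names are hypothetical, and the sample outputs are constructed and assume the usual db2 CLP column layout and a `gsk8capicmd_64 -cert -list` listing with a marker column followed by the label.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample outputs are constructed.

# Source query output on stdin -> label: the first non-empty line after the
# dashed header rule. The CLP pads values with blanks, so trim both ends.
extract_label() {
    awk 'seen && NF { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print; exit }
         /^-+[ \t]*$/ { seen = 1 }'
}

# Keystore listing on stdin -> exit 0 only if an entry equals LABEL exactly.
# A substring match (plain grep) would accept a different key whose label
# merely starts with the same text.
keystore_has_label() {
    WANT=$1 awk '{
        line = $0
        sub(/^[-*!#]*[ \t]+/, "", line)   # drop the marker column
        sub(/[ \t\r]+$/, "", line)        # drop trailing blanks / CR
        if (line == ENVIRON["WANT"]) found = 1
    }
    END { exit !found }'
}

# Constructed sample of the MASTER_KEY_LABEL query output on the source.
sample_query_output() {
    printf '\nMASTER_KEY_LABEL\n'
    printf '%s\n' '----------------------------------------------'
    printf '%s   \n' 'DB2_SYSGEN_db2inst1_SAMPLE_2016-02-18-10.35.48'
    printf '\n  1 record(s) selected.\n\n'
}

# Constructed sample of the destination keystore listing.
sample_listing() {
    printf 'Certificates found\n'
    printf '* default, - personal, ! trusted, # secret key\n'
    printf '#\t%s\n' 'DB2_SYSGEN_db2inst1_SAMPLE_2016-02-18-10.35.48'
    printf '#\t%s\n' 'DB2_SYSGEN_db2inst1_TESTDB_2017-01-05-09.12.03'
}

# In real use, pipe the db2 query and the gsk8capicmd_64 -cert -list command
# from the procedure into these functions instead of the samples.
label=$(sample_query_output | extract_label)
if sample_listing | keystore_has_label "$label"; then
    echo "OK: $label is present in the destination keystore"
else
    echo "MISSING: $label is not in the destination keystore" >&2
fi
```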