Preparing a Destination DB2 Database Instance for Encrypted Database Restore

To prepare a destination instance for an out-of-place restore from another instance, import the encryption key of the source instance on the destination instance.

Procedure

  1. On the source instance, do the following:

    1. Connect to the database using the following command:

      db2 connect to <DB name>
    2. Get the database label using the following command:

      db2 "select MASTER_KEY_LABEL from TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) where OBJECT_NAME='<DB name>' and OBJECT_TYPE='DATABASE'"
    3. Copy the database label.

    4. Export the encryption key using the following command:

      gsk8capicmd_64 -cert -export -db <Src encryption key db> -stashed -label <label copied in step 1c> -target <export path>\<export file name>.raw -target_type pkcs12 -target_pw <password>
  2. On the destination, do the following:

    1. Create the encryption key database (keystore) and configure the instance to use it, using the following commands:

      gsk8capicmd_64 -keydb -create -db <src encryption key db> -pw <password> -strong -type pkcs12 -stash
      db2 update dbm config using KEYSTORE_LOCATION <encryption Key DB location> KEYSTORE_TYPE PKCS12
      DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
    2. Restart the database instance.

    3. Copy the raw file generated on the source to the destination.

    4. Import the encryption key using the following command:

      gsk8capicmd_64 -cert -import -db <exported key location> -pw "<exported key password>" -stashed -target <encryption key DB location> -target_type pkcs12
    5. To verify that the key was imported to the destination and that the source database label is visible, run the following command:

      gsk8capicmd_64 -cert -list -db <encryption key DB location> -stashed
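
The verification in step 2e can be scripted by comparing the label read in step 1b against the destination listing. The following is an added example, not part of the original procedure or the product's code: the function names, the sample labels, and the assumed text layout of the `db2` query result and the `gsk8capicmd_64 -cert -list` output are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not product code. Output layouts and all labels are assumptions
# constructed for illustration.

# Step 1b: the label is the first non-empty line after the dashed header rule.
extract_label() {
  awk 'rule && NF { sub(/[ \t\r]+$/, ""); print; exit }
       /^-+[ \t\r]*$/ { rule = 1 }'
}

# Step 2e: succeed only if LABEL is a complete entry in the listing. An exact
# match rejects labels that merely share a prefix (another database or date).
label_in_keystore() {
  awk -v want="$1" '
    /^[-*!#]+[ \t]+/ {
      sub(/^[-*!#]+[ \t]+/, ""); sub(/[ \t\r]+$/, "")
      if ($0 == want) found = 1
    }
    END { exit !found }'
}

# $1 = saved query output from the source, $2 = saved listing from the destination
check_restore_key() {
  label=$(printf '%s\n' "$1" | extract_label)
  [ -n "$label" ] || { echo "no label found in query output" >&2; return 2; }
  if printf '%s\n' "$2" | label_in_keystore "$label"; then
    echo "OK: $label is in the destination keystore"
  else
    echo "MISSING: $label is not in the destination keystore" >&2
    return 1
  fi
}

# Constructed sample of the step 1b query result.
SAMPLE_QUERY='
MASTER_KEY_LABEL
------------------------------------------------
DB2_SYSGEN_db2inst1_SALES_2024-01-15-10.30.00

  1 record(s) selected.
'
# Constructed sample of the step 2e listing.
SAMPLE_LIST='Certificates found
* default, - personal, ! trusted, # secret key
#  DB2_SYSGEN_db2inst1_SALES_2024-01-15-10.30.00
#  DB2_SYSGEN_db2inst1_SALESTEST_2023-11-02-08.00.00
'

check_restore_key "$SAMPLE_QUERY" "$SAMPLE_LIST"
```

In practice, save the real output of steps 1b and 2e to files and pass their contents in place of the two sample variables.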
