To prepare a destination instance for an out-of-place restore from another instance, import the encryption key of the source instance on the destination instance.
Procedure
-
On the source instance, do the following:
-
Connect to the database using the following command:
db2 connect to DB name -
Get the database label using the following command:
db2 "select MASTER_KEY_LABEL from TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) where OBJECT_NAME='DB name' and OBJECT_TYPE='DATABASE'" -
Copy the database label.
-
Export the encryption key using the following command:
gsk8capicmd_64 -cert -export -db Src encryption key db -stashed -label label copied in step 1c -target export path\export file name.raw -target_type pkcs12 -target_pw password
-
-
On the destination, do the following:
-
Create the encryption Key using the following commands:
gsk8capicmd_64 -keydb -create -db Src encryption key db -pw password -strong -type pkcs12 -stash db2 update dbm config using KEYSTORE_LOCATION encryption key DB location KEYSTORE_TYPE PKCS12 DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed -
Restart the database instance.
-
Copy the raw file generated on source, to destination.
-
Import the encryption key using the following command:
gsk8capicmd_64 -cert -import -db exported key location -pw "exported key password" -stashed -target encryption key DB location -target_type pkcs12 -
To verify if the key is imported to destination and the source database label is visible, run the following command:
gsk8capicmd_64 -cert -list -db encryption key DB location -stashed
-