Introduction

This guide describes how to integrate and use Entrust Security World software and Entrust Security nShield Hardware Security Modules (HSMs) with an IBM Db2 database.

IBM Db2 encrypts databases and backup images using Db2 native encryption. Native encryption provides transparent and secure key management without requiring changes to existing hardware, software, applications, or database schemas.

A key advantage of using a PKCS #11 keystore is the strong protection it provides for encryption keys. This protection is achieved by enforcing the principle that keys never leave the secure boundary of the keystore. Database data at rest is encrypted using a Data Encryption Key (DEK), which is stored with the database.

The DEK itself is encrypted by a master key (MK) that is stored externally to the database. When access is required, the DEK is sent to the PKCS #11 keystore, where it is decrypted using the MK. The only exception to the rule that keys never leave the keystore occurs during the migration of keys from a local keystore file to a PKCS #11 keystore. In this scenario, migrated keys are marked as external. Performing an immediate key rotation after migration transitions usage to internally generated keys within the PKCS #11 keystore.

Using a PKCS #11 keystore is a more secure alternative, particularly in environments with multiple databases where maintaining individual keystores would be complex and error-prone. Using Entrust HSMs to protect the IBM Db2 master key provides the following benefits:

  • Secure generation, storage, and protection of encryption keys on FIPS 140-2 Level 3 validated hardware.

  • Full lifecycle management of cryptographic keys.

  • Comprehensive HSM audit logging.

  • Confidence when adopting cloud-based services.

  • Improved performance by offloading cryptographic operations from application servers.

Documents to read first

To install and configure the Entrust HSM, refer to the relevant User Guide and Installation Guide. You can access them from the Entrust Document Library and from the nShield Product Documentation website.

Also refer to the IBM Db2 online documentation.

Requirements

Ensure that you are using supported versions of Entrust nShield products, IBM Db2, and third-party products. See Product configurations.

To perform the integration tasks, you must have:

  • root access on the operating system.

  • Access to nfast accounts.

Before starting the integration process, familiarize yourself with:

  • The documentation for the HSM.

  • The documentation and setup process for the IBM Db2 server.

Before using the nShield software, you need to know:

  • The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

  • Whether the application keys are protected by the module or an Operator Card Set (OCS) with or without a pass phrase.

  • The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.

  • Whether the security world should be compliant with FIPS 140 Level 3.

If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

For more information, refer to the User Guide and Installation Guide for the HSM.

Product configurations

The integration between the IBM Db2 Server and Entrust HSMs has been successfully tested in the following configurations:

Product           Version
Linux             Red Hat Enterprise Linux 9
IBM Db2 Server    12.1.4

Supported nShield hardware and software versions

Entrust has successfully tested the following nShield hardware and software versions:

HSM               Security World Software   Firmware                          Image     OCS   Softcard   Module   FIPS Level 3
nShield Connect   13.6.15                   12.72.4 (FIPS 140-2 certified)    13.6.15
nShield 5c        13.6.15                   13.4.5 (FIPS 140-3 certified)     13.6.15

Hotfix

This integration requires the hotfix "TAC-1325".

After installing the Security World Software, make sure the hotfix is installed. This hotfix contains an updated version of the nShield PKCS #11 library for Security World v13.6.15 on the Linux platform. It addresses an issue where the PKCS #11 CMAC output length was set to half the block size (8 bytes instead of 16 bytes).