DB2 database backup encryption

Hi,

I want to take an encrypted backup of my existing database, which is not encrypted.

DB is 10.5.0.3 and OS is Linux

db2 backup database sample encrypt does not work; it gives me an error: “SQL0104N An unexpected token “encrypt” was found following “SAMPLE”. Expected tokens may include: “USER”. SQLSTATE=42601”

You should probably check your syntax for the Database version you are using.

A good starting point would be to consult the IBM documentation at:

www-01.ibm.com/…/welcome.html

For some older DB2 versions you might need to use the COMPRESS clause instead of the ENCRYPT clause…

ENCROPT parameter is set to null by default.

I am getting an error while updating the parameter ENCROPT.

$ db2 update database cfg for testdb using ENCROPTS 'CIPHER=AES:MODE=CBC:KEY LENGTH=256'

SQL0104N An unexpected token “LENGTH=256” was found following “”. Expected tokens may include: “ALT_COLLATE”. SQLSTATE=42601

Have you tried instead putting the encryption options in the backup database command? Is there a reason that won’t work for you?

I see the problem now. Native encryption was introduced in 10.5 Fixpack 5. You’re on Fixpack 3.

I have installed the latest pack, 6. Now the db is on Fixpack ‘6’, but I am still receiving an error.

db2 BACKUP DATABASE sample TO /db2backup/ ENCRYPT ENCRLIB 'libdb2encr.so' ENCROPTS 'Cipher=AES:Key Length=256'

SQL0104N An unexpected token “Length=256” was found following “”.

Expected tokens may include: “INCLUDE”. SQLSTATE=42601

According to the IBM documentation, both the CIPHER and KEY LENGTH are optional.

“Cipher is optional. Valid values are AES and 3DES (the default is AES).”

“Key length is optional. Valid values for AES are 128, 192, and 256 (the default is 256), and the only valid value for 3DES is 168.”

www-01.ibm.com/…/r0001933.html

Edit: I would try and use your command without the ENCROPTS option.

db2 BACKUP DATABASE sample TO /db2backup/ ENCRYPT ENCRLIB 'libdb2encr.so'

I have executed the command without the ENCROPTS option and it gives me an error.

db2 BACKUP DATABASE sample TO /db2backup/ ENCRYPT ENCRLIB 'libdb2encr.so'

SQL2062N An error occurred while accessing media “libdb2encr.so”. Reason code: “1”.

The libdb2encr.so file is located in /home/db2inst1/sqllib/lib64/.

ls -ltr /home/db2inst1/sqllib/lib64/libdb2encr.so

-r–r--rr-- 1 bin bin 48924 Dec 17 17:42 /home/db2inst1/sqllib/lib64/libdb2encr.so

Have you followed the steps listed in the link below?

www-01.ibm.com/…/t0061766.html

  1. Ensure that the path to the IBM® Global Security Kit (GSKit) libraries appears in the LIBPATH, SHLIB_PATH, or LD_LIBRARY_PATH environment variable on Linux or UNIX-based platforms.

  2. Create a PKCS#12-compliant keystore (a storage object for encryption keys) by using the gsk8capicmd (or gsk8capicmd_64) GSKit command.

  3. Add a master key to the keystore.

If your database is not encrypted, but you want to encrypt a backup image, perform one of the following actions:

(a) Add a master key to the keystore and specify the label for that master key on the BACKUP DATABASE command.

(b) Set the encrlib and encropts database configuration parameters to valid non-null values. In this case, you do not have to specify the master key label on the BACKUP DATABASE command, because it is implicitly specified by the value of the encropts configuration parameter.

  4. Configure the DB2 instance with the new keystore by setting the keystore_type and keystore_location database manager configuration parameters.
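
The keystore steps listed above, written out as a plan/apply shell script. This is an added example, not code from the thread or from IBM's documentation; the keystore path, key file, master key label and the KS_PW variable are hypothetical placeholders. The backup statement is handed to db2 as one double-quoted argument, so the single quotes around the ENCRLIB and ENCROPTS values reach the CLP instead of being removed by the shell.

```shell
#!/bin/sh
# Added example: plan/apply wrapper for the keystore + encrypted backup steps.
# Keystore path, key file, label and KS_PW are hypothetical placeholders.
# Step 1 (GSKit libraries on LD_LIBRARY_PATH) is assumed to be done already.
KS="${KS:-/home/db2inst1/keystore/backup-ks.p12}"
KEYFILE="${KEYFILE:-/home/db2inst1/keystore/master.key}"
LABEL="${LABEL:-backup.sample.mk1}"
DB="${DB:-sample}"
DEST="${DEST:-/db2backup}"
APPLY=0

# ENCROPTS value; the label names the master key added to the keystore (option a).
encropts() {
    printf 'Cipher=AES:Key Length=256:Master Key Label=%s' "$LABEL"
}

# Full CLP statement. It is passed to db2 as ONE argument so the inner single
# quotes reach the CLP parser instead of being stripped by the shell.
backup_stmt() {
    printf "BACKUP DATABASE %s TO %s ENCRYPT ENCRLIB 'libdb2encr.so' ENCROPTS '%s'" \
        "$DB" "$DEST" "$(encropts)"
}

# $1 is the text shown (password redacted); the rest runs only when APPLY=1.
step() {
    printf '+ %s\n' "$1"; shift
    [ "$APPLY" = "1" ] || return 0
    "$@"
}

main() {
    umask 077   # keystore, stash and key file: instance owner only
    step "gsk8capicmd_64 -keydb -create -db $KS -pw <KS_PW> -type pkcs12 -stash" \
        gsk8capicmd_64 -keydb -create -db "$KS" -pw "${KS_PW:-}" -type pkcs12 -stash
    step "head -c 32 /dev/urandom > $KEYFILE" \
        sh -c 'head -c 32 /dev/urandom > "$1"' sh "$KEYFILE"
    step "gsk8capicmd_64 -secretkey -add -db $KS -label $LABEL -stashed -file $KEYFILE" \
        gsk8capicmd_64 -secretkey -add -db "$KS" -label "$LABEL" -stashed -file "$KEYFILE"
    step "db2 update dbm cfg using keystore_type pkcs12 keystore_location $KS" \
        db2 update dbm cfg using keystore_type pkcs12 keystore_location "$KS"
    step "db2 \"$(backup_stmt)\"" db2 "$(backup_stmt)"
}

# Default is "plan": print the commands only. "apply" executes them.
if [ "${1:-plan}" = "apply" ]; then : "${KS_PW:?set KS_PW first}"; APPLY=1; fi
main
```

Run it with no argument to print the planned commands, or with apply (and KS_PW set in the environment) to execute them as the instance owner.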