This document guides security administrators through the integration of IBM DB2 with a Thales HSM, and covers the information needed to install, configure and integrate IBM DB2 with the Thales HSM.
IBM DB2 encrypts databases and backup images using DB2 native encryption. Native encryption provides transparent and secure key management and requires no changes to your hardware, software, applications, or schemas.
The primary benefit of a PKCS #11 keystore is the protection it provides to encryption keys. This protection is accomplished by imposing a restriction that keys never leave the secure environment of the keystore. Data on disk is encrypted with a data encryption key (DEK) that is stored with the database.
The DEK, in turn, is encrypted by a master key (MK), which is stored externally to the database. The DEK is sent to the PKCS #11 keystore, where it is decrypted by the MK. The only exception to this principle of keys not leaving the keystore is when migrating keys from a local keystore file to a PKCS #11 keystore. In such cases, these keys are marked as external. However, an immediate key rotation following migration will start to make use of internally defined keys.
Using a PKCS #11 keystore is a more secure alternative when you have multiple databases and do not want to maintain an individual keystore for each of them.
The following are the benefits of using Thales HSMs to secure the IBM DB2 Master Key: