DB2 Native Encryption on Windows

DB2 10.5 on Windows

Does anyone have any experience with Native Encryption for DB2 on Windows? Or Linux? From what I have read, it should be transparent to the users, but I have to assume there is overhead involved somewhere.

The main thing I have read is that backups can take up to 3x longer.

Any insights would be appreciated!

Thank you!

Jim
Jim Youmans, Sr Database Administrator, Asked:
 
Kent Olsen, Data Warehouse Architect / DBA, Commented:
Hi Jim,

I've never used DB2's Native Encryption, but I do have a long background with DB2 and other encryption protocols.

You're correct that the encryption is (mostly) transparent to the user.  For the most part your SQL won't decrypt the data unless it needs to be displayed or tested in unencrypted form.  (Testing A<B on the encrypted data probably doesn't do what the user wants.  Testing A=B does properly compare for equality.)  You probably don't want a clustered index on an encrypted column.  If the sort order is based on the encrypted value you lose the intended order and its benefits.  If the sort order is based on the displayed data, the indexes have to be decrypted for each access.  Both are problematic.

Backups do take longer.  I wouldn't have expected triple, but my research shows that it can take that long.  Depending on the underlying hardware, copying a normal data block can be as efficient as a single instruction.  Every bit of the overhead is I/O.  Encrypting the block as part of the copy process moves the overhead from I/O to serial CPU.  The encryption process doesn't lend itself to parallelism, so the limiting factor becomes the processing power of a single CPU/core.  Again, I'm surprised that the overhead would triple the backup time as CPUs can execute a LOT of instructions on in-cache data!


I hope this little insight is helpful.  
Kent
 
Tomas Helgi Johannsson, Commented:
Hi!

One thought on this besides the points Kent mentioned. As Kent mentioned, backups with encryption will take longer, and the backup image will take significantly more space if you don't also specify compress or use the db2compr_encr library.
Good key-management procedures and storage will have to be in place as well before using encryption, to be able to restore encrypted backup images. If the master key or keystore is missing or unusable, then the database or backup image is unusable as well.

https://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0061766.html
http://db2commerce.com/2015/09/29/db2-backups-when-using-native-encryption/

Regards,
    Tomas Helgi
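An added illustration (not part of the thread and not DB2's code) of the two points in the reply above: encrypted data does not compress, so compression only saves space when it happens before encryption, and an image cannot be restored without the right key. The toy cipher, the image layout and all function names are assumptions made for this demo.

```python
import hashlib, hmac, os, zlib

# Toy cipher for the demonstration only (SHA-256 in counter mode as a keystream);
# it stands in for real encryption and is not what DB2 uses.
def _xor_stream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _subkeys(master_key: bytes):
    # Separate encryption and integrity keys, both derived from the master key.
    return (hashlib.sha256(b"enc" + master_key).digest(),
            hashlib.sha256(b"mac" + master_key).digest())

def make_image(pages: bytes, master_key: bytes, compress: bool) -> bytes:
    """Hypothetical backup image layout: [flag][nonce][tag][ciphertext]."""
    enc_key, mac_key = _subkeys(master_key)
    body = zlib.compress(pages) if compress else pages  # compress BEFORE encrypting
    header = bytes([int(compress)]) + os.urandom(16)
    ciphertext = _xor_stream(body, enc_key, header[1:])
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + tag + ciphertext

def restore_image(image: bytes, master_key: bytes) -> bytes:
    enc_key, mac_key = _subkeys(master_key)
    header, tag, ciphertext = image[:17], image[17:49], image[49:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong or missing master key: image cannot be restored")
    body = _xor_stream(ciphertext, enc_key, header[1:])
    return zlib.decompress(body) if header[0] else body

def compare_sizes() -> dict:
    # Constructed sample data: repetitive rows, standing in for table pages.
    pages = b"".join(b"ORDER%06d|OPEN      |0000.00\n" % i for i in range(20000))
    key = hashlib.sha256(b"constructed demo master key").digest()
    encrypt_only = make_image(pages, key, compress=False)
    return {
        "raw": len(pages),
        "encrypt_only": len(encrypt_only),
        "compress_then_encrypt": len(make_image(pages, key, compress=True)),
        "encrypt_then_compress": len(zlib.compress(encrypt_only)),
    }

if __name__ == "__main__":
    for name, size in compare_sizes().items():
        print(f"{name:>22}: {size:>7} bytes")
```

Compressing an already encrypted image afterwards (for example with a file-level zip step) recovers essentially nothing, which is why the compression has to be part of the backup itself.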
 
Jim Youmans, Sr Database Administrator, Author Commented:
Thank you!
Question has a verified solution.
