Encryption - AWS Prescriptive Guidance

Encryption

When it comes to encryption, there are two focus areas:

  • Encryption in transit

  • Encryption at rest

Db2 native encryption is built into Db2 to protect the data at rest by encrypting the data when it's written to disk. Db2 native encryption uses a standard two-tier model. The actual data is encrypted with a Db2 Data Encryption Key (DEK) and the DEK is encrypted with a Db2 master key (MK). The DEK is managed within the database while the MK is stored externally in a key store.

To achieve encryption at rest, Amazon Elastic Block Store (Amazon EBS) volume encryption is preferred over Db2 native encryption on AWS because you can use cloud-native solutions for setup and scaling. EBS volume encryption also helps to eliminate unnecessary operational overhead and the time spent setting up native encryption when migrating multiple database servers. For more information, see the blog post Architecting for database encryption on AWS.

Encryption in transit is relevant for the following data communications:

  • Between the client and the server

  • Between primary and standby high availability disaster recovery (HADR) servers

  • Between the database server and external services

The data being transmitted is encrypted by using TLS. In addition, Db2 supports internal encryption of the user ID and password by using the server-side parameter AUTHENTICATION.

TLS uses libraries from the IBM Global Security Kit (GSKit), which provides the secure tunnel for the data being sent and stores the certificates securely within the key store.

The following diagram shows the TLS handshake between the client and the server.

  1. The client requests a TLS connection and lists its supported cipher suites.

  2. The server responds with a selected cipher suite and a copy of its digital certificate, which includes a public key.

  3. The client checks the validity of the certificate. If the certificate is valid, a session key and message authentication code (MAC) are encrypted with the public key and sent back to the server.

  4. The server decrypts the session key and MAC. Then the server sends an acknowledgement to start an encrypted session with the client.

  5. The server and client securely exchange data using the session key and the MAC.

When the certificates expire, you must renew the certificates and update them in the key store.

Starting with Db2 version 11.5.6, you can include hostname validation when configuring TLS. Hostname validation lets the client connection verify that the hostname in the server certificate matches the hostname the client connected to. This validation can help to prevent person-in-the-middle attacks. You can also configure the TLSVersion parameter on the client. Starting with Db2 version 11.5.8, TLS 1.3 is supported.
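The following is an added example, not code from the AWS guidance or from Db2, showing the client-side checks that step 3 of the handshake, the certificate renewal note, and the hostname validation and TLSVersion settings above describe: hostname validation against the certificate's subject alternative names (including a single leading wildcard), tracking of days until the certificate expires so renewal and key store updates can be scheduled, and a client TLS context that enforces a minimum protocol version. It uses only the Python standard library; the certificate dictionary and the hostnames in it are constructed samples laid out the way ssl.SSLSocket.getpeercert() returns them, and the function names are the author's own.

```python
"""Client-side certificate checks of the kind a TLS client performs before
trusting a server, plus a client SSLContext that enforces a minimum TLS
version. Added example using only the standard library; the certificate
below is a constructed sample, not a real Db2 server certificate."""
import ssl
from datetime import datetime, timezone

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert():
# one exact SAN entry, one wildcard SAN entry, fixed validity window.
SAMPLE_CERT = {
    "subject": ((("commonName", "db2-primary.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (
        ("DNS", "db2-primary.example.internal"),
        ("DNS", "*.hadr.example.internal"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

# Constructed "current time" so the expiry arithmetic is reproducible.
SAMPLE_NOW = datetime(2025, 12, 15, tzinfo=timezone.utc)


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry against a hostname, case-insensitively.
    A wildcard is honoured only as the whole leftmost label, so
    '*.hadr.example.internal' matches 'standby.hadr.example.internal'
    but not 'a.b.hadr.example.internal'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Hostname validation: the name the client connected to must appear in
    the certificate's subjectAltName DNS entries. The subject commonName is
    consulted only for legacy certificates that carry no SAN extension."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_dns_name_matches(name, hostname) for name in dns_names)


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days left before notAfter; negative means the certificate has
    expired and must be renewed and re-imported into the key store."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def check_peer_cert(cert: dict, hostname: str, now: datetime,
                    renew_within_days: int = 30) -> dict:
    """Combine the checks into one verdict a monitoring job can act on."""
    remaining = days_until_expiry(cert, now)
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "days_remaining": remaining,
        "expired": remaining < 0,
        "renewal_due": 0 <= remaining <= renew_within_days,
    }


def make_client_context(min_version_name: str = "TLSv1_2") -> ssl.SSLContext:
    """Client context that refuses protocol versions below the named minimum
    and always requires a verified certificate with a matching hostname;
    this is the stdlib counterpart of the client-side TLSVersion and
    hostname validation settings described above."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion[min_version_name]
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    print(check_peer_cert(SAMPLE_CERT, "standby.hadr.example.internal", SAMPLE_NOW))
    print(check_peer_cert(SAMPLE_CERT, "db2-evil.example.internal", SAMPLE_NOW))
    print(make_client_context("TLSv1_3").minimum_version.name)
```

Run against the sample, the standby HADR hostname is accepted through the wildcard entry while an unrelated host under the same domain is rejected, and the certificate is reported as due for renewal because fewer than 30 days remain. In a real deployment the `cert` argument would come from `getpeercert()` on an established connection, and the renewal threshold would be tuned to how long it takes to issue a new certificate and update the key store on every server.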