Informix 14.10 Key Storage

Abstract

Informix 14.10 Key Storage, onkstore, is a new key store utility that ships with Informix 14.10.

Informix 12.10 added the ability to encrypt your database server at the storage level with the Encryption At Rest facility (see technical article here).  While this is an extremely useful security feature, it did create a new problem of how and where to store the encryption keys.

This new program can generate both local and cloud encryption keys that can be used with EAR and for backup encryption (see technical article here).

In this article, we will demonstrate how to create a local key store for EAR.

Content

The onkstore utility supports creating local and cloud key stores.  At the time of writing, the AWS, Azure and KMIP cloud services are supported.  For simplicity, in this article we will be generating a local key store.

To create a local 192-bit key store:

This should generate the following output:

aes128, aes192 and aes256 ciphers are supported.  As no password was provided (one may be passed with the -pw option), this is internally generated and stored in the .sth (stash) file.

This keystore can now be used for EAR in the DISK_ENCRYPTION onconfig parameter:

It’s important the cipher matches that used to create the key store with onkstore.  We would recommend using the keystore.$INFORMIXSERVER standard naming convention for the files.

The local file keystore can be located anywhere accessible to the database engine, but the parent directory must have read permission for user and group informix.  The default location is ${INFORMIXDIR}/etc if no path is given.

As well as local, key stores may also be generated in the cloud (such as with AWS: type AWS_EAR); however, due to GDPR regulations, the keys will also need to be stored locally.  Specifying type AWS_EAR (or other cloud types) will prompt for AWS login credentials – you must have an AWS account set up prior to this.  Cloud key stores may be verified by using the -verify option to the onkstore utility.

If you have upgraded from version 12.10 and have an existing EAR key store, this can be converted to the new standard with the -convert option:

A backup of the old key is created in a .bak file.

Setting DISK_ENCRYPTION alone does not automatically encrypt your dbspaces.  To do this, you’ll need to backup your database and restore it as encrypted dbspaces.  Please see our separate technical article on this here.  To check if EAR is enabled, onstat -d will show an ‘E’ in the flags column in the dbspace listing:

Caveats

You will need to have the IBM Global Security Kit (gskit) installed; version 8.0.55.9 was released with IDS 14.10.XC3.  Encryption will have some minor CPU overhead.  While onkstore removes some of the issues with key storage, we would still strongly recommend a copy of the encryption key is stored securely elsewhere off the server.  While cloud storage ensures your keys are safe, the cloud service must be available as and when the keys are required (including when Informix is started or a backup/restore is performed).

Conclusion

Key management was something that was missing from earlier versions of IDS.  This new utility takes some of the headache away for creating and managing encryption keys.  The ability to store keys in the cloud adds extra peace of mind your keys are safe.

Disclaimer

Suggestions above are provided “as is” without warranty of any kind, either express or implied, including without limitation any implied warranties of condition, uninterrupted use, merchantability, fitness for a particular purpose, or non-infringement.

Contact us

If you have any questions regarding Informix 14.10 Key storage or would like to find out more, simply contact us.