Informix Storage and Backup Encryption

Abstract

GDPR is causing many companies to revise their policies regarding data privacy, and encrypting data may help meet some of the requirements. Fortunately, storage space (dbspace) encryption (otherwise known as "Encryption at rest" or EAR) is a very easy-to-use feature available in all Informix Dynamic Server (IDS) editions since version 12.10.xC8. No application changes are required.

This should be combined with encryption of backups – both archives and logical logs – whether created via "onbar" or "ontape":

  1. Prior to IDS 10, this had to be performed after backup files had been created.
  2. IDS 10 allowed backup or restore via any pipe with "ontape -t STDIO", but only for archives.
  3. From IDS 11, configuration parameters exist to pass all backups and restores through specified filter commands, which is ideal for in-line compression and encryption.

This article explains the steps involved in implementing both storage and backup encryption (using method 3 above) on supported IDS versions.

Content

All commands shown below should be run as user "informix".

For storage encryption, first make sure that the IBM Global Security Kit (GSKit) is set up. For example, the installer is present but not yet run in either of these free Docker images:

https://hub.docker.com/r/ibmcom/informix-innovator-c
https://hub.docker.com/r/ibmcom/informix-developer-database

You can fix that with:

sudo $INFORMIXDIR/gskit/installgskit

It doesn't seem to cause any harm if the above is repeated unnecessarily. Note that the installed GSKit location varies with platform, for example:

Linux: /usr/local/ibm/gsk8_64     AIX: /usr/opt/ibm/gsk8_64

Next, you need to add a line such as this to the $INFORMIXDIR/etc/$ONCONFIG file:

DISK_ENCRYPTION keystore=keystore.$INFORMIXSERVER

The exact line above is recommended which automatically handles multiple instances. For example, if the Informix server name is "test", the following files will be created automatically in the same directory:

keystore.test.p12
keystore.test.sth

There are other options that can be appended, but none of them essential:

www.ibm.com/support/knowledgecenter/en/SSGU8G_12.1.0/com.ibm.adref.doc/ids_adr_1199.htm

The default cipher is 128-bit AES.

If the above is in place before you first initialize an instance for the first time with "oninit -iv", all dbspaces will be encrypted from the outset.

If you wish to encrypt all dbspaces for an existing instance, set up the above and then perform a level 0 archive, stop the instance, and restore it again specifying encryption. For example, using "ontape" with a directory in configuration parameter TAPEDEV, these are the necessary commands:

ontape -s -L 0 -d
onmode -ky
ontape -p -encrypt -d
onmode -m # (or "onmode -d ..." for a replica)

Note that, should you need to perform a cold restore of a previously encrypted instance, it will fail unless the key files are removed beforehand with:

cd $INFORMIXDIR/etc
rm keystore.$INFORMIXSERVER.*

Should you wish to have only some dbspaces encrypted, this can be achieved by using the "onspaces" command to create individual dbspaces with or without the "-u" (unencrypted) option, for example:

onspaces -c -d space1 -p work3/AB/chunk5 -o 0 -s 10000 -u

www.ibm.com/support/knowledgecenter/en/SSGU8G_12.1.0/com.ibm.adref.doc/ids_adr_0466.htm

You can check which dbspaces are encrypted with "onstat -d", which shows "E" in the "flags" column where applicable (whereas "E" would mean "expandable" in the second "Chunks" list):

Dbspaces
address          number   flags      fchunk   nchunks  pgsize   flags    owner   name
4484a028         1        0x10020001 1        1        2048     N  BAE   informix rootdbs
45ed5b30         2        0x20001    2        1        2048     N  BA    informix space1

www.ibm.com/support/knowledgecenter/en/SSGU8G_12.1.0/com.ibm.adref.doc/ids_adr_0504.htm

Backup encryption is equally straightforward. This article assumes the use of "openssl" as it is the most portable tool, for example it's available as standard on both Linux and AIX. The main alternative on Linux is "pgp", but no binary installer exists at this time for AIX 7.

We first need to create a file in a secure location containing the encryption password on one line:

cd $INFORMIXDIR/etc
mkdir .openssl
cd .openssl
vi backup_key
chmod -R og-rwx .

The contents entered with "vi" above could be 128 bytes randomly generated here:

www.browserling.com/tools/random-string

Next, create a filter script with two names as follows:

cd $INFORMIXDIR/bin
vi backup_filter.sh
chmod 700 backup_filter.sh
ln backup_filter.sh restore_filter.sh

The shell script contents entered with "vi" above could be as follows:

# Informix backup/restore compress/encrypt filter
# Doug Lawry, Oninit Consulting, May 2018

cd $INFORMIXDIR/etc/.openssl || exit 1

CMD="openssl enc -aes-128-cbc -pass file:backup_key"

case $0 in
*backup*) gzip | $CMD -e ;;
*restore*) $CMD -d | gunzip ;;
*) echo "$0: cannot derive mode from name" 1>&2 ; exit 2 ;;
esac

Finally, set configuration parameters to use the above automatically:

vi $INFORMIXDIR/etc/$ONCONFIG

The new settings entered with "vi" above should be:

BACKUP_FILTER  backup_filter.sh
RESTORE_FILTER restore_filter.sh

The solution above assumes that, as well as encryption, "gzip" compression is desired, as it often is.

On later versions of "openssl", you may find the "-z" option is supported which similarly performs compression with the "zlib" library. This would reduce the number of processes and in theory make it possible to do without the shell script.

Otherwise, pipe symbols in BACKUP_FILTER or RESTORE_FILTER cause the operation to fail, even if quoted as documented, so there is no choice but to have a script. There are in any case other advantages, such as having the cipher details and password location defined once, and the latter not accessible to other users with "ps -f".

On larger systems with many CPU cores, consider compiling and using the much faster multi-threaded implementation of "gzip" available here:

https://zlib.net/pigz

The cipher chosen in the filter script is 128-bit AES (the same as the DISK_ENCRYPTION default). It uses around 10% of the CPU used by "gzip" during a backup and 50% during a restore. You could go up to 256-bit with a modest performance penalty.

Caveats

You obviously need to copy encryption key files from $INFORMIXDIR/etc to another secure location any time they change. Otherwise:

  1. If the disk encryption key files (*.p12 and *.stm) were lost, Informix would stay running as the keys are cached, but you would be unable to restart the instance without a full restore.

  2. If the backup encryption key file (.openssl/*) was lost, you could recreate it with new contents, but you would not be able to restore from previous backups.

Beware that setting BACKUP_FILTER and RESTORE_FILTER for whatever purpose causes the "archecker" and "onlog" tools to fail prior to IDS 11.50.xC7W1 due to defects such as:

IC68956  Reading of archived logical logs using the onlog utility does not work if BACKUP_FILTER /usr/bin/gzip is used

Conclusion

Assuming a small CPU overhead is acceptable, there is every reason to implement storage and backup encryption if your databases contain personal or sensitive data. Everything you need to know is given in this article, and it's not that difficult to implement.

Disclaimer

Suggestions above are provided "as is" without warranty of any kind, either express or implied, including without limitation any implied warranties of condition, uninterrupted use, merchantability, fitness for a particular purpose, or non-infringement.