Informix 14.10 - EAR - Encryption At Rest (Dbspaces and Backups) with multiple levels of ciphers

Disk Encryption - Operational Data Only

Up to IDS 12.10, encryption was available only for the operational data in the dbspaces on which the server actively performs read/write operations. Backup data is not encrypted, although the end user can encrypt it through BACKUP_FILTER and RESTORE_FILTER. IDS does not control any encryption done this way and hence takes no responsibility if the encryption key is lost or decryption becomes impossible for some other reason.

To encrypt the operational data, all that is needed is to configure the onconfig parameter DISK_ENCRYPTION. It uses a keystore file ($INFORMIXDIR/etc/*.p12) and a stash file ($INFORMIXDIR/etc/*.sth) to support the encryption. These files are created automatically in 12.10 when DISK_ENCRYPTION is configured.

The keystore file stores the encryption key, and the stash file contains the password that opens the keystore file. These files have read privilege for the default DBA user "informix". This provides the utmost security to the data as long as we don't lose these files, either intentionally or unintentionally.

What is new in 14.10 with respect to encryption?

Informix 14.10 introduces a new tool, "onkstore". It opens up multiple types and ways of storing the encryption keys and paves the way to support KMIP compliance in future versions. It also supports the "local" type, which creates the keystore and stash files locally, exactly as in 12.10.

The supported types are:
  • local    - Locally stored file for EAR, same as 12.10
  • AWS_EAR  - Stored and managed by Amazon Web Services
  • AWS_BAR  - Stored and managed by Amazon Web Services

Now it is possible to specify the AWS_EAR type for DISK_ENCRYPTION so that the encryption key is stored safely in AWS. IDS automatically reads it from AWS during boot and keeps it for further encryption and decryption. This removes the possibility of losing the files, which would jeopardize the safety of the data and make it impossible to decrypt.

Similarly, for backups, we introduced two new configuration parameters in 14.10, BAR_ENCRYPTION and BAR_DECRYPTION (optional), to produce an encrypted backup. For this, we support only the AWS_BAR type (as of now, never the local type), so that the keystore and stash files can be regenerated even if we lose the ones stored locally. This is a big leap in data privacy and security for all data at rest (i.e. the data stored on disk, be it operational data or backups).

For applications that use BACKUP_FILTER or RESTORE_FILTER, IDS 14.10 also supports "keyfile" instead of "keystore". The separate keyword makes it unambiguous that keystore does not support a local file, while keyfile can specify a local file from which the base64-encoded encryption key is read.

Backups in IDS 14.10 can also be safely encrypted, and safely decrypted during restore, without worrying about losing the encryption key when the key is created with type AWS_BAR.

Configuration
  • DISK_ENCRYPTION  keystore=<abs_path/keystore_name>,cipher={aes128 | aes192 | aes256}
  • BAR_ENCRYPTION  {keyfile | keystore}=<abs_path/keystore_name>,cipher={aes128 | aes192 | aes256}
  • BAR_DECRYPTION  {keyfile | keystore}=<abs_path/keystore_name>
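
A lint for these three parameters, as an added example (not Informix tooling and not code from the original post): it checks each line against the syntax listed above and reports when dbspace encryption is configured without BAR_ENCRYPTION. The function names, the sample onconfig fragment and its aes512 typo are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the encryption-at-rest lines of an onconfig file on stdin.
# Prints one finding per line, and nothing when the settings match the syntax above.
lint_ear_config() {
    awk '
        /^[ \t]*#/ { next }                           # skip comment lines
        $1 ~ /^(DISK_ENCRYPTION|BAR_ENCRYPTION|BAR_DECRYPTION)$/ {
            param = $1; seen[param] = 1
            store = ""; cipher = ""
            n = split($2, opts, ",")                  # keystore=...,cipher=...
            for (i = 1; i <= n; i++) {
                split(opts[i], kv, "=")
                if (kv[1] == "keystore" || kv[1] == "keyfile") store = kv[1]
                else if (kv[1] == "cipher") cipher = kv[2]
                else print param ": unknown option " kv[1]
            }
            if (store == "")
                print param ": no keystore= or keyfile= given"
            if (param == "DISK_ENCRYPTION" && store == "keyfile")
                print param ": keyfile is accepted only by BAR_* parameters"
            if (param == "BAR_DECRYPTION" && cipher != "")
                print param ": cipher is not part of this parameter"
            else if (cipher != "" && cipher !~ /^aes(128|192|256)$/)
                print param ": unsupported cipher " cipher
        }
        END {
            # dbspaces encrypted, backups left as they were before 14.10
            if (seen["DISK_ENCRYPTION"] && !seen["BAR_ENCRYPTION"])
                print "BAR_ENCRYPTION: not set, backups are not encrypted"
        }
    '
}

# Constructed sample: valid dbspace setting, mistyped backup cipher.
sample_onconfig() {
    cat <<'EOF'
# constructed onconfig fragment
DISK_ENCRYPTION keystore=ids_keystore,cipher=aes128
BAR_ENCRYPTION  keystore=/opt/ifx/etc/bar_ks,cipher=aes512
EOF
}

sample_onconfig | lint_ear_config
```

Against a live instance the input would be the onconfig file itself, for example `lint_ear_config < "$INFORMIXDIR/etc/$ONCONFIG"`.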

Related files

The IDS 14.10 server needs the following files to come up successfully. These files can also be created in other directories, as long as the absolute path is specified in the configuration. If the absolute path (i.e. abs_path in the Configuration section above) is not specified, the default path is the $INFORMIXDIR/etc directory.

$INFORMIXDIR/etc/keystore.p12
$INFORMIXDIR/etc/keystore.sth

To interpret these files, IDS also bundles GSKit, which can be installed from $INFORMIXDIR/gskit/installgskit. GSKit is installed automatically when IDS 14.10 is installed, so no separate installation is required.

Check if Encryption is Enabled

There are multiple ways to find out whether encryption is enabled. Here are a few.

  • onstat -g cfg | grep DISK_ENCRYPTION
    • Shows: DISK_ENCRYPTION  keystore=ids_keystore,cipher=aes128
  • oncheck -pr | grep Encryption
    • Shows: Encryption-at-rest is enabled using cipher 'aes128'
  • SELECT from sysmaster.sysshmhdr
    • Shows: 298 sh_disk_encryption   1
  • SELECT name FROM sysmaster:sysdbspaces WHERE is_encrypted = 1;
    • Shows:
      name encrypted_dbs1
      name encrypted_dbs2
      2 row(s) retrieved
  • Verbose output of oninit -v
    • Shows: Initializing encryption-at-rest structures (part 2)...succeeded
  • onstat -d
    • Shows:
      IBM Informix Dynamic Server Version 14.10.FC1 --On-Line --Up 00:03:16 --38324 Kbytes
      Dbspaces
      address   number  flags       fchunk  nchunks  pgsize  flags   owner     name
      4484f028  1       0x1         1       1        2048    N  BA   informix  rootdbs
      4484fdd0  2       0x10000001  2       1        2048    N  BAE  informix  jcdbs
      2 active, 2047 maximum

      Chunks
      address   chunk/dbs  offset  size    free   bpages  flags   pathname
      4484f268  1      1   0       100000  35118          PO-B--  /work3/JC/rootchunk
      44958450  2      2   0       5000    3209           PO-B--  /work3/JC/chunk2
      2 active, 32766 maximum
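
To turn the onstat -d check into an audit, the added example below (not part of the original post or of Informix) reads onstat -d output and lists every dbspace that is not encrypted. It assumes that the E in the dbspace flags column marks an encrypted space, as the jcdbs row in the sample above suggests; the function names are hypothetical and the embedded sample is the dbspace table shown above.

```shell
#!/bin/sh
# Added example: read `onstat -d` output on stdin and print the name of every
# dbspace whose flags column lacks E (assumed here to mark an encrypted space).
unencrypted_dbspaces() {
    awk '
        $1 == "Dbspaces" { in_dbs = 1; next }    # start of the dbspace table
        $1 == "Chunks"   { in_dbs = 0 }          # chunk rows are not inspected
        in_dbs && $3 ~ /^0x/ {                   # data rows only, not the header
            flags = ""
            # the positional flags split into several fields, e.g. "N  BAE"
            for (i = 7; i <= NF - 2; i++) flags = flags $i
            if (flags !~ /E/) print $NF          # last field is the dbspace name
        }
    '
}

# Sample input: the dbspace table from the onstat -d output shown above.
sample_onstat_d() {
    cat <<'EOF'
IBM Informix Dynamic Server Version 14.10.FC1 --On-Line --Up 00:03:16 --38324 Kbytes
Dbspaces
address   number  flags       fchunk  nchunks  pgsize  flags   owner     name
4484f028  1       0x1         1       1        2048    N  BA   informix  rootdbs
4484fdd0  2       0x10000001  2       1        2048    N  BAE  informix  jcdbs
2 active, 2047 maximum

Chunks
address   chunk/dbs  offset  size    free   bpages  flags   pathname
4484f268  1      1   0       100000  35118          PO-B--  /work3/JC/rootchunk
EOF
}

sample_onstat_d | unencrypted_dbspaces
```

On a running server the same function takes live input: `onstat -d | unencrypted_dbspaces`.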



