Exam C2090-600
Question 45

Which statement regarding setting up a local keystore for DB2 native encryption is TRUE?

    Correct Answer: A

    A local keystore is not needed if a Hardware Security Module (HSM) is used to manage master keys. DB2 supports Hardware Security Modules (HSMs) that follow the PKCS #11 standard for managing master keys. If an HSM is used, it serves as the keystore, so a local keystore is unnecessary in this context.

Discussion
Shubhranshu (Option: B)

Wondering why the answer is not A? A master key needs to be stored in a keystore, but a keystore can be local or a supported third-party keystore. Keystores supported by Db2 include Hardware Security Modules (HSM) that use the PKCS #11 API. https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0070381.html

db2tester (Option: C)

The correct answer is "C. A master key must be generated and placed in an existing local keystore before a new encrypted database will be created."

Db2 native encryption uses a two-tier approach to data encryption. Data is encrypted with a Data Encryption Key (DEK), which is in turn encrypted with a Master Key (MK). The encrypted DEK is stored with the data, while the MK is stored in a keystore external to Db2. A master key (MK) is an encryption key that is used to encrypt a data encryption key (DEK). Each encrypted database is associated with one master key at one time. Unless directed otherwise, Db2 generates an MK automatically during these operations:

- Database creation
- Master key rotation
- Restoring into a new database

Reference: https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0070381.html