Businesses that handle huge amounts of data face security challenges, and data owners are looking for ways to keep that data secure. Data encryption is one such way: it keeps your data secured through an encryption mechanism.
The term “encryption” refers to the conversion of data into a secure format that is made accessible only to authorized users holding a decryption key.
Transparent Data Encryption (TDE) is an industry methodology that encrypts data at the file level and makes stored files resistant to access by unauthorized users.
TDE helps you implement compliance with security standards through effective encryption and protection of the database, but data that is in use or in transit cannot be protected by TDE.
IBM implemented the encryption feature in a low-level access mechanism, the media manager. An encryption operation exploits a hardware instruction that is executed in the crypto processor attached to the system, which minimizes the cost of the instruction. Encryption and decryption are almost transparent to Db2 because they are done at I/O time: the encryption is implemented in the I/O routines, so the data is in the clear in the buffer pool and SQL sees only decrypted data.
Methods of Enabling Encryption
IBM z/OS allows three methods of enabling encryption:
In a RACF dataset profile
RACF® controls data set access by identifying authorized users and preventing unauthorized users from accessing data. RACF determines whether a user is authorized to access a data set by using the information in the data set profile.
As an attribute of the dataset
Specifying encryption as an attribute of the data set itself encrypts every record written to that data set. This prevents users who are not authorized for the key from reading sensitive data out of the database files.
As an attribute in a SMS DATACLAS
You can encrypt a data set by defining it as an SMS-managed extended-format data set whose data class includes a key label.
A Key to Encrypt and Decrypt the Data
The key used to encrypt or decrypt the data is system generated and is stored in the Cryptographic Key Data Set (CKDS). Users refer to the key through its key label, and a 64-bit value is used to access the actual key. RACF or equivalent authorization is required to access the key label. So, to access an encrypted file, you must be authorized for both the key label and the data set.
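The three enabling methods and the key-label authorization described above, as an added JCL example that is not part of the original article: one batch job that defines the RACF controls (CSFKEYS resource for the key label, a DATASET profile carrying the key label in its DFP segment), then allocates a data set that names the key label directly on the DD statement, and finally lists the catalog entry to confirm the data set was created encrypted. The high-level qualifier DB2P.DSNDBD, the key label DB2.DSN.KEY01, the user ID DB2USR and the data class DCEXT are placeholders, and the AES key behind DB2.DSN.KEY01 is assumed to already exist in the ICSF CKDS; substitute your site's values.

```jcl
//DSENCRYP JOB (ACCT),'DB2 DS ENCRYPTION',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*------------------------------------------------------------------
//* Illustrative example. DB2P.DSNDBD, DB2.DSN.KEY01, DB2USR and DCEXT
//* are placeholders; the key for DB2.DSN.KEY01 is assumed to already
//* exist in the ICSF CKDS.
//*
//* Step 1 (RACF, via batch TSO):
//*  - The key label is a resource in the CSFKEYS class. A user needs
//*    READ to it, restricted to SMS data set encryption, to open the
//*    file. SYMCPACFWRAP/SYMCPACFRET let the key be used as a
//*    protected key on the CPACF hardware instruction.
//*  - Method 1: the key label is placed in the DFP segment of the
//*    DATASET profile. New extended-format data sets matching the
//*    profile are encrypted with it. The user still needs normal
//*    data set authority, so access needs BOTH the key label and
//*    the profile.
//*  - STGADMIN.SMS.ALLOW.DATASET.ENCRYPT is needed when the key label
//*    comes from JCL or the RACF profile rather than the data class.
//*------------------------------------------------------------------
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
  RDEFINE CSFKEYS DB2.DSN.KEY01 UACC(NONE) +
    ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT DB2.DSN.KEY01 CLASS(CSFKEYS) ID(DB2USR) ACCESS(READ) +
    WHEN(CRITERIA(SMS(DSENCRYPTION)))
  ADDSD 'DB2P.DSNDBD.**' UACC(NONE) DFP(DATAKEY(DB2.DSN.KEY01))
  PERMIT 'DB2P.DSNDBD.**' ID(DB2USR) ACCESS(ALTER)
  RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE)
  PERMIT STGADMIN.SMS.ALLOW.DATASET.ENCRYPT CLASS(FACILITY) +
    ID(DB2USR) ACCESS(READ)
  SETROPTS RACLIST(CSFKEYS FACILITY) REFRESH
/*
//*------------------------------------------------------------------
//* Step 2, Method 2: the key label as an attribute of the data set
//* itself (DSKEYLBL on the DD). Encrypted data sets must be
//* SMS-managed extended format, hence DSNTYPE=EXTREQ and a data class.
//*
//* Method 3 needs no JCL: set "Data Set Key Label" in the SMS data
//* class definition in ISMF; every data set assigned that data class
//* is then encrypted without DSKEYLBL or a DFP DATAKEY.
//*------------------------------------------------------------------
//ALLOC    EXEC PGM=IEFBR14
//ENCDS    DD DSN=DB2P.DSNDBD.ENCTEST,
//            DISP=(NEW,CATLG,DELETE),
//            DSNTYPE=EXTREQ,DATACLAS=DCEXT,
//            DSKEYLBL='DB2.DSN.KEY01',
//            SPACE=(CYL,(10,5)),RECFM=FB,LRECL=80
//*------------------------------------------------------------------
//* Step 3, verify: the catalog entry of an encrypted data set reports
//* DATA SET ENCRYPTION and the DATA SET KEY LABEL it was created with.
//*------------------------------------------------------------------
//VERIFY   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  LISTCAT ENTRIES('DB2P.DSNDBD.ENCTEST') ALL
/*
```

Because the key label is resolved at allocation time and the encryption happens in the I/O routines, the application opening DB2P.DSNDBD.ENCTEST reads and writes clear records as usual; a user who holds the data set profile but lacks READ to the CSFKEYS resource fails at OPEN rather than reading ciphertext, which is the condition the RACF and ICSF audit records should be watched for.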
So, with the help of transparent data encryption methods, you can secure your data in Db2 at the file level.