8.2.1 Encrypt the Database

Information

Encrypting the database will protect your data and may be required for compliance with certain government regulations (e.g. NIST).

Rationale:

A malicious user can steal physical media like the hard drive, and restore the database and browse the data. To prevent access to the data at rest, encrypt sensitive data in a database and use an encryption key that encrypt the data. This prevents anyone without the keys from using the data.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To determine if a database is encrypted you should check the Encrypted database database configuration parameter:

db2 => get db cfg | grep -i encrypt

Encryption Library for Backup (ENCRLIB) = libdb2encr.so
Encryption Options for Backup (ENCROPTS) = CIPHER=AES:MODE=CBC:KEY LENGTH=256
Encrypted database = YES

You should see that the encrypted database is set to YES.

You should check the type of key manger used by checking dbm configuration:

db2 => get dbm cfg | grep -i keystore

Keystore type (KEYSTORE_TYPE) = KMIP
Keystore location (KEYSTORE_LOCATION) = /path/ekeystore.cfg

You can also check the current database encryption settings:

db2 => SELECT * FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())

You must be connected to the database to run this command. The following information will be shown for the connected database:

OBJECT_NAME

OBJECT_TYPE

ALGORITHM

ALGORITHM_MODE

KEY_LENGTH

MASTER_KEY_LABEL KEYSTORE_NAME KEYSTORE_TYPE

KEYSTORE_HOST KEYSTORE_IP

KEYSTORE_IP_TYPE

PREVIOUS_MASTER_KEY_LABEL AUTH_ID

APPL_ID

ROTATION_TIME

This information should be filled in for an encrypted database.

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: IBM_DB2DB

Control ID: 0b59a9bab3ba092996bda4410553759a2d011d13e81ccaf23472e3cd9dd38553