Information
Key rotation refers to the process of changing encryption keys and is often required for compliance purposes. Similar to a password change, key rotation is done to reduce the risk that can come from exposure of the key, while it exists. Since the DEK used by Db2 for encryption is never outside of the encrypted database, backup, or transaction log, there is little risk of exposure. The same is not true for the MK, which lives outside of the database.
The rotation of the MK does not affect the encryption of the DEK within existing backups or archived transaction logs.
The master key (MK) should be rotated based on the frequency needed for compliance. Rotating MK requires decrypting any DEK encrypted with the old MK and then re-encrypting it with the new MK. The data is encrypted with a DEK and does not get re-encrypted.
Rationale:
Consider rotating the MK as being similar to changing passwords every X number of days. You may also have external requirements to rotate the MK after a certain period of time.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
The SYSPROC.ADMIN_ROTATE_MASTER_KEY procedure can be used to change the database key to comply with key rotation requirement. You must be connected to the database to run this command.
db2 => CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY('newMasterKeyLabel')
Db2 will automatically generate the new MK and label unless you provide a MK label for an existing MK. Key rotation is logged in the db2diag.log file:
$ grep -A 3 'Key Rotation' ~/sqllib/db2dump/db2diag.log
Key Rotation successful using label:
DATA #2 : String, 46 bytes
DB2_SYSGEN_db2inst1_SECRET_2021-04-29-11.22.01
The DEK is not externalized and does not need to be rotated. However, if you wish to rotate the DEK you can take an offline backup and restore to a new encrypted database, thus generating a new DEK.