Abstract

We’ve discussed encrypting backups on Informix 11 and 12 using the BACKUP_FILTER and RESTORE_FILTER onconfig parameters in an earlier article.  While effective, this involved writing scripts, using external tools and managing encryption keys manually. Using the new onkstore utility (see technical article here), with Informix 14.10 Integrated Backup Encryption, ontape and onbar backups can now be encrypted and decrypted natively.

As before, there is obviously some risk here, as if the keys are lost it can render your backups essentially useless.  We therefore strongly recommend only using this with a cloud based key store, as this method uses envelope encryption to ensure your backups can always be restored.

Although we recommend using a cloud key store, for the purpose of this article, a local key will be used.  As above, we would not recommend doing so for a production system.  Read on to learn more about Informix 14.10 Integrated Backup Encryption:

Content

Informix 14.10 Integrated Backup Encryption is driven by two new onconfig parameters:

BAR_ENCRYPTION – This points to a key store (or key file) and lists the cipher to use

BAR_DECRYPTION – This parameter is optional, but can list a separate key store or file to use for decryption.  If not set, BAR_ENCRYPTION is used for decrypting.  No cipher is listed.

Despite the name, both ontape and onbar can use this parameter.  On a production system onkstore would be used to create a key store of type AWS_BAR (this is different to the keys generated for EAR).  The BAR_ENCRYPTION parameter may look something like this:

Copy to Clipboard

For this example though, we’re going to use a local key file.  As IBM don’t recommend this, it’s not even possible to generate a local BAR key file using onkstore; this needs to be done with external tools.  To generate a key 32 character (256-bit) key using openssl:

Copy to Clipboard

It’s important to note, this encryption key is NOT stored in the encryption envelope, and losing it will invalidate any backups created with it.  If you must use a local key, it is essential this key is backed up safely (somewhere not on the server).  Using the above local key, the BAR_ENCRYPTION parameter would look something like this:

Copy to Clipboard

Once set, the backup and restore utilities should now start using encryption.  e.g. an

ontape backup should display the message: “The backup volume will be encrypted”.  Please note that BACKUP_FILTER is still applied, and applied first, so if set to a compression utility, this may have little effect.

To restore on a different system using a local key file, the base64 file must be present, otherwise the restore will fail.  A successful ontape restore will start with the message: “The volume to restore is encrypted.”.

Caveats

You will need to have the IBM Global Security Kit (gskit) installed; version 8.0.55.9 was released with IDS 14.10.XC3.  Encryption will have some minor CPU overhead during backups and restore (bear this in mind if logical logs are completed frequently).  While onkstore removes some of the issues with key storage, we would still strongly recommend a copy of the encryption key is stored securely elsewhere off the server.  While cloud storage ensures your keys are safe, the cloud service must be available as and when the keys are required (i.e. when an archive is run, or logical log file completes and is backed up).  Although local key files are supported, the key used for encryption must be used to decrypt when restoring, adding a significant level of risk.

Conclusion

Encrypting your backups is as important as encrypting your data on the server.  While encrypting backups does add a level of complexity and risk to the process, the onkstore utility in combination with a cloud service does minimise this.

Disclaimer

Suggestions above are provided “as is” without warranty of any kind, either express or implied, including without limitation any implied warranties of condition, uninterrupted use, merchantability, fitness for a particular purpose, or non-infringement.

Contact us

If you have any questions regarding Informix 14.10 Integrated Backup Encryption or would like to find out more, simply contact us.

Author