All commands shown below should be run as user “informix”.
For storage encryption, first make sure that the IBM Global Security Kit (GSKit) is set up. For example, the installer is present but not yet run in either of these free Docker images:
You can fix that with:
It doesn’t seem to cause any harm if the above is repeated unnecessarily. Note that the installed GSKit location varies with platform, for example:
Next, you need to add a line such as this to the $INFORMIXDIR/etc/$ONCONFIG file:
The exact line above is recommended because it automatically handles multiple instances. For example, if the Informix server name is “test”, the following files will be created automatically in the same directory:
There are other options that can be appended, but none of them is essential:
The default cipher is 128-bit AES.
If the above is in place before you initialize an instance for the first time with “oninit -iv”, all dbspaces will be encrypted from the outset.
If you wish to encrypt all dbspaces for an existing instance, set up the above and then perform a level 0 archive, stop the instance, and restore it again specifying encryption. For example, using “ontape” with a directory in configuration parameter TAPEDEV, these are the necessary commands:
Note that, should you need to perform a cold restore of a previously encrypted instance, it will fail unless the key files are removed beforehand with:
Should you wish to have only some dbspaces encrypted, this can be achieved by using the “onspaces” command to create individual dbspaces with or without the “-u” (unencrypted) option, for example:
You can check which dbspaces are encrypted with “onstat -d”, which shows “E” in the “flags” column where applicable (whereas “E” would mean “expandable” in the second “Chunks” list):
Backup encryption is equally straightforward. This article assumes the use of “openssl” as it is the most portable tool, for example it’s available as standard on both Linux and AIX. The main alternative on Linux is “pgp”, but no binary installer exists at this time for AIX 7.
We first need to create a file in a secure location containing the encryption password on one line:
The password entered with “vi” above could be 128 random bytes, generated for example here:
Next, create a filter script with two names as follows:
The shell script contents entered with “vi” above could be as follows:
Finally, set configuration parameters to use the above automatically:
The new settings entered with “vi” above should be:
The solution above assumes that, as well as encryption, “gzip” compression is desired, as it often is.
On later versions of “openssl”, you may find the “-z” option is supported which similarly performs compression with the “zlib” library. This would reduce the number of processes and in theory make it possible to do without the shell script.
Otherwise, pipe symbols in BACKUP_FILTER or RESTORE_FILTER cause the operation to fail, even if quoted as documented, so there is no choice but to have a script. There are in any case other advantages, such as having the cipher details and password location defined once, and the password itself not being visible to other users via “ps -f”.
On larger systems with many CPU cores, consider compiling and using the much faster multi-threaded implementation of “gzip” available here:
The cipher chosen in the filter script is 128-bit AES (the same as the DISK_ENCRYPTION default). It uses around 10% of the CPU used by “gzip” during a backup and 50% during a restore. You could go up to 256-bit with a modest performance penalty.
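A filter script of the kind described above, as an added example rather than the article's own script: it assumes the two names backup_filter and restore_filter (one file plus a link), a password file under $INFORMIXDIR/etc, and that “openssl” and “gzip” are on the PATH; all three are assumptions, not details from the article.

```shell
#!/bin/sh
# Example Informix BACKUP_FILTER / RESTORE_FILTER script (hypothetical names).
# Install once as $INFORMIXDIR/bin/backup_filter and link it as restore_filter;
# the name it is invoked under selects the direction. Data arrives on stdin
# and leaves on stdout, which is what the Informix filter parameters expect.

# Assumed password file: one line, owned by informix, mode 0600.
: "${PASSFILE:=${INFORMIXDIR:-/opt/informix}/etc/backup_key}"
# 128-bit AES, the same strength as the DISK_ENCRYPTION default.
CIPHER="-aes-128-cbc"

# Backup direction: compress with gzip, then encrypt with a salted,
# PBKDF2-derived key read from the password file (never from the command line,
# so it does not show up in "ps -f").
backup_filter() {
    gzip -c | openssl enc "$CIPHER" -salt -pbkdf2 -pass "file:$PASSFILE"
}

# Restore direction: decrypt, then decompress. A wrong key produces garbage
# that gzip rejects, so the pipeline exits non-zero instead of restoring junk.
restore_filter() {
    openssl enc -d "$CIPHER" -pbkdf2 -pass "file:$PASSFILE" | gzip -dc
}

# Dispatch on the basename the script was invoked under.
case "${0##*/}" in
    backup_filter)  backup_filter ;;
    restore_filter) restore_filter ;;
    *) echo "$0: not invoked as backup_filter or restore_filter; no action" >&2 ;;
esac
```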