The onkstore Utility
Use the onkstore utility to create and manage password stash files for use with storage space encryption and the integrated backup encryption features.
The onkstore utility will create a password stash file in the $INFORMIXDIR/etc directory by default, but this file may be created and used from any location accessible by the database server as long as that directory has secure permissions.
With its informix/informix ownership and 600 permissions, the password stash file can be read only by users root or informix on UNIX/Linux and by the creator of the keystore on Windows. In addition, the file is itself encrypted using a password. The admin must specify this keystore password when creating the password stash file. By default that password is stored (as an obfuscated value) in a stash file alongside the password stash file. Do not remove the stash file or allow it to be separated from the password stash file. If you do not want the password to be stashed, use the option "-nostash" when creating the keystore. In that case the password may be supplied interactively to oninit and to utilities such as oncheck, onlog, ontape, or onbar.
- A Master Encryption Key (MEK) that is used as a “seed” by the server to encrypt storage spaces when using it with the Storage Space Encryption feature.
- A set of credentials to access a Remote Key Server that stores the Master Encryption Key for the Storage Space Encryption (DISK_ENCRYPTION configuration parameter) or a set of credentials to access a Remote Key Server that stores the Remote Master Encryption Key used by the Integrated Backup Encryption feature (BAR_ENCRYPTION configuration parameter).
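The ownership and permission requirements above are easy to check from a script. The following is an added example, not part of IBM's onkstore or this page; the stash-file path and the expected owner are passed in as arguments because the page does not state the stash file's naming convention, and the checks rely only on POSIX `ls`.

```shell
#!/bin/sh
# Added example (not IBM's code): audit a keystore / password stash file pair
# the way the text above requires: mode 600, owned by the expected user
# (informix on UNIX/Linux), and the stash file present next to the keystore.
# The stash-file name and the expected owner are arguments (assumptions),
# since this page does not state the stash file's naming convention.

# check_mode FILE -> succeeds only if FILE's permission string is -rw-------
check_mode() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# check_owner FILE USER -> succeeds only if FILE is owned by USER
check_owner() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# audit_keystore KEYSTORE STASH USER
# Prints one line per finding; returns 0 only when both files exist,
# are mode 600, and are owned by USER.
audit_keystore() {
    ks=$1; stash=$2; user=$3; rc=0
    for f in "$ks" "$stash"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"; rc=1; continue
        fi
        check_mode "$f" || { echo "BAD MODE (want 600): $f"; rc=1; }
        check_owner "$f" "$user" || { echo "BAD OWNER (want $user): $f"; rc=1; }
    done
    return $rc
}
```

Run it as `audit_keystore $INFORMIXDIR/etc/<keystore> $INFORMIXDIR/etc/<stash> informix`; a non-zero exit means the pair does not meet the stated requirements.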
The onkstore utility has the following usage:
| Option | Description |
| --- | --- |
| -file <fn> | name of keystore to create/list/convert. |
| -type | type of keystore to create: local, AWS-EAR, AWS-BAR, KMIP, AZURE-EAR, AZURE-BAR |
| -create | create a new keystore. By default, stash the password in a stash file. Use option "-nostash" if this is not desired. |
| -pw <fn> | file with cleartext keystore password. If not provided and the password is not stashed already, it is prompted for interactively. |
| -list | list the contents of the file. |
| -cipher | cipher the server will use: aes128, aes192, aes256 |
| -credential <fn> | file that contains credentials in json format. |
| -pw [<fn>] | current password for the keystore, supplied either interactively or in a file. |
| -verify | verify the keystore. |
| -convert | convert keystore from one type to another. |
| -changepw [<fn>] | change the password for the keystore. |
| -nostash | upon creation of a keystore, do not stash the password. |
| -help | print this message. |