DISK_ENCRYPTION configuration parameter

The DISK_ENCRYPTION configuration parameter controls the encryption of storage spaces.

onconfig.std value
Not set. Storage space encryption is disabled.
values
See Usage section.
takes effect
After you edit your onconfig file and restart the database server.

Usage

Use the DISK_ENCRYPTION configuration parameter to enable storage space encryption, set the base name of the keystore and stash files, and specify the encryption cipher. Any storage spaces that you create after you set the DISK_ENCRYPTION configuration parameter are encrypted by default. Storage spaces that you created before you set the DISK_ENCRYPTION configuration parameter are not automatically encrypted. When storage space encryption is enabled, you can restore a storage space as encrypted or unencrypted, regardless of whether the space was encrypted at the time of the backup.

Figure 1: Syntax for the DISK_ENCRYPTION configuration parameter

DISK_ENCRYPTION keystore=keystore_name [,cipher={aes128|aes192|aes256}] [,rollfwd_create_dbs={encrypt|decrypt}]

Square brackets mark optional clauses; braces list the values from which you choose one.
Table 1. Options for the DISK_ENCRYPTION configuration parameter value

Field: keystore
Value: The name of the keystore. It is also the base name of the keystore and stash files, which are created in the ONEDB_HOME/etc directory:
  • keystore.p12 = The keystore file that contains the security certificates.
  • keystore.sth = The stash file that contains the encryption password.

You must manually back up the keystore and password stash files. These files are not backed up when you run a backup with the ON-Bar utility.

Field: cipher
Value: Specifies the encryption cipher:
  • aes128 = Default. Advanced Encryption Standard cipher with 128-bit keys.
  • aes192 = Advanced Encryption Standard cipher with 192-bit keys.
  • aes256 = Advanced Encryption Standard cipher with 256-bit keys.

Field: rollfwd_create_dbs
Value: Specifies whether to encrypt a storage space that is created by the rolling forward of the logical log during a restore:
  • encrypt = Encrypt the newly created storage space.
  • decrypt = Do not encrypt the newly created storage space.

By default, storage spaces that are created by the rolling forward of the logical log have the same encryption state as the original storage space.
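The following is an added example, not part of the OneDB documentation or product: it parses a DISK_ENCRYPTION value according to the syntax and defaults described above, and checks that the keystore and stash files that ON-Bar does not back up are actually present under ONEDB_HOME/etc. The onconfig fragment and the keystore name onedb_keys are constructed for the example.

```python
import os
import re

CIPHERS = {"aes128", "aes192", "aes256"}
ROLLFWD = {"encrypt", "decrypt"}


def parse_disk_encryption(value):
    """Parse 'keystore=name[,cipher=...][,rollfwd_create_dbs=...]' into a dict.
    cipher defaults to aes128; rollfwd_create_dbs is None when omitted, meaning
    spaces created during roll-forward keep the original space's state."""
    result = {"keystore": None, "cipher": "aes128", "rollfwd_create_dbs": None}
    for field in value.split(","):
        key, sep, val = (part.strip() for part in field.partition("="))
        if not sep or not val:
            raise ValueError(f"malformed field {field.strip()!r}")
        if key == "keystore":
            # The name becomes a file name under ONEDB_HOME/etc: reject path parts.
            if not re.fullmatch(r"[A-Za-z0-9_.-]+", val) or val in (".", ".."):
                raise ValueError(f"unsafe keystore name {val!r}")
            result["keystore"] = val
        elif key == "cipher" and val in CIPHERS:
            result["cipher"] = val
        elif key == "rollfwd_create_dbs" and val in ROLLFWD:
            result["rollfwd_create_dbs"] = val
        else:
            raise ValueError(f"unknown field or value {field.strip()!r}")
    if result["keystore"] is None:
        raise ValueError("keystore is required")
    return result

def disk_encryption_from_onconfig(text):
    """Parsed DISK_ENCRYPTION line from onconfig text; None if absent (disabled)."""
    for line in text.splitlines():
        match = re.match(r"^\s*DISK_ENCRYPTION\s+(\S.*?)\s*$", line)
        if match:
            return parse_disk_encryption(match.group(1))
    return None

def missing_keystore_files(onedb_home, keystore):
    """Keystore (.p12) and stash (.sth) files under ONEDB_HOME/etc that are absent.
    Both must exist and be backed up by hand, because ON-Bar does not copy them."""
    etc = os.path.join(onedb_home, "etc")
    paths = [os.path.join(etc, keystore + ext) for ext in (".p12", ".sth")]
    return [p for p in paths if not os.path.isfile(p)]

SAMPLE_ONCONFIG = """\
# constructed sample onconfig fragment, not a real deployment
DISK_ENCRYPTION keystore=onedb_keys, cipher=aes256, rollfwd_create_dbs=encrypt
"""
```

Run missing_keystore_files against the real ONEDB_HOME before taking a backup; a non-empty result means the encrypted spaces could not be restored from that backup alone.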