Key data set management
We also recommend that you maintain one key data set shared by all systems with access to the data set. Multiple distinct key data sets create difficulty with key data set management because you must ensure that the key data set that is used to encrypt an image copy is also used for recovery with that encrypted image copy.
Consider all of the following items as you manage your key data set:
Protect the key data set on the local system and duplicates on remote systems against unauthorized access.
Most attempts to access encrypted data occur as unauthorized access to the key data set. You should protect the key data set against unauthorized access during shipping with either a secret key or public-key encryption. If the key data set is not encrypted during shipping, it should never be shipped under the same cover as the encrypted image copies.
If you plan to use encrypted image copies at your disaster recovery site, be sure that the processor at the site supports encryption.
Remote disaster recovery sites might require a duplicate key data set for recovery purposes.
Because the timestamps that are used for recovery are taken from the BMCXCOPY table, a change in time zones between the site where BMC AMI Copy made the encrypted image copies and the disaster recovery site does not affect recovery.
The possibility exists, however, that a time zone change might invalidate a key data set for creating image copies at the remote site. If this is the case, you will need a new key data set with local times for generating encrypted image copies at the remote site.
Limit updating of the key data set to authorized individuals.
Generating a new current key by inserting a new first row in the key data set limits the amount of data exposed if the current key is compromised. Do not modify existing rows in the key data set because image copies might exist that will require the keys for recovery. It is important that duplicate key data sets on remote systems also contain this new row, and that backups of the key data set be immediately created on all systems.
After image copies encrypted by a key are no longer referenced in the local and remote BMCXCOPY tables, the key is no longer needed by BMC AMI Copy, BMC AMI Recover, or BMC AMI Log Master and you can eliminate the key.
Key destruction steps are:
- Delete backups of the current key data set on both the local and remote systems.
- Remove the row containing the key from the local key data set and from the duplicate key data sets on remote systems. Never remove a row from the key data set unless it is the last row in the data set.
- Create backups of the new key data set on the local and remote systems.
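The rotation rule above (a new current key is a new first row, existing rows are never modified) and the destruction rule (only an unreferenced key in the last row may be removed) can be enforced in code. The following is an added example, not BMC's own code: the three-column row layout, the `KEY_ID` column name in the BMCXCOPY rows, and the sample table contents are all constructed for illustration, since the page does not give the real formats.

```python
import secrets
from dataclasses import dataclass
from typing import Iterable


# Assumed row layout for the example; the real key data set format is not given on the page.
@dataclass(frozen=True)  # frozen: an existing row can never be modified in place
class KeyRow:
    key_id: str    # identifier recorded with every image copy made under this key
    key_hex: str   # key material, hex-encoded
    created: str   # local creation timestamp of the row


class KeyDataSet:
    """Ordered key rows: row 0 is the current key, the last row is the oldest key."""

    def __init__(self, rows: Iterable[KeyRow] = ()):
        self._rows = list(rows)

    @property
    def rows(self) -> tuple:
        return tuple(self._rows)

    def current(self) -> KeyRow:
        return self._rows[0]

    def rotate(self, key_id: str, created: str) -> KeyRow:
        """Generate a new current key by inserting a new first row; nothing else changes."""
        if any(r.key_id == key_id for r in self._rows):
            raise ValueError(f"key id {key_id!r} already present; rows are never overwritten")
        row = KeyRow(key_id, secrets.token_hex(32), created)
        self._rows.insert(0, row)
        return row

    def destroy(self, key_id: str, referenced: set) -> KeyRow:
        """Remove a key only if no image copy references it and it is the last (oldest) row."""
        if key_id in referenced:
            raise ValueError(f"key {key_id!r} is still referenced by an image copy")
        if not self._rows or self._rows[-1].key_id != key_id:
            raise ValueError(f"key {key_id!r} is not the last row; only the last row may be removed")
        return self._rows.pop()


def referenced_keys(*copy_tables: Iterable[dict]) -> set:
    """Union of the key ids referenced by image copies in every BMCXCOPY table passed in
    (the local table and each remote site's table). The KEY_ID column name is assumed."""
    return {row["KEY_ID"] for table in copy_tables for row in table}


def demo() -> tuple:
    """Rotate twice, then destroy the oldest key once local and remote copies no longer use it."""
    kds = KeyDataSet([KeyRow("K1", "aa" * 32, "2024-01-01 08:00")])
    kds.rotate("K2", "2024-06-01 08:00")
    kds.rotate("K3", "2024-12-01 08:00")
    # Constructed BMCXCOPY rows for the local and the remote site: K1 is no longer referenced.
    local = [{"COPY_NAME": "IC.A", "KEY_ID": "K2"}, {"COPY_NAME": "IC.B", "KEY_ID": "K3"}]
    remote = [{"COPY_NAME": "IC.B", "KEY_ID": "K3"}]
    removed = kds.destroy("K1", referenced_keys(local, remote))
    return tuple(r.key_id for r in kds.rows), removed.key_id


if __name__ == "__main__":
    print(demo())  # (('K3', 'K2'), 'K1')
```

The check against both the local and the remote BMCXCOPY tables is the important part: a key that is unreferenced locally may still protect an image copy that a remote site relies on for recovery.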
If a key data set is lost or corrupted and not recoverable, you can gain emergency access to the current key data set with a technique called key escrow. After you have created or updated a key data set, the contents are divided into two or more partial key data sets so that no one data set is sufficient to decrypt an image copy. Each partial key data set is sent to a different trusted agent. In the event of an emergency, you can retrieve and reassemble the partial data sets.
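The splitting described above, where every partial data set is needed and no single one is sufficient, can be done with XOR masking. The following is an added example, not BMC's own escrow procedure: it treats the key data set as an opaque byte string, pads all but one partial data set with random bytes, and stores a SHA-256 digest of the original alongside so that a missing or corrupted partial data set is detected on reassembly. The sample contents are constructed.

```python
import hashlib
import secrets
from typing import Sequence


def split_key_data_set(contents: bytes, parts: int) -> tuple:
    """Split `contents` into `parts` partial data sets. Each of the first parts-1 is a
    uniformly random pad; the last is contents XOR all pads, so every part is needed
    and any proper subset carries no information about the contents."""
    if parts < 2:
        raise ValueError("at least two partial data sets are required")
    if not contents:
        raise ValueError("nothing to split")
    pads = [secrets.token_bytes(len(contents)) for _ in range(parts - 1)]
    last = bytes(contents)
    for pad in pads:
        last = bytes(a ^ b for a, b in zip(last, pad))
    # Integrity value to hand to each agent with its part (it reveals nothing about the key).
    digest = hashlib.sha256(contents).hexdigest()
    return pads + [last], digest


def reassemble_key_data_set(parts: Sequence[bytes], digest: str) -> bytes:
    """XOR all partial data sets back together and verify the result against the digest."""
    if len(parts) < 2:
        raise ValueError("at least two partial data sets are required")
    length = len(parts[0])
    if any(len(p) != length for p in parts):
        raise ValueError("partial data sets differ in length")
    out = bytes(length)  # all zero bytes
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    if hashlib.sha256(out).hexdigest() != digest:
        raise ValueError("integrity check failed: a partial data set is missing or corrupted")
    return out


if __name__ == "__main__":
    # Constructed stand-in for the contents of a key data set.
    original = b"KEY_ID=K3;KEY=" + secrets.token_hex(32).encode()
    parts, digest = split_key_data_set(original, 3)
    assert reassemble_key_data_set(parts, digest) == original
    print("three partial data sets created; reassembly verified")
```

Because the last part is the contents masked by fresh random pads, each agent holds data indistinguishable from random noise; only the complete set reconstructs the key data set, which matches the escrow property the text describes.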