Configuring Encryption in IBM Informix

Configuring Encryption in IBM Informix can be a little tricky.

To configure encryption in IBM Informix with an external key manager, you can follow these steps:

1. Set up the external key manager: You need to configure it first, as it will be used to manage the encryption keys. The key manager can be any third-party key management system that supports the Key Management Interoperability Protocol (KMIP) standard.
2. Generate encryption keys: You can generate encryption keys using the key manager or existing ones.
3. Configure Informix for encryption: You need to configure Informix to use the external key manager and the encryption keys. This can be done by setting the appropriate configuration parameters in the Informix configuration file (onconfig) or by using the onmode command.
4. Enable encryption on Informix objects: You can enable encryption on various Informix objects such as tables, indexes, and blobs. This can be done using the ENCRYPTED keyword in the CREATE TABLE or CREATE INDEX statements.
5. Test the encryption: Once encryption is configured, you can test it by inserting data into encrypted tables and retrieving it.

Here are some example configuration parameters that you can set in the onconfig file:

KMF_PLUGIN_PATH /path/to/keymanager/plugin
KMF_PLUGIN_OPTIONS "option1=value1,option2=value2"
ENCRYPT_MODE DBSERVER
ENCRYPT_KMIP_SERVERS "kmipserver1:5696,kmipserver2:5696"
ENCRYPT_KMIP_TRANSPORT "TLSv1.2"
ENCRYPT_KMIP_CLIENT_CERT "/path/to/client/cert.pem"
ENCRYPT_KMIP_CLIENT_KEY "/path/to/client/key.pem"

To configure, run the below command.

onkstore -create -file 'KMIP Key Server Name' -cipher aes256

This will prompt multiple options on the type of Key.

1. Local KeyStore
2. AWS EAR Keystore
3. AWS BAR Keystore
4. KMIP EAR Keystore
5. AZURE EAR Keystore
6. AZURE BAR Keystore

Verify the KMIP is updated.

onkstore -file 'KMIP Server Name' -verify