Create a Keystore with onkstore

A keystore file is required by any instance that has the storage space encryption feature enabled. This keystore file has a ".p12" extension. It may also have an associated password stash file whose extension is ".sth".

When referring to a keystore file with onkstore or in the value of the DISK_ENCRYPTION configuration parameter, always omit the “.p12" extension.

A keystore file that contains your instance’s encryption key is called a local keystore file. The simplest way to create a local keystore file is as follows:

onkstore -create -file my_keystore -type local -cipher aes128

The result of that command is a file located in the $INFORMIXDIR/etc directory called my_keystore.p12, which contains a 128-bit (16 byte) encryption key. That p12 file is encrypted using a password, which must be provided interactively when prompted for. By default, the password is stored in a stash file. The path to the stash file is $INFORMIXDIR/etc/my_keystore.sth.

To provide the new password on the command line when creating a new keystore, use these commands instead:


 echo "sample_password" > pw_file
 onkstore -file my_keystore -type local -cipher aes128 -pw pw_file
 rm pw_file

The password must be at least 8 characters long. In this case “sample_passwd" would also be stashed encrypted in $INFORMIXDIR/etc/my_keystore.sth.

As the encryption password is known, the admin has the option of removing the stash file and supplying the password to oninit manually each time the server is booted:

oninit -pw
Please enter current encryption password: sample_password

Instead of supplying the password interactively, it may be passed to oninit using a file:

touch /tmp/mypassword
chmod 660 /tmp/mypassword
echo “sample_password" > /tmp/mypassword
oninit -pw /tmp/mypassword
rm /tmp/mypassword

The keystore file will be located in $INFORMIXDIR/etc by default, but you can also move or create it elsewhere by specifying a full path (minus the .p12 extension):

onkstore -create -file /work/KEYSTORES/my_keystore -type local -cipher aes128

If your keystore file is not located in $INFORMIXDIR/etc you must use the full path in your DISK_ENCRYPTION setting:

DISK_ENCRYPTION keystore=/work/KEYSTORES/my_keystore

Like $INFORMIXDIR/etc, the directory containing your keystore file must have ownerships of informix/informix.

When creating a keystore file with onkstore you must specify which of the three supported ciphers you wish to use: aes128, aes192, and aes256. By default the server assumes you are using aes128, but if not, the admin must specify the cipher in the DISK_ENCRYPTION setting:

DISK_ENCRYPTION keystore=my_keystore,cipher=aes256

The DISK_ENCRYPTION setting consists of comma-separated attributes and may contain no quotes or spaces.

A keystore file that contains AWS (Amazon Web Services) credentials instead of an encryption key is called a remote keystore file. Run the following command to create a remote keystore file interactively:

onkstore -create -file my_aws_keystore -type AWS_EAR -cipher aes192

onkstore will then prompt you for AWS credentials and other information that will identify the key you want to either create or use. For example:

 $ onkstore -create -file my_aws_keystore -type AWS_EAR -cipher aes192
Creating AWS EAR Keystore
AWS Key Id
>AKCAIPP520LF4AJBOTXA
AWS Key Secret
>TCEmlasjdflkjbasNHFAI6BHOwj4XHe50ic7LCt9
AWS Region
>us-east-1
AWS CMK Id
>16fd15d9-db8b-4cb7-9d99-d3070df97b58
SSM Key Location
>/informix/keys/aes192/key1

This is not your actual encryption key. They are merely pieces of information that when put together allow the server to access a particular encryption key stored in AWS. If the terms “CMK Id" and “AWS Region" are not familiar to you, it is because you do not yet have an AWS account set up. Familiarity with an AWS account you are able to manage is a prerequisite for creating a remote keystore file using onkstore.

Rather than providing these details to onkstore interactively you have the option of feeding a json file to the utility instead:

onkstore -create -file my_ks -cipher aes192 -credential /tmp/my_creds.json

In this case the /tmp/my_creds.json file would contain something like this:

{
"Credentials" :
{
"Type" : "aws-ear",
"AWS Key Id" : "AKCAIPP520LF4AJBOTXA",
"AWS Key Secret" : "TCEmlasjdflkjbasNHFAI6BHOwj4XHe50ic7LCt9",
"AWS Region" : "us-east-1",
"AWS CMK Id" : "16fd15d9-db8b-4cb7-9d99-d3070df97b58",
"SSM Key Location" : "/informix/keys/aes192/key1"
}
}

If this command is run and the master encryption key does not exist in AWS at the specified location (/informix/keys/aes192/key1), onkstore will attempt to generate one and store it there. If the credentials point to an existing key, onkstore will create the keystore file and leave the key as-is.

The -pw argument works the same way with remote keystore file creation as it does with local keystore creation.

Do not use the AWS-BAR type when creating a keystore for use with the storage space encryption feature. This type of keystore is used with the Integrated Backup Encryption feature.