Simple container-based Minio deployment for Db2

MinIO console with Db2-generated files

You probably have read that I am testing Db2 external tables and remote storage. External tables are data files stored outside the database itself, either in the local file system or on (typically) S3-compatible object storage. To be able to test everything locally, even without Internet connectivity while traveling, I installed and configured MinIO. Here are the few steps to get it up and running as a Docker/podman deployment.

Cloud Security: BYOK vs. KYOK explained

Keep and bring your own key

When talking about cloud security and key management systems (KMS) for data encryption, we often hear the terms BYOK and KYOK. But what do they mean and what is the difference? Let me try to explain in this quick write-up. BYOK stands for "bring your own key" and refers to the ability to import an existing - your own - encryption root key into a (cloud-based) key management system.

Cloud-based HSM with PKCS #11 for Db2 Native Encryption

Manage your encryption keys

When using Db2 databases, there are a different ways to encrypt the stored data (data at rest). One of them is to use the built-in feature, Db2 native encryption. It supports three kinds of keystores, a local keystore file or centralized key management systems (KMS) based on KMIP or PKCS #11 protocols.

Today, I want to point you to a tutorial in the IBM Cloud documentation. It discusses using Hyper Protect Crypto Services PKCS #11 for Db2 native encryption.

Use Chromium-based browsers to manage FIDO security keys

Add fingerprint to FIDO key

Recently, I made a discovery that simplified how I manage my FIDO security keys. Instead of using a vendor tool to set a PIN or add fingerprints, I now switched to utilizing a Chrome- / Chromium-based browser for the administration. This works well on my Linux box. In this blog post, I am going to detail some of the features available.

Control your database encryption keys for Db2 on Cloud

Db2 master key managed by IBM Cloud Key Protect

Since Db2 10.5 I have blogged a couple of times about the native database encryption built into Db2. Today, I want to show you how easy it is to take control of the database encryption keys for Db2 on Cloud. All Db2 database on IBM Cloud are encrypted by default, but with a system encryption key. You can increase data security even further by using your own encryption key (BYOK - bring your own key). Want to know how? Read on...

Using your FIDO2 key for 2FA on IBM Cloud apps

Architecture: End-to-end security

Last week I read the blog on how to protect cloud apps with App ID by using the IBM Cloud Identity user directory. That blog discusses how to configure IBM Cloud Identity as SAML-based identity source for IBM Cloud App ID. Because Cloud Identity supports FIDO2 devices for second factor authentication (2FA) as beta feature, I wanted to test how easy it is to use my USB FIDO2 devices for securing my web apps. For that purpose I picked the app from the solution tutorial discussing end-to-end security for an application on IBM Cloud. App ID is part of the solution architecture (see the diagram).

Use a Delivery Pipeline to rotate credentials

Job in Delivery Pipeline to rotate keys

In my recent posts I touched on updating credentials for solutions deployed on IBM Cloud Functions or using Cloud Foundry on IBM Cloud. Today, I am showing you how to rotate API keys and passwords for a containerized solution on IBM Kubernetes Service that makes use of a delivery pipeline (devops). I am going to use the app discussed in the tutorial on how to apply end to end security to a cloud application.

Cloud-based FIPS 140-2 Level 4 crypto service

Locks, keys, and data security

Yesterday, I got my hands on a FIPS 140-2 Level 4 cloud-based crypto service. If you are asking "what's that and what can I do with it?" you should continue to read. It is a dedicated HSM (Hardware Security Module) to manage encryption keys and offered as IBM Hyper Protect Crypto Services on IBM Cloud (HPCS). Here is what I learned while using the service.

Enterprise digitalization and cybersecurity: How companies struggle

Cybersecurity Workshop at Zeppelin University

Last Friday, 25.01.2019, I attended the Cybersecurity workshop of the "Bodensee Innovationscluster Digitaler Wandel" (digitalization). The innovation cluster is organized by the Zeppelin University in Friedrichshafen. It tries to bring together companies from the wider Lake Constance region that are impacted by digitalization. The researchers have identified four topics that will be addressed:

Use a custom domain, manage TLS certificates and apply e2e security to cloud app

End to end security for a cloud app on IBM Cloud

Well, that title is a little bit long and ugly, but it basically describes what I wanted to tell you about today. A while ago, I blogged that my team published a tutorial "Apply end to end security to a cloud application". It demonstrates how to use secure network traffic (data in transit), cloud object storage (data at rest), and the app itself by access control (authentication). The app runs on the IBM Cloud Kubernetes Service (IKS). By default, the app is exposed on an IBM Cloud-supplied hostname and domain. I updated the tutorial to show how to use a custom domain and deploy a TLS certificate managed by the IBM Cloud Certificate Manager.

BYOK to encrypt Kubernetes secrets on IBM Cloud

Add Key Protect

Few days ago, it was announced that IBM Cloud Key Protect integrates with the Kubernetes Service. It means that cluster secrets such as service credentials, TLS certificate information and other confidential information can be encrypted using a managed root key. That root key is either generated or can be imported (bring your own key, BYOK). What needs to be done to wrap this additional layer of security around your cluster? Read on.

Tutorial on how to apply end to end security to a cloud application

Before you head out to the weekend I wanted to point you to a new cloud security tutorial. If you read this at the beginning of your week: What a great start... ;-)

Did you ever wonder how different security services work together to secure a cloud application? In the new tutorial we use

• IBM Cloud Activity Tracker to log all security-related events. This includes logging in to the account, provisioning or deleting services, working with encryption keys and more.
• IBM Cloud Key Protect to manage encryption keys. For the tutorial, we generate a root key for envelope encryption of stored files. You could also import your own root key (bring your own key, BYOK). We use the root key to create encrypted buckets in the IBM Cloud Object Storage service.
• IBM Cloud Object Storage (COS) service to produce expiring links to individual files. The links can be shared with others and expire after the set amount of time, so that the file cannot be accessed thereafter.
• IBM Cloud App ID as a wrapper around (enterprise and social) Identity Providers to manage authentication and authorization through a single interface. The App ID service can be directly integrated with Kubernetes Ingress.
• IBM Cloud Container Registry as a private image registry from which we deploy the application as container into a Kubernetes cluster (IBM Cloud Kubernetes Service). The container registry includes a Vulnerability Advisors that scans for and assesses container vulnerability and then recommends fixes.

Best of all, the code for the security tutorial is shared on GitHub in this repository. If you are in a hurry, it even allows you to deploy the full Node.js in Docker application and its services with the press of a button via toolchain.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

How to: Enable Let's Encrypt SSL wildcard certificates for your IBM Cloud apps

Private data - secured

Early last year, I wrote about how to improve security for your custom domains on IBM Cloud. I pointed out that I was using the bluemix-letsencrypt wrapper for Cloud Foundry app to generate and retrieve SSL certificates issued by Let's Encrypt. Today, I am going to introduce you to another option which I am using. Recently, Let's Encrypt announced the support and availability of wildcard certificates. With such a wildcard certificate, all of my IBM Cloud apps available under a custom domain are covered (and secured). So let's take a look at what I did.

Introduction to Cloud App Security - Part 1

Security for Cloud Apps

Providing a secure app or application is a fundamental requirement. This is especially true in a cloud environment. In my post about “Securing Workloads on the IBM Cloud” I discussed the various layers that realize secure cloud computing. Today, I want to focus solely on apps that are built for deployment in the IBM Cloud. What makes up a secure app? What cloud services help establishing app security? Let’s take a look together.

Note that this is part 1 of 2. Part 2 is linked at the bottom.

Introduction to Cloud App Security - Part 2

(This is a continuation from part 1 of this introduction to Cloud App Security.)
Providing a secure app or application is a fundamental requirement. This is especially true in a cloud environment. In my post about “Securing Workloads on the IBM Cloud” I discussed the various layers that realize secure cloud computing. Today, I want to focus solely on apps that are built for deployment in the IBM Cloud. What makes up a secure app? What cloud services help establishing app security? Let’s take a look together.

App Security Services

To focus on the application logic, the functionality and business side, developers can delegate or “outsource” some of security tasks. Here is a non-exhaustive list of services that the IBM Cloud with the Bluemix platform provides. I am going to use the list of security topics from above:

DB2 Easter Egg Quiz - Kind of

Are you ready for a new DB2 quiz? Here is a tricky question for you. It is about DB2 security, it is (kind of) hardware-related and deals with a relatively new DB2 feature. Curious...?

The following shows the output of a DB2 tool, shipped with your regular DB2 LUW these days:

Keystore Password:
Password successfully stashed to db2_pkcs11_pwd.sth
 
xxxxx completed sucessfully.


Have a clue? (The "xxxxx" is replacing the name of the db2 tool). If you know the answer, comment and also paste the link to the page in DB2 Knowledge Center describing that tool. I will publish the comments in the next few days.

Securing Workloads on IBM Cloud - Some Resources

Security Guides for IBM Cloud

Recently, I provided you with an overview of security and compliance resouces for IBM dashDB and Cloudant. Today, I want to take a broader view and point you to some good introductory material on security for cloud-based workloads. It consists of an overview of different cloud deployment models and their components. Then it digs into each of those categories and takes a look at how to secure those components and the data.

DB2 Encryption: Some rotation before the weekend

Some bits on encryption...

Some while ago I wrote about DB2 encryption and how to rotate the master key. Well, today I rotated the master key again and looked at the metadata before and after the key rotation. I started with an encrypted database that I created some months ago.

The first step was to obtain the encryption information, i.e., metadata about the encrypted database. This can be done in two ways: Either using the utility db2pd or by calling the table function ADMIN_GET_ENCRYPTION_INFO.

Dealing with DB2 Security and my Stupidity...

Today I wanted to test some options around encrypting DB2 backups and restoring encrypted database backups. I can report that the security features work, only my stupidity (or call it "vacation readiness") caused some delays.

In my previous blog entries I already showed you how to create an encrypted DB2 database using the new "native encryption" and how to rotate the master keys using built-in procedures. Next in my list to test was taking an encrypted database backup. It is pretty straight-forward, just call BACKUP DATABASE and add the ENCRYPT option:

[henrik@mymachine]$ db2 backup database enc1 encrypt

Backup successful. The timestamp for this backup image is : 20150504135739

Boss, I rotated the keys! (DB2 database encryption)

In my previous entry I wrote about how I created an encrypted database. Today, I am showing you how I rotated one of the keys used for the DB2 native encryption.

The key to security (Evan-Amos via Wikipedia)

DB2 uses a two tier approach for encrypting the data. A so-called Data Encryption Key (DEK) is the one actually taken as input for the encryption algorithm. To prevent others from accessing and seeing the DEK, a second layer is added and the so-called Master Key (MK) comes into play. The MK is used to encrypt the DEK. The encrypted DEK is stored inside the database, the MK outside of it and there are options for how to handle it. Walid has details about the encryption keys and the overall architecture in his blog.

Because the Master Key is stored outside of the database and is the one that needs to provided when starting up DB2, it is a good time to change it from time to time. Many companies actually have security policies that require periodical change of passwords. That is the moment to use the new DB2 administrative procedure ADMIN_ROTATE_MASTER_KEY. If you went with the option of DB2 generating the MK for you (I did for simplicity), then you only have to call the procedure and be done:


db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY (NULL)"

  Value of output parameters
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20

  Return Status = 0

The call generates a new master key and associated label and then re-encrypts the Data Encryption Key with the new MK. If you provided a Master Key and label during the setup yourself, then you have to change the MK first and then call the procedure with the label as parameter.

Of course, if you noted down that generic label that DB2 generated for you, then you could use it as input. It would use the stored Master Key to re-encrypt the DEK. It would not change any password in that case. So be careful!


db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY ('DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20')"

  Value of output parameters
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : DB2_SYSGEN_hloeser_ENC1_2015-01-22-12.01.20

  Return Status = 0