How and when does DB2 leverage hardware encryption support?

Question:

We are looking to move to DB2 Native Encryption for our DB2 pureScale implementation and we had some questions about the hardware acceleration support. We want to know what hardware acceleration is leveraged by DB2 Native Encryption, how we enable it, what code levels we need to be on, and how can we tell it is active?

 

Answer:

Whew, a lot of questions there! :) Let me try to tackle them one at a time.

 

What hardware acceleration is leveraged by DB2 Native Encryption?

DB2 Native Encryption relies on the embedded IBM Global Security Kit (GSKit) software product to recognize and leverage built-in hardware acceleration where possible. Here is the current list of hardware leveraged by GSKit on the different hardware platforms (as of DB2 10.5 FP9 and DB2 11.1).

 

Intel AES-NI

GSKit recognizes and leverages Intel AES-NI in FIPS certified mode. You can determine if your Intel CPU supports AES-NI by looking it up on Intel's ARK website.

 

Power8

GSKit recognizes and leverages the Power8 in-core support for the Advanced Encryption Standard (AES) in FIPS certified mode. You need to be at DB2 10.5 FP9 or DB2 11.1 for this support.


z platform

GSKit recognizes and leverages zSeries CPACF (CP Assist for Cryptographic Functions) for various AES modes and SHA hashing.

 

How do you enable hardware acceleration use for DB2 Native Encryption?

Detection is automatic and there is no change required to use it. 

 

What code levels do we need to be on?

See my answer above, but basically: Intel AES-NI hardware has been leveraged since Native Encryption was introduced in DB2 10.5 FP5, and Power8 support was introduced in DB2 10.5 FP9 and in DB2 11.1.

 

How can we tell when hardware acceleration is being used?

I am hurt that you don't trust us :)

You can validate whether GSKit is utilizing any hardware acceleration by starting up DB2 with diaglevel 4 and looking for this type of message in the db2diag.log:

2017-05-17-18.31.12.886251-240 I222557E618           LEVEL: Info
PID     : 30430                TID : 140378976020224 PROC : db2sysc
INSTANCE: gstager              NODE : 000            DB   : TESTDB
APPHDL  : 0-7
HOSTNAME: hotellnx113
EDUID   : 18                   EDUNAME: db2agent (TESTDB)
FUNCTION: DB2 Common, Cryptography, cryptContextRealInit, probe:1700
DATA #1 : String, 37 bytes
CPU flags(string): 0x1fbee3ffffebfbff
DATA #2 : String, 37 bytes
CPU flags(Uint64): 0x1FBEE3FFFFEBFBFF
DATA #3 : String, 32 bytes
Intel AES-NI capability detected
DATA #4 : String, 37 bytes
Intel RDrand capability not available

You can see the text message "Intel AES-NI capability detected" above, which tells you that GSKit has recognized and will use the Intel AES-NI hardware acceleration.

 

Unfortunately, it appears that we forgot to update this output when the Power8 support came in, so until we get a fix in place, this is what you will see on Power8:

2017-06-26-07.24.45.288224+000 I39204702E574 LEVEL: Info
PID : 64566 TID : 17592597017008 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000
HOSTNAME: plnxntz01
EDUID : 11 EDUNAME: db2sysc 0
FUNCTION: DB2 Common, Cryptography, cryptContextRealInit, probe:1700
DATA #1 : String, 37 bytes
CPU flags(string): 0x000000000000000e
DATA #2 : String, 37 bytes
CPU flags(Uint64): 0x000000000000000E
DATA #3 : String, 37 bytes
Intel AES-NI capability not available
DATA #4 : String, 37 bytes
Intel RDrand capability not available

But don't despair! The key field is the one labeled CPU flags above:

CPU flags(Uint64): 0x000000000000000E


For Power8, as long as the 0x0000000000000008 bit is set in the CPU flags, the Power8 hardware acceleration is in use. In the above example, it is indeed set (E = 8 + 4 + 2), so GSKit recognized and will use the Power8 hardware acceleration.

(We will get some human legible text in there as soon as we can so that you don't have to play with hex bits... unless you want to :)
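
The check described above, as an added example (not DB2 or GSKit code): a Python parser that finds the cryptContextRealInit records in db2diag.log text and decides whether acceleration is in use, reading the text message on Intel and the 0x8 CPU flags bit on Power8. The function names, the `platform` argument and the trimmed sample records are assumptions of this example.

```python
import re

POWER8_BIT = 0x8  # per the post: set in CPU flags when Power8 acceleration is in use

# Constructed samples: the two db2diag.log records quoted in the post, trimmed.
INTEL_LOG = """\
2017-05-17-18.31.12.886251-240 I222557E618           LEVEL: Info
FUNCTION: DB2 Common, Cryptography, cryptContextRealInit, probe:1700
CPU flags(Uint64): 0x1FBEE3FFFFEBFBFF
Intel AES-NI capability detected
"""
POWER8_LOG = """\
2017-06-26-07.24.45.288224+000 I39204702E574 LEVEL: Info
FUNCTION: DB2 Common, Cryptography, cryptContextRealInit, probe:1700
CPU flags(Uint64): 0x000000000000000E
Intel AES-NI capability not available
"""

RECORD_START = re.compile(r"^\d{4}-\d\d-\d\d-\d\d\.\d\d\.\d\d\.\d+[+-]\d+ ", re.M)
CPU_FLAGS = re.compile(r"CPU flags\(Uint64\):\s*0x([0-9A-Fa-f]+)")

def crypto_init_records(log_text):
    """Yield the text of each db2diag.log record logged by cryptContextRealInit."""
    starts = [m.start() for m in RECORD_START.finditer(log_text)]
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        record = log_text[begin:end]
        if "cryptContextRealInit" in record:
            yield record

def acceleration_in_use(log_text, platform):
    """Return (flags, in_use) for the last crypto init record, or None if absent.

    platform ("intel" or "power8") is supplied by the caller (an assumption of
    this example); the record itself does not name the architecture.
    """
    found = None
    for record in crypto_init_records(log_text):
        match = CPU_FLAGS.search(record)
        if not match:
            continue
        flags = int(match.group(1), 16)
        if platform == "power8":
            in_use = bool(flags & POWER8_BIT)  # ignore the misleading Intel text
        else:
            in_use = "Intel AES-NI capability detected" in record
        found = (flags, in_use)
    return found
```

A plain text search for "capability detected" reports no acceleration on the Power8 record, which is why the Power8 branch tests the flag bit instead.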

 

Hope this helps,

 

Paul.
