  • 1.  Encryption and restore

    Posted Tue September 19, 2023 10:58 AM

    Hi folks,

    • Informix 12.10.FC15
    • AIX
    • Using raw devices

    I'm setting up encryption and came up with a doubt/question.

    1. Initialized an instance
    2. Backed up and restored with encrypt option ( ontape -p -encrypt)
    3. Created dbspaces ( took so long )
    4. Created database and imported data
    5. Backed up and restore (ontape -p )

    1. In step 5 above, when I kicked off ontape -p, it asked me to remove the key files. It looks like each restore counts as an attempt to do the encryption. Is this right? I was expecting to use the same keys that I created in step 2 and just do a quick backup/restore, but it wasn't the case, or I'm missing something.
    2. While I deliberately truncated almost all tables, steps 3 and 5 still took a long, long time. It looks like the encryption is going through the whole disk even if it's an empty dbspace?

    Ali Shahnazi

  • 2.  RE: Encryption and restore

    Posted Wed September 20, 2023 03:03 AM

    Hi Ali,

    It has been a very long time since I last worked with Informix, but if I remember correctly, there is a setting in the $ONCONFIG, DISK_ENCRYPTION .. something, to cover encryption in the database.

    Backup / Restore has a flag ontape -r -encrypt

    If you want to store this directly on on-premise storage, sharing the same storage with other servers, then Spictera Unified Storage can be a great help.

    One can send the backup to a VTL on the Spictera Unified Storage, or to an object-storage/bucket/s3, or mount the storage as a file-system mount point.

    The storage is immutable: once the backup is written, it can't be changed/removed. A changed backup is equivalent to a new version of the same file/object.

    This storage works for Any Device, Anywhere using Any Media. Possible to choose media according to defined policies whether it is Disk, CD, Tape, Cloud, NAS...


    # mount -t spfs /backup

    Regards Tomas

    Tomas Dalebjörk

  • 3.  RE: Encryption and restore

    IBM Champion
    Posted Fri September 22, 2023 08:40 AM

    Hi Ali,

    I'd assume the duration of your step 3 is due to chunk clearing, i.e. chunks would be zeroed out over their full size - for obvious security reasons (after all encryption is all about security.)

    For testing purposes, or if you think there's nothing worth wiping out in those chunks before they become part of your Informix instance, this clearing can be suppressed. There used to be a separate onconfig parameter CLEAR_CHK_B4_ENCRYPT for this, but this recently (also in your 12.10.FC15) got bunched together with a set of other parameters into the new KERNEL_CTRL bitfield parameter (see "onstat -g cfg full KERNEL_CTRL").
    To turn on this suppression, or rather to turn off that clearing, you'd have to turn off the respective bit (0x00010) in this parameter's value, i.e. you take the current value (typically the default value, e.g. 0x30b5), remove the 0x10 (turning it into 0x30a5) and use this new value in your onconfig before starting your test.

    To your questions:

    1. yes, in the backup everything would reside un-encrypted, and wherever this gets restored (new or original environment), it will newly encrypt.
      In Version 12 encryption will automatically create new (!) encryption keys each time (phys. restore or oninit -i) and force you to remove old ones.
      In Version 14, though, you'll be forced to provide a key up front, using onkstore utility, so there a pre-existing key would be re-used, afaik.
    2. try what I've described above

    Andreas Legner
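The KERNEL_CTRL bit arithmetic from the reply above, as an added example that is not part of the thread: it clears the chunk-clearing bit (0x10, from the default 0x30b5 quoted above) in a test instance's onconfig, keeps a copy of the original file so the default can be restored after the test, and refuses to guess when the undocumented parameter is not present in the file. The onconfig path and the backup file name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Values 0x30b5 and 0x10 are the ones
# quoted in the reply; the onconfig path passed in is an assumption.

# Print VALUE with every bit in MASK cleared, as 0x-prefixed lowercase hex.
# e.g. kernel_ctrl_without_bit 0x30b5 0x10 -> 0x30a5
kernel_ctrl_without_bit() {
    printf '0x%x\n' $(( $1 & ~$2 ))
}

# Exit 0 when any bit of MASK is set in VALUE, non-zero otherwise.
kernel_ctrl_has_bit() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# Rewrite the KERNEL_CTRL line of an onconfig file for a test instance,
# keeping the original next to it. Usage: patch_kernel_ctrl /path/onconfig 0x10
patch_kernel_ctrl() {
    onconfig=$1
    mask=$2
    current=$(awk '$1 == "KERNEL_CTRL" { print $2; exit }' "$onconfig")
    if [ -z "$current" ]; then
        # The parameter is undocumented and may be absent from the file;
        # read the live value with "onstat -g cfg full KERNEL_CTRL" instead.
        echo "KERNEL_CTRL not present in $onconfig; take the value from onstat -g cfg full KERNEL_CTRL" >&2
        return 1
    fi
    if ! kernel_ctrl_has_bit "$current" "$mask"; then
        echo "bit $mask already clear in KERNEL_CTRL $current; nothing to do" >&2
        return 0
    fi
    new=$(kernel_ctrl_without_bit "$current" "$mask")
    cp "$onconfig" "$onconfig.before-kernel-ctrl"   # assumed backup name
    # Replace the whole line so no stale value survives in a trailing comment.
    awk -v n="$new" '$1 == "KERNEL_CTRL" { print "KERNEL_CTRL " n; next } { print }' \
        "$onconfig" > "$onconfig.tmp" && mv "$onconfig.tmp" "$onconfig"
    echo "KERNEL_CTRL $current -> $new (original kept as $onconfig.before-kernel-ctrl)"
}
```

Restore the saved copy once the test instance is done, since with the bit clear any previous contents of a raw device are left in place under the new chunk.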

  • 4.  RE: Encryption and restore

    Posted Fri September 22, 2023 10:28 PM

    Thanks @Tomas.
    Thanks @Andreas. What you said makes sense to me. In my next attempt, I'll try that and update here for future reference.

    Ali Shahnazi

  • 5.  RE: Encryption and restore

    Posted Tue October 03, 2023 08:36 AM

    Thanks again @Andreas.
    Confirming that your trick worked.
    2 points to share if anyone reached here :)
    1 - KERNEL_CTRL is an undocumented feature ( onstat -g cfg full KERNEL_CTRL)
    2 - If you are combining encryption, redirected restore and STDIO, the order of the parameters in the 12.10 manual does not work.
    # nohup ontape -p -rename -f <filename> -encrypt -t STDIO < backupfile &

    Ali Shahnazi