Protecting IBM i data with encryption

by Kent Milligan, Beth Hagemeister

Last updated: 2014-03-14

© Copyright IBM Corporation, 2008. All Rights Reserved.
All trademarks or registered trademarks mentioned herein are the property of their respective holders.


This paper focuses on encrypting data at rest (primarily, data stored in IBM DB2 for i tables and physical files). It also discusses recommended practices for managing encryption keys.


Reports of personal data being stolen or compromised appear regularly, so it is no surprise that consumers are demanding more in terms of data protection and privacy. As a result, there is strong demand for data encryption on the IBM® System i™ platform, as on all other computing platforms.

Before pursuing new methods of data protection with encryption, it is important not to overlook the first step in securing IBM DB2® data: object-level security. Utilization of robust object-level security services provided by the IBM i operating system (formerly known as IBM i5/OS® and IBM OS/400®) is critical in protecting your DB2 data, regardless of the interface used for data access. With users requiring more data-access interfaces, System i shops cannot rely on menu-based security for controlling access to sensitive data. Object-level security prevents unauthorized users from accessing or changing sensitive company financial data (for example, earnings data).

Data encryption offers another protection layer around DB2 columns containing sensitive data. This extra security level is needed because object-level security cannot prevent authorized users (such as help-desk personnel) from viewing sensitive data. Nor can it prevent a hacker from reading sensitive data by using stolen credentials (ID and password). If sensitive data is stored in an encrypted format, then by default a binary string of encrypted data is always returned to all users. To view the actual data, the user needs authorization to access the DB2 object as well as the encryption key and decryption algorithm.
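
The two layers described above, object-level security and column encryption, can be sketched with the DB2 for i SQL built-in encryption functions. This is an added illustration, not code from the white paper; the table, column, user profile (APPUSER), password and card number are constructed sample values.

```sql
-- Added illustration; all object names and values are constructed.
-- Encrypted values are binary, so the column is declared FOR BIT DATA and
-- sized generously to hold the ciphertext plus the encryption overhead.
CREATE TABLE customer (
    cust_id   INTEGER NOT NULL PRIMARY KEY,
    cust_name VARCHAR(50),
    card_enc  VARCHAR(64) FOR BIT DATA
);

-- Layer 1: object-level security. Remove public access and grant only the
-- privileges the application profile needs (APPUSER is hypothetical).
REVOKE ALL PRIVILEGES ON TABLE customer FROM PUBLIC;
GRANT SELECT, INSERT ON TABLE customer TO APPUSER;

-- Layer 2: column encryption. The password is set for the current session
-- and used implicitly by ENCRYPT_AES and DECRYPT_CHAR. A literal is used
-- here only for illustration; an application would normally supply it
-- through a host variable so it never appears in source or SQL text.
SET ENCRYPTION PASSWORD = 'constructed-sample-pw';

INSERT INTO customer (cust_id, cust_name, card_enc)
    VALUES (1, 'Sample Customer', ENCRYPT_AES('4111111111111111'));

-- Any user authorized to the table, including one who does not know the
-- password, sees only the binary string of encrypted data by default.
SELECT cust_id, cust_name, card_enc
    FROM customer;

-- Only a session that is authorized to the table AND has the correct
-- encryption password can recover the original value. In a session with
-- no password or the wrong password, this statement fails with an error.
SELECT cust_id, cust_name, DECRYPT_CHAR(card_enc) AS card_number
    FROM customer;
```

A stolen user ID and password gets an attacker past the GRANT check but still returns only ciphertext from the first SELECT, which is why the encryption password must be managed separately from user credentials.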