The onkstore Utility

Use the onkstore utility to create and manage keystore files for use with storage space encryption. When this feature has been enabled for an instance, the server uses a keystore file to retrieve an encryption key during startup. It is not possible to enable or use the storage space encryption feature without a keystore file.

The onkstore utility creates the keystore file in the $INFORMIXDIR/etc directory by default, but the file may be created in and used from any location accessible by the database server, as long as that directory has secure permissions.

With its informix/informix ownership and 600 permissions, the keystore file can be read only by the users root and informix. In addition, the file is itself encrypted using a password. The administrator can specify the password when creating the keystore file or allow onkstore to generate a random one. In either case, by default that password is stored (as a hash value) in a stash file alongside the keystore file. Do not remove the stash file or allow it to be separated from the keystore file unless the password is known; when it is known, the password may be supplied interactively to oninit and to utilities such as oncheck, onlog, ontape, or onbar.

The onkstore utility can create different types of keystore files. A local keystore file contains an encryption key that is used as a “seed” by the server to encrypt storage spaces. An AWS_EAR keystore file does not contain an encryption key. Instead it contains credentials that allow the server to access an encryption key stored off-site, in an Amazon Web Services account.
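The permission model described above (keystore owned by informix, mode 600, stash file kept alongside it, parent directory not writable by others) is easy to state and easy to drift from after a restore or a copy between hosts. The following POSIX shell check is an added example, not part of the onkstore documentation or of the product itself; the stash file name (keystore name plus a .stash suffix) and the default directory derived from $INFORMIXDIR are assumptions.

```shell
#!/bin/sh
# Added example, not from the onkstore documentation. Verifies that a keystore
# file and its stash file carry the ownership and mode the page describes and
# that the containing directory is not group- or world-writable.

# check_private_file FILE OWNER
# Returns 0 if FILE exists, has mode 600 and is owned by OWNER; 1 otherwise.
check_private_file() {
    f=$1
    owner=${2:-informix}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    user=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    if [ "$mode" != "600" ]; then
        echo "bad mode $mode on $f (expected 600)" >&2
        return 1
    fi
    if [ "$user" != "$owner" ]; then
        echo "bad owner $user on $f (expected $owner)" >&2
        return 1
    fi
    return 0
}

# check_secure_dir DIR
# Returns 0 if DIR exists and is neither group- nor world-writable.
check_secure_dir() {
    d=$1
    [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    # POSIX find: -perm -MODE matches when all bits of MODE are set.
    loose=$(find "$d" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)
    if [ -n "$loose" ]; then
        echo "directory $d is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# check_keystore DIR NAME [OWNER]
# Checks DIR itself, DIR/NAME and the stash file DIR/NAME.stash.
# The ".stash" suffix is an assumption made for this example.
check_keystore() {
    dir=${1:-${INFORMIXDIR:-/opt/informix}/etc}
    name=${2:-keystore}
    owner=${3:-informix}
    rc=0
    check_secure_dir "$dir" || rc=1
    check_private_file "$dir/$name" "$owner" || rc=1
    check_private_file "$dir/$name.stash" "$owner" || rc=1
    return $rc
}
```

Run it from a cron job or a post-restore hook as `check_keystore "$INFORMIXDIR/etc" mykeystore informix`; a non-zero exit and a message on stderr identify which of the three conditions failed, so the fix is a chown or chmod rather than a search.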

The onkstore utility has the following usage:

Table 1. onkstore usage

  Option                Description
  -file <fn>            Name of the keystore file to operate on.
                        Type of keystore to create: local, AWS_EAR, AWS_BAR, KMIP_EAR, KMIP_BAR
  -list                 List the contents of the file.
                        Cipher the server will use: aes128, aes192, aes256
  -credential <fn>      File that contains credentials in JSON format.
  -pw [<fn>]            Current password for the keystore, supplied either interactively or in a file.
  -verify               Verify the keystore.
  -convert              Convert the keystore from one type to another.
  -changepw [<fn>]      Change the password for the keystore.
  -help                 Print this message.

Note: -pw is not needed if your password is stashed.
Use the onkstore utility to perform the following tasks:

Copyright© 2019 HCL Technologies Limited