The onkstore Utility

Use the onkstore utility to create and manage password stash files for use with storage space encryption and the integrated backup encryption features.

The onkstore utility will create a password stash file in the $INFORMIXDIR/etc directory by default, but this file may be created and used from any location accessible by the database server as long as that directory has secure permissions.

With its informix/informix ownership and 600 permissions, the password stash file can be read only by users root or informix in UNIX/Linux and the creator of the keystore in Windows. In addition, the file is itself encrypted using a password. The admin must specify this keystore password when creating the keystore. By default that password will be stored (as an obfuscated value) in a stash file along side the keystore file. Do not remove the stash file or allow it to be separated from the keystore file. If you do not want the password to be stashed, use the option "-nostash" when creating the keystore. In that case the password may be supplied interactively to oninit and utilities such as oncheck, onlog, ontape, or onbar.

The onkstore utility can create different types of keystores. A keystore can contain either:
  1. A Master Encryption Key (MEK) that is used as a “seed” by the server to encrypt storage spaces when using the Storage Space Encryption feature.
  2. A set of credentials to access a Remote Key Server that stores the Master Encryption Key for the Storage Space Encryption (DISK_ENCRYPTION) or a set of credentials to access a Remote Key Server that stores the Remote Master Encryption Key used by the Integrated Backup Encryption feature ( BAR_ENCRYPTION).

The onkstore utility has the following usage:

Table 1. onkstore usage
-file <fn> name of keystore to create/list/convert.

type of keystore to create: local, AWS-EAR, AWS-BAR, KMIP, AZURE-EAR, AZURE-BAR

-create create a new keystore. By default stash the password in a stash file. Use option "-nostash" if this is not desired.
-pw <fn>

file with cleartext keystore password. If not provided and the password is not stashed already, it is prompted for interactively.

-list list the contents of the file.

cipher the server will use: aes128, aes192, aes256

-credential <fn> file that contains credentials in json format.
-verify verify the keystore.
-convert convert keystore from one type to another.
-changepw [<fn>] change the password for the keystore. <fn> is the file containing the new cleartext keystore password.
-nostash upon creation of a keystore do not stash the password.
-help print this message.
Note: -pw is not needed if your password is stashed.
Use the onkstore utility to perform the following tasks:

Copyright© 2020 HCL Technologies Limited