> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Rob Schramm
> Sent: Wednesday, November 16, 2011 12:06 PM
> To: [email protected]
> Subject: Re: Data encrypt
>
> Seems like it would be something complicated... but it isn't.
>
> The requirement has already been met. Just do the coding normally for
> a symmetric key that will be managed as a secure key with ICSF. Turn
> on the RACF classes that change how the key is managed and moves it
> into Protected Key... and voilà... you are done! The system will wrap
> it and move it into HSA. ICSF will do the work to use CPACF for the
> encryption / decryption process.

Yes, but if I understand your point and the reading I've done in the links you sent earlier correctly, this path requires the availability of a crypto coprocessor to create the symmetric (secure) key in the first place. I was speaking of the case where no coprocessor at all is available, ONLY the CPACF instructions. You are not saying that this RACF profile can be created for a labeled clear key stored in the ICSF key store, are you?

> Granted there is more overhead when you use ICSF than using the CPACF
> instructions directly.. but overhead will be minimal in comparison...
> still giving the caller a huge performance gain over typical Secure
> Key.

"Better than Secure Key" I can believe is true, based on the performance numbers in the IBM links you sent. But I would argue that the overhead of ICSF subroutines for clear key (or protected key) operations is NOT minimal by comparison with direct assembler KM/KMC implementations, but is quite large, especially for very high volume batch applications (at least from the testing I have done so far).

Peter

