It's worth pointing out that so-called "clear key" encryption is what 
every other standard server does with the keys.  Except on a mainframe you 
have key-protected memory (and accelerators), so it's a lot harder for 
another task to grab that key.  I'd prefer a different term for "clear 
key" on mainframes -- maybe "privileged key" -- but there it is.

"Secure key" is fairly exotic stuff, but mainframes offer it if you need 
it.  The private keys never appear in memory: they are tucked away inside 
the special tamper-proof cryptographic coprocessor cards.  That also means 
extra I/O out to those cards for crypto processing, so it's not something 
you want to do unless you really "need" it.

The comment downthread is quite astute, that DR planning must take into 
account private key preservation and recovery.  If you lose the key(s) 
you've lost the data.  Fortunately ICSF (the z/OS key management facility 
and crypto API set) has a multi-year track record of keeping those keys 
safe.  With a little bit of planning this stuff really works, even in a DR 
situation.

- - - - -
Timothy F. Sipples
Consulting Enterprise Software Architect
IBM Americas zSeries/z9 Software
E-Mail: [EMAIL PROTECTED]
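As an added illustration of the clear-key versus secure-key distinction and the DR point above (example code, not from the post and not ICSF's real API or token format): a simulated coprocessor whose master key never leaves it, hands applications only wrapped key tokens, and rejects tokens wrapped by a card with a different master key. The HMAC-based wrapping and all names here are stand-ins I constructed for the demonstration.

```python
import hmac
import hashlib
import secrets


def clear_key_mac(key: bytes, data: bytes) -> str:
    """'Clear key' style: the raw key is an ordinary object in application memory."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Coprocessor:
    """Stand-in for a tamper-resistant crypto card. The master key lives only here."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # never returned to any caller

    def _stream(self, nonce: bytes, n: int) -> bytes:
        # HMAC-derived keystream: a toy substitute for the card's real wrapping cipher
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._master, b"ks" + nonce + ctr.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def generate_secure_key(self) -> bytes:
        """Return a key token: nonce || key wrapped under the master key || MAC tag."""
        raw = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        wrapped = bytes(a ^ b for a, b in zip(raw, self._stream(nonce, 32)))
        tag = hmac.new(self._master, b"wrap" + nonce + wrapped, hashlib.sha256).digest()
        return nonce + wrapped + tag  # only this token ever reaches application memory

    def _unwrap(self, token: bytes) -> bytes:
        nonce, wrapped, tag = token[:16], token[16:48], token[48:]
        expect = hmac.new(self._master, b"wrap" + nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            # a token from another card, or from a lost master key, is unusable:
            # this is why DR planning has to cover master-key preservation
            raise ValueError("key token was not wrapped under this master key")
        return bytes(a ^ b for a, b in zip(wrapped, self._stream(nonce, 32)))

    def mac_with_token(self, token: bytes, data: bytes) -> str:
        """The key is unwrapped only inside the card; the caller never sees it."""
        raw = self._unwrap(token)
        return hmac.new(raw, data, hashlib.sha256).hexdigest()
```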

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html