On second thought, I agree - I was out of scope. Sorry, Mike. Like you, I get *very* confused. This encryption business is a *lot* more complicated than this mere mortal can fully understand :-)
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]] On Behalf Of R.S.
Sent: Wednesday, April 19, 2006 2:54 PM
To: [email protected]
Subject: Re: ICSF

I dare to disagree.

1. Master key is something out of scope. Indeed, it is used for enciphering data and transport (in fact all but master) keys, because the keys are stored in VSAM KSDS. The keys to be safe have to be encrypted. Encryption requires ...keys, but the only one. Master. This master key is kept in crypto-HW storage. Key is kept in clear form, but the storage is tamper-proof. However you don't need to know master key neither in your data centre, nor in DR centre.

2. crypto-H/W need not to be equally the same. Even if your secondary HW does not like your CKDS, you can still use the same crypto-API. What is needed is clear form of data key. Of course the API function used has to be available in both centres (US: centers ?).

In simpler words: your headache should be to have data key available in both locations, don't care about the master key.

Disclaimer: I meant ICSF *only*. Do not extrapolate it for other cryptography systems.

--
Radoslaw Skorupka
Lodz, Poland

Hal Merritt wrote:
> Herea key, therea key, everywhere a key key, eieio*
>
> Don't forget to mention Master Keys. Products that use ICSF may also use
> the key clusters as key repositories for the various types of keys.
> Those clusters are encrypted using the Master key.
>
> So, part of a recovery plan would have to include setting the Master
> keys on each LPAR of the target processor. Which assumes that your DR
> processor has compatible crypto features installed and active.
>
> And, of course, the Master Key should not be transported in the open.
> Some auditors insist that the Master key (even encrypted) be in parts,
> one part per security officer (not the sysprog), and entered from a
> secure point (such as a Trusted Key Entry device).
>
> It follows that you will need transporter(?) keys for the Master Key,
> and, depending on your set up, key entry keys for your security
> officers.
>
> Then, after your DR is complete, the crypto facility on the processor
> has to be cleared.
>
> Head hurting? Yea, mine too ;-)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

