Or more simply, if user X has the ability to read with decryption a particular 
encrypted dataset, then s/he can do anything s/he likes with it: download it to 
a PC, print it out, e-mail it, XMIT it, ...

It would be nice if XMIT had some sort of "hey wait a minute -- that dataset 
is/was encrypted" feature, but I think that enhancements to XMIT are unlikely 
at this point.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Lennie Dymoke-Bradshaw
Sent: Wednesday, September 1, 2021 9:20 AM
To: [email protected]
Subject: Re: Am I missing something when doing XMIT with an encrypted data set?

Colin,

Yes, you have found that it is easy to "de-classify" the data. This is why data 
set encryption requires careful design and understanding of the use of the 
data. 

Anyone copying encrypted data they have READ access to will potentially expose 
the data unless you take steps to avoid it. In your case, perhaps you should 
use a userid for which encryption is mandated for new data sets. Even so, you 
can create a clear copy using temporary data sets (e.g. DSN=&TEMP) or copying 
to tape (for which encryption is not supported) or simply using FTP.

In fact ANY copy mechanism which uses the access method will decrypt the data 
if it has access to the data set (via RACF) and access to the encryption key 
(also via RACF). Once decrypted in your program's buffers, the program can do 
what it likes with the data. 

Contrast this with using a physical block mechanism to access the data (like 
DFSMSdss, FDR, or even PPRC) which will pick up physical blocks without 
reference to the encryption mechanism.

Care and design are required to secure your data and its encryption keys.

The ENCIPHER keyword on the XMIT command uses the IDCAMS REPRO facility to 
encrypt. This is a rather old (> 25 years) facility which is not really related 
to current data set encryption.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’


-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Colin Paice
Sent: 01 September 2021 16:43
To: [email protected]
Subject: Am I missing something when doing XMIT with an encrypted data set?

I've set up encryption for some data sets.
I did an XMIT a.a dsn(...) of an encrypted data set, and it was sent 
unencrypted so I could do a TSO receive and read it with no encryption.

This means that your datasets on the local z/OS are very secure - but people 
could unwittingly send them out in the clear.

If I use DFDSS to backup, and then send the dataset it works as expected.
There is "ENCIPHER" on the XMIT command - but I could not get this to work.
Is there some set up I need to do to prevent this?  I was expecting some checks 
along the lines of "this dataset is encrypted, it needs additional checks - or 
use DFDSS under the covers"

Colin

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
