Jerry, You have covered the basic technical stuff.
The difficult and crucial part is how you are going to manage your encryption keys. You will need to think about the level of granularity for your keys; which applications have which keys. You will need to determine if you want separate keys for backups. You will need to consult the standards driving your encryption for the lifetime of keys; i.e. how often they need changing. Think in terms of a full key lifecycle, remembering that old backups have old keys. Think about the issues around re-enciphering large quantities of data. Think about issues around data portability. E.g. backups using ADRDSSU and different from those taken using IEBGENER. The first is encrypted under the original key. The second is encrypted under whatever key aligns to the backup data set name. How are you managing your master keys? How often must they be changed? Do you have a secure process for changing them? With encryption turned on you can delete (and effectively erase) multiple terabytes of data in the twinkling of an eye, simply by losing a key. Make sure your recovery systems manage your keys. The last project I worked on was managed as 5 streams of work. 1. Setting up ICSF for data set encryption. 2. Setting up TKE for managing master keys (including on recovery sites). 3. Setting up EKMF/WEB for data key management. 4. Performing the bulk encryption through a test/dev/prod cycle. 5. Designing processes and producing documentation. Hope that helps. Lennie Dymoke-Bradshaw https://rsclweb.com ‘Dance like no one is watching. Encrypt like everyone is.’ -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Edgington, Jerry Sent: 14 February 2022 13:23 To: [email protected] Subject: z/OS file level encryption for Nacha Requirements Hello all, We are looking at setting up z/OS file level encryption. We have 2 Data Centers, both running z15s, with 2 CryptoCards each, one running z/OS v2.1, with IMS v13 and the other running z/OS v2.3 with only VSAM. I am not an Encryption expert, but my question is, what the steps necessary to implement z/OS file level encryption. The steps I think we need to take: - Set the encryption keys, same key for each CryptoCard and same encryption keys for both z15s - Setup ICSF - Setup the CKDS and AES key datasets - Some ACF2 work - Setup/Update STGADMIN and CSFSERV classes - Setup KeyLabels for each type of dataset to be encrypted - Authorize dataset to use the various KEYLABELs as needed - Update dataset allocation to add the KEYLABEL, could be done using DATACLAS, IDCAMS - Re-allocate IMS databases with KEYLABEL We are also looking at turning on file level encryption for all datasets, including IMS on z/OS. Good or bad idea? Also, are they any other options? Thanks for all the advice and help in advance. Jerry Edgington ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
