I wouldn't put a key in the catalog, but in another encrypted dataset
"SYS1.CATLGKEY" with catalog and key.

You can put everything into the master catalog, to each user having their
own catalog, so the site can configure catalogs as they wish. And
published procedures to split some files off to a different catalog or
merge one catalog into another, both of which would require decrypt old key,
encrypt new key steps added.

On Tue, Jul 22, 2025 at 7:49 AM Russell Witt <
[email protected]> wrote:

> Mike,
>
> Interesting idea, but the way Pervasive Encryption from IBM works is that
> the key is assigned via the External Security system (RACF, ACF2, Top
> Secret) or JCL parameter or SMS Data Class. Since a catalog could be
> defined to contain both PAYROLL and WAREHOUSE high-level-qualifiers in it;
> would you want them encrypted with the same key? The use of ESM's to
> control seems to be the primary way that IBM recommends (though coming from
> the storage side I like SMS Data Class) and a RACF rule for PAYROLL data
> sets is normally VERY unique and different from WAREHOUSE data sets. What I
> don't like is the lack of key management. I would hate to see a requirement
> that every year or two you MUST change all your RACF rules to point to a
> new key. And don't get me started on what to do with old archived data -
> that is a completely different topic.
>
> ...SNIP...
>
> > How about a unique key for each catalog?  I.E. Master and each user
> > catalog.
> --
> Mike A Schwab, Springfield IL USA
> Where do Forest Rangers go to get away from it all?
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to [email protected] with the message: INFO IBM-MAIN
>


-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?
