Greg – Thanks for your reply, it’s a great overview.
My concern is not with master keys, only with the data keys (we have tested & documented master key recovery procedures). The last half of your answer is a big help. We currently encrypt/decrypt data using one ‘data’ key for all prod data, one key for test, and so on – so we don’t have a high level of change to our key stores. Based on what you pointed out, we could use repro in our current environment, since we use only the CKDS, and the same CKDS on each LPAR (and I do understand that repro is not an ideal recovery choice, and certainly not 100%). My concern would be the deletion of a data key in error and how to recover that key when the key parts are unknown since we use KGUP to automatically generate the key. For example: -KGUP is used to create data key “X”. Data key “X” exists in ICSF memory & the CKDS vsam dataset. -Admin mistakenly deletes “X”. We still have data encrypted with “X” - we need to recover “X”. -Without knowing the key parts, we can easily restore the CKDS in its entirety from a backup when “X” existed, but what if additional key changes were made to the CKDS after “X” was deleted, but before the CKDS was restored? Without knowing the parts, at the current time, our only option would be to use REPRO on the missing record(s). So I think I have my answer – Since we shouldn’t rely on IDCAMS REPRO, and to ensure PCI compliancy, we need to create our data keys with ‘known’ key parts and at least install the ISPF panels & Rexx that allow dual key entry (not the ICSF ISPF panels used for master keys). (http://www-01.ibm.com/support/docview.wss?uid=tss1prs189) Thanks to everyone for your input. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
