The "Encryption Facility for z/VSE" product is used to transport data
between VSE and z/OS or other platforms that would accept data encrypted
by "Encryption Facility for z/OS".
It does *not* support "data at rest". It does allow you to copy and
encrypt a file, but the whole file has to be decrypted and restored
before it can be used by the system. That is not "data at rest".
There is only one "data at rest" product for VSE: Dino/Protect.
I developed Dino/Protect back in 2007. http://www.dinoprotect.com
But, here is the real crux of the matter. While I sold about a dozen
copies of the back-up encryption piece, nobody in the VSE community
thought "data at rest" was needed. All they want is encrypted backups.
And, since then, encrypted tape drives have been developed by IBM so
everybody is going that route.
So, it's available, but nobody came to the party.
For those that are wondering about the key, the root for the key is a
random string somewhere in the middle of the software. The root is
manipulated, then ORed, then encrypted, then manipulated again prior to
actually being used as the key to call CPACF. (The manipulation and
encryption is also done by the CPACF.) And, while it's just 128 AES, I
could easily support any key length supported by CPACF.
The software even supports encrypting just specific fields, of any
length, within the record. It also has program controls so that an
IDCAMS EXPORT does not decrypt the data during backups.
But, again, nobody came to the party. :-(
Tony Thigpen
Joerg Schmidbauer wrote on 06/19/2017 09:22 AM:
Todd pointed me to this topic, because it's a z/VSE related question, not z/OS.
From my point of view Tony and Todd explained everything correctly.
Just one additional info:
There is an optional feature "Encryption Facility for z/VSE" that allows
encrypting data at rest (Librarian members, VSAM files, backup tapes, real
tapes and vtapes).
Its functionality and usage is described in the z/VSE Administration Guide:
https://www.ibm.com/systems/z/os/zvse/documentation/#vse
It uses CPACF and crypto cards transparently. CPACF is used for encrypting the
data. A crypto card is needed only when using public-key encryption (refer to
the book) with an RSA key greater than 1024 bits. The other option is
"password-based" encryption, where the symmetric key gets derived from a
password/passphrase.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
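The "password-based" option Joerg describes above (a symmetric key derived from a passphrase, then AES on the data) is shown below as an added, stand-alone example. It is not code from Encryption Facility for z/VSE, Dino/Protect, or anyone in this thread, and it runs in software rather than calling CPACF. The thread does not say which key-derivation function or cipher mode the product uses, so the choice of PBKDF2-HMAC-SHA256 with a 200,000-iteration work factor, a random 16-byte salt, and AES-128-GCM is an assumption made for the example; the sample customer record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	kdfIterations = 200000 // assumed work factor; the thread does not state what the product uses
	saltLen       = 16     // assumed salt length
	aesKeyLen     = 16     // AES-128, the key size mentioned in the thread
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2)
// so that the example needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	blocks := (keyLen + mac.Size() - 1) / mac.Size()
	out := make([]byte, 0, blocks*mac.Size())
	for i := 1; i <= blocks; i++ {
		// U1 = PRF(P, S || INT(i)), with i as a big-endian 32-bit counter
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(P, U_{j-1});  T_i = U1 xor U2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives the AES-128 key for this passphrase/salt pair and wraps it in GCM.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, aesKeyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptWithPassphrase seals one record. Output layout: salt || nonce || ciphertext+tag.
// The salt is also passed as associated data, so swapping it is caught by the tag check.
func EncryptWithPassphrase(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// DecryptWithPassphrase reverses EncryptWithPassphrase. A wrong passphrase derives a
// different key, so the GCM tag check fails and an error comes back instead of garbage.
func DecryptWithPassphrase(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce := blob[saltLen : saltLen+ns]
	return gcm.Open(nil, nonce, blob[saltLen+ns:], salt)
}

func main() {
	record := []byte("CUSTNO=000123 NAME=EXAMPLE CUSTOMER") // constructed sample record
	blob, err := EncryptWithPassphrase("correct horse battery staple", record)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptWithPassphrase("correct horse battery staple", blob)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = DecryptWithPassphrase("wrong passphrase", blob)
	fmt.Printf("wrong passphrase: err=%v\n", err)
}
```

The point worth taking from this, relative to the thread: with password-based encryption the passphrase is the only secret, so the iteration count (and the salt, which forces a fresh derivation per file) is what stands between an offline dictionary attack and the data. Lowering the iteration count to make backups faster lowers that cost by exactly the same factor.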