On 6/19/2017 8:00 AM, Todd Arnold wrote:
> - If you need "secure keys" - keys that are protected by hardware that
> cannot be subverted, even by the highest-technology methods - then
> use CEX. (But if you need a lower level of security, consider CPACF
> Protected Key mode.)

I would note that CPACF protected keys are *very* secure, as they are
good only on the system that generates them for the life of that IPL.
While not impregnable like secure keys, they usually end up on the plus
side of scales when you consider the possibility of breaking the
encryption of a CPACF encrypted key vs the significant reduction in
elapsed time over the CEX when processing large amounts of data.

ICSF *can* convert a secure key to a CPACF protected key for use by the
cipher instructions if the appropriate options and security profiles are
established.

Regards,
Greg