> On Sep 11, 2017, at 10:27 AM, Mike Baldwin <[email protected]> wrote:
>
> z/OS Data Set Encryption is a fantastic new feature, kudos to IBM, and I don't
> mean to detract from its wonderfulness.
>
> That's a good point, and I understand, if a new disk dataset is encrypted,
> then copying it to tape will maintain encryption. Very good, especially for
> HSM.
> Mentioning 3390 makes the scope of support much clearer, thank you.
>
> But...
> The feature is called "Data Set Encryption", not "Disk Data Set Encryption",
> so there is an expectation that it would (directly) apply to tape as well.
> The FAQ "difference"s does not mention that this method is different
> (from Encryption Facility) with respect to device type/class, i.e. 3390 yes,
> tape no.
>
> There are many programs that write directly to device type 3490 (and 3590-1),
> both of which can be virtual (not using TS11x0 hardware encryption).
> Unknown whether they are copying data from disk, or not.
> I looked at 10 medium-sized customer tape databases (RMM extract, etc.), and the
> top 10 programs (other than HSM ADR* etc) were:
> 1 IEBGENER
> 2 DBUTLTY
> 3 HASJES20
> 4 ICE*
> 5 NSX*
> 6 DSN*
> 7 IDCAMS
> 8 SYNCSORT
> 9 FILEAID
> 10 JHS*
>
> and there are many others.
> Tape data has moved from off-line, to near-line, to pretty close to on-line
> these days.
> That is, it is very accessible, and I believe no less sensitive than data
> stored on disk.
>
> Consider a job executing a program that writes a dataset, and the DSN
> resolves to a disk dataset.
> The data could be encrypted - great!
> In another job, same program but a different DSN that resolves to a tape
> dataset.
> Not encrypted due to device type - not good.
>
> It would be helpful to know if there is an intent to extend this feature to
> the tape device class,
> or if customers need to differentiate between datasets written to disk
> (potentially encrypted) and tape (needing a different encryption technique,
> or change to disk and then backup to tape).
> Also helpful would be support for EXCP access method.
> Does IBM give any hints, Timothy?

This poses a question from me. Let us say you create a simple sequential data set on disk. DFHSM comes along and it is eventually migrated to tape. Is the dataset de-encrypted while on tape and then if it is recalled does it get encrypted again?

The secondary question is if there is a key associated with a data set? If so, how/where is the key held? Is there someplace where I can learn about how this "magically" happens? Or is this similar to the password in the RACF database?

Ed

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
