Has anyone else out there looked at the overhead of encrypting all
tapes, which seems to be the approach some are advocating? The obvious
problem from the standpoint of efficiency is that good encryption of the
data, which destroys apparent patterns in the data, will make tape
hardware compression perform poorly. It seems at present that if one
wants to do tape encryption under MVS, you are pretty much also
forced to do data compression (first) to avoid tripling the amount
of physical tape required. You incur not only the CP overhead of the
encryption, but that of compression as well.

We recently did a limited experiment with a software tool that can
front-end DFDSS to encrypt dumps before they are written to a device.
For a full volume dump of a 3390-3 the CPU time (on z/900-106) went from
around 5 secs for uncompressed dump to around 38 secs for a compressed
and encrypted dump, and that was with using the crypto engine. That's a
pretty significant bump if you are talking about hundreds of volumes -
in our case it adds an additional load equivalent to about one CP for
the duration of our nightly 4-hour DR dump cycle.

It would seem like the best place to perform encryption if you really
needed it for most tapes is at the tape subsystem level, so you can also
let the tape hardware compression do its thing. Has IBM or anyone else
yet considered putting a crypto engine in the tape subsystem, so both
compression and encryption could be done at this level?

Short of that, the most hardware-cost-effective technique would be to at
best only encrypt sensitive fields in datasets, or lacking that
capability only encrypt datasets with sensitive records. But, taking
that approach places a non-trivial burden of correct data classification
and implementation on application development, and some things are sure
to fall through the cracks.

Staller, Allan wrote:
Is anyone aware of a method to encrypt DFHSM Backups, Dumps and ML2 data
at time of creation?
An after-the-fact copy of the data is not an acceptable option!
I have RTFM'ed and can find no indication of DFHSM/ICSF (or any other)
encryption support.
Thanks in advance,
--
Joel C. Ewing, Fort Smith, AR [EMAIL PROTECTED]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
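
The ordering point raised in the post (encrypted data no longer compresses, so compression has to come first), as an added example that is not part of the original post. It assumes zlib as a stand-in for tape hardware compression and a SHA-256 counter-mode keystream as a stand-in for the cipher; the sample records and key are constructed.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption for illustration): XOR the data
    with a SHA-256 counter-mode keystream. Applying it twice decrypts.
    A real deployment would use AES from a crypto library or hardware."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def tape_bytes(data: bytes, key: bytes) -> dict:
    """Bytes that would reach the medium under each ordering."""
    ciphertext = keystream_xor(key, data)
    compressed = zlib.compress(data)
    return {
        "raw": len(data),
        "compress_only": len(compressed),
        # Host encrypts, then the drive tries to compress the ciphertext.
        "encrypt_then_compress": len(zlib.compress(ciphertext)),
        # Host compresses first, then encrypts the compressed stream.
        "compress_then_encrypt": len(keystream_xor(key, compressed)),
    }


# Constructed sample: fixed-length records with repetitive, padded fields.
SAMPLE = b"".join(
    b"CUST%08d ACTIVE  PLACEHOLDER CITY 00000000.00 " % n + b" " * 34
    for n in range(5000)
)
KEY = b"constructed-demo-key"  # constructed value, not a real key

if __name__ == "__main__":
    for name, size in tape_bytes(SAMPLE, KEY).items():
        print(f"{name:24s}{size:>10d}")
```

Compressing the ciphertext gains nothing, while compressing before encrypting keeps the full compression ratio because the stream cipher preserves length.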