Brian,

One thing that we're all assuming is that you're talking about VSAM.  Is 
that correct?

If it's DB2 (or even IMS), there are some pretty easy ways to get 
encryption.  DB2 V8 has a new ENCRYPT word in its SQL vocabulary for 
column-level encryption.  There's also something called IBM Data 
Encryption for IMS and DB2 Databases, a utility which encrypts at the 
table level (and, thus, doesn't require changing any application code). It 
works with DB2 V7 and V8.  I suppose it would be possible to combine VSAM 
Transparency with Data Encryption for IMS and DB2 Databases to provide 
encryption for a VSAM-based application without application code changes. 
The data actually end up in DB2 (encrypted), but your applications still 
think the data are in VSAM.

If we're talking about VSAM (and remaining in VSAM), as we're assuming, 
then I would echo the earlier comments that recommend using ICSF 
interfaces absent a compelling reason.  There are at least two reasons. 
First, ICSF will try to use underlying hardware crypto assist if it can, 
and that'll help as you change your model over to the z890.  (Just choose 
your algorithm carefully.  I would recommend clear key 3DES.)  Second, 
ICSF manages your encryption keys.  Lose the keys and you lose your data, 
so the keys are very important.  ICSF has a long and distinguished history 
of managing encryption keys safely and securely, including through DR 
episodes.

You can verify the use of the crypto assist hardware when you run the 
usual assortment of activity reports (e.g. RMF) or look at monitoring 
tools (e.g. OMEGAMON).

There is an IBM statement of direction concerning the addition of 
cryptographic features in its TotalStorage products at some point in 2006. 
There may or may not be statements along those lines from other storage 
vendors.  The hardware direction may or may not be relevant to you.  (I 
tend to think it'll be quite useful but that crypto hardware-boosted 
software encryption will still be essential.  And there will be some shops 
that want encryption over the FICON or ESCON cables.)

The IBM Encryption Facility for z/OS is really geared toward tape, 
although it can encrypt sequential files on disk if you wish.  Its primary 
mission is to help protect backup/archive tapes as well as tapes for 
partner exchange.  I've posted a list of tape encryption products in the 
past -- check the archives -- and there are a couple of others that have been 
mentioned since (specifically a CA-BrightStor product and the one from 
OpenTech).  My personal opinion is that any software tape encryption 
product should have two basic features: support for the crypto-assist 
hardware (for performance reasons) and use of ICSF facilities for key 
management (for reliable data recoverability).

Your question is good evidence that every organization will be touched by 
privacy protection concerns either before data loss or, in some cases, 
after.  Since it's already happened, I'm predicting that there will be some 
number of future corporate collapses caused by leakage of private 
information.  I'm glad to hear your company is working ahead of the 
problem proactively.  It's something I'm warning all clients about.

- - - - -
Timothy F. Sipples
Consulting Enterprise Software Architect, z9/zSeries
IBM Japan, Ltd.
E-Mail: [EMAIL PROTECTED]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
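For readers who want to see what the DB2 V8 column-level encryption mentioned in the reply above looks like in practice, here is an added SQL illustration (not from the original post or from IBM). It uses the DB2 for z/OS V8 built-in functions ENCRYPT_TDES (ENCRYPT is a synonym), DECRYPT_CHAR and GETHINT with SET ENCRYPTION PASSWORD; the table, column names, password and hint are hypothetical, and the column length follows the documented sizing rule for the ciphertext.

```sql
-- Added example: DB2 for z/OS V8 column-level encryption.
-- CUSTOMER, SSN_ENC and the password/hint values are hypothetical.

-- Ciphertext is binary and longer than the plaintext: the ENCRYPT_TDES
-- result is the data length plus 8, rounded up to the next 8-byte
-- boundary, plus 32 more bytes if a password hint is stored.
-- An 11-byte SSN with a hint therefore needs VARCHAR(56) FOR BIT DATA.
CREATE TABLE CUSTOMER (
  CUST_ID   INTEGER       NOT NULL PRIMARY KEY,
  NAME      VARCHAR(60)   NOT NULL,
  SSN_ENC   VARCHAR(56)   FOR BIT DATA
);

-- The password is the key and lives only in the session; DB2 does not
-- store it in the table.  Lose it and the column is unrecoverable, which
-- is the key-management point made about ICSF in the reply above.
SET ENCRYPTION PASSWORD = 'Dummy-Passw0rd-For-Demo';

-- Explicit password and hint on the call ...
INSERT INTO CUSTOMER (CUST_ID, NAME, SSN_ENC)
  VALUES (1, 'A. Customer',
          ENCRYPT_TDES('123-45-6789', 'Dummy-Passw0rd-For-Demo', 'demo hint'));

-- ... or rely on the session password set above (no hint stored).
INSERT INTO CUSTOMER (CUST_ID, NAME, SSN_ENC)
  VALUES (2, 'B. Customer', ENCRYPT_TDES('987-65-4321'));

-- A session that knows the password gets the plaintext back.
SELECT CUST_ID, NAME, DECRYPT_CHAR(SSN_ENC) AS SSN
  FROM CUSTOMER;

-- Any session can read the hint, never the value, so keep hints vague.
SELECT CUST_ID, GETHINT(SSN_ENC) AS PW_HINT
  FROM CUSTOMER
 WHERE CUST_ID = 1;

-- Application code that reads SSN_ENC without DECRYPT_CHAR sees only the
-- binary ciphertext, which is what makes the column-level approach
-- "transparent" to tables but not to the programs that consume the column.
SELECT CUST_ID, LENGTH(SSN_ENC) AS CIPHERTEXT_BYTES
  FROM CUSTOMER;
```

The password appears in the SQL text, so statement traces and SQL logs must be treated as sensitive wherever this function is used.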