Hi Colin,

Best way probably varies depending on the use case, but basically you have two choices: public or private key cryptography. With private key (aka symmetric) the same key is used to encrypt and decrypt, and the key must be securely shared among business partners (a vulnerability). Pervasive or z/OS data set encryption uses private key encryption.

With the public key model (aka asymmetric) a key pair is generated and the keys are mathematically related; this enables the secure sharing of a public key with another organization. Public key cryptography is quite elegant IMO and solves your chicken/egg issue. There are many more moving parts (see the latest draft of RFC 4880 for a look under the OPGP hood), but most implementations do a good job of hiding extraneous stuff. OpenPGP and OpenSSL are crypto systems based on the public key model. Secure email systems typically use one of these.

A decent public key intro lives here: https://en.wikipedia.org/wiki/Public-key_cryptography. Charles Mills gave an xlnt presentation which included coverage of the public key model in Oct 2020... https://www.newera-info.com/CM1.html

HTH,
Mike

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Colin Paice
Sent: Thursday, July 22, 2021 10:08 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: How should I send file to another sysplex securely.

I was wondering the best way customers send sensitive data between z/OS images. I was thinking about exporting one's private certificates.

1. I can create a dataset of the private certificates on system 1 and have it encrypted. I can send it to the other system. How can I decrypt it on the remote system as it needs shared certificates? It seems a chicken and egg problem.
2. I can put a password on the file through JCL and use FTPS to send it. This could easily be broken.

This is hypothetical, but I would be interested in how to do it.

Colin Paice

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
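
The public-key exchange described in the reply above, sketched with the openssl command line as an added example that is not part of the original thread: the receiving system generates the key pair, so only a public key and ciphertext ever travel between systems. The function names, file names and the RSA-3072/AES-256 choices are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); all file names are constructed.

# Receiver (system 2): create the key pair. Only pub.pem leaves this system.
receiver_keygen() (   # $1 = receiver's private directory
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$1/priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
)

# Both sides: SHA-256 fingerprint of the public key, to be compared over a
# separate channel so the sender knows the key really is the receiver's.
pub_fingerprint() {   # $1 = public key PEM
    openssl pkey -pubin -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Sender (system 1): encrypt the file under a fresh random session key, then
# wrap that key with the receiver's public key. The clear session key is kept
# outside the transfer directory and deleted afterwards.
sender_encrypt() (    # $1 = receiver pub.pem, $2 = plaintext, $3 = transfer dir
    umask 077
    key=$(mktemp) || exit 1
    openssl rand -hex 32 > "$key" &&
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$2" -out "$3/payload.enc" \
        -pass "file:$key" &&
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$key" -out "$3/session.key.enc"
    rc=$?
    rm -f "$key"
    exit $rc
)

# Receiver: unwrap the session key with the private key, then decrypt.
# Note: `openssl enc` in CBC mode gives confidentiality only; a production
# transfer would also carry a sender signature to detect tampering.
receiver_decrypt() (  # $1 = priv.pem, $2 = transfer dir, $3 = output file
    umask 077
    key=$(mktemp) || exit 1
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2/session.key.enc" -out "$key" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$2/payload.enc" -out "$3" \
        -pass "file:$key"
    rc=$?
    rm -f "$key"
    exit $rc
)
```

Typical order of use: `receiver_keygen` on system 2, compare `pub_fingerprint` output on both systems, `sender_encrypt` on system 1, transfer the directory, then `receiver_decrypt` on system 2.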