This is up to the user.
IBM *strongly recommends* the key should be kept as secure.
However, for non-production environments it is possible to use Pervasive Encryption without CryptoExpress cards. It's fine that you don't have to buy yet another CEXC.

BTW: Pervasive Encryption is never serviced by CryptoExpress cards and secure keys. For performance reasons it is serviced by CPACF and protected key. A CryptoExpress CCA Coprocessor is needed only to keep the dataset key safe (encrypted using MK) in CKDS.

Note: Protected key is neither secure key nor clear key. Technically it is not clear, but the way the key is protected is not certified by authorities and standards.

--
Radoslaw Skorupka
Lodz, Poland




On 09.06.2022 at 13:35, Lennie Dymoke-Bradshaw wrote:
I was under the impression that there is no technical requirement for the key 
to be a secure key. So data encryption can be used with clear keys in the CKDS 
when a Crypto Express is not available.

Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Mark Jacobs
Sent: 09 June 2022 01:48
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encrypted dataset - any eye catcher?

I found this in a 2017 IBM Security presentation. So it looks like it's XTS-AES.

Key label: 64-byte label of an existing key in the ICSF CKDS used for access 
method encryption/decryption. Encryption type: AES-256 bit data key (XTS, 
protected key). Note: AES-256 key must be generated as a secure key (i.e. 
protected by crypto express AES Master Key)

Mark Jacobs

Sent from ProtonMail, Swiss-based encrypted email.

GPG Public Key - 
https://api.protonmail.ch/pks/lookup?op=get&search=markjac...@protonmail.com


------- Original Message -------
On Wednesday, June 8th, 2022 at 8:38 PM, Phil Smith III <li...@akphs.com> wrote:


Radoslaw's question makes me ask a pure curiosity question: what AES
mode is used by z/OS data set encryption? I Googled but all I found
was "256-bit AES", which doesn't answer the question.




----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
