This is up to the user.
IBM *strongly recommends* the key should be kept as secure.
However, for non-production environments it is possible to use Pervasive
Encryption without CryptoExpress cards. It's fine that you don't have to
buy yet another CEXC.
BTW: Pervasive Encryption is never serviced by CryptoExpress cards and
secure keys. Due to performance reasons it is serviced by CPACF and
protected key. CryptoExpress CCA Coprocessor is needed only to keep the
dataset key safe (encrypted using MK) in CKDS.
Note: A protected key is neither a secure key nor a clear key. Technically it
is not clear, but the way of protecting the key is not certified by
authorities and standards.
--
Radoslaw Skorupka
Lodz, Poland
On 09.06.2022 at 13:35, Lennie Dymoke-Bradshaw wrote:
I was under the impression that there is no technical requirement for the key
to be a secure key. So data encryption can be used with clear keys in the CKDS
when a Crypto Express is not available.
Lennie Dymoke-Bradshaw
https://rsclweb.com
‘Dance like no one is watching. Encrypt like everyone is.’
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of
Mark Jacobs
Sent: 09 June 2022 01:48
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Encrypted dataset - any eye catcher?
I found this in a 2017 IBM Security presentation. So it looks like it's XTS-AES.
Key label: 64-byte label of an existing key in the ICSF CKDS used for access
method encryption/decryption. Encryption type: AES-256 bit data key (XTS,
protected key). Note: AES-256 key must be generated as a secure key (i.e.
protected by crypto express AES Master Key)
Mark Jacobs
Sent from ProtonMail, Swiss-based encrypted email.
GPG Public Key -
https://api.protonmail.ch/pks/lookup?op=get&search=markjac...@protonmail.com
------- Original Message -------
On Wednesday, June 8th, 2022 at 8:38 PM, Phil Smith III <li...@akphs.com> wrote:
Radoslaw's question makes me ask a pure curiosity question: what AES
mode is used by z/OS data set encryption? I Googled but all I found
was "256-bit AES", which doesn't answer the question.