Thanks. I will raise that as a query. While the DS8K's data is encrypted
using SKLM, this is at rest and not during transmission.

If all data is encrypted before I/O, are there any performance impacts on,
say, Z14s with less capable hardware encryption?

On Thu, Jun 16, 2022 at 4:31 PM Timothy Sipples <sipp...@sg.ibm.com> wrote:

> You can and should *cryptographically* isolate z/OS data sets using z/OS
> Data Set Encryption, preferably with protected key cryptography if
> available. You can find out more about this feature (and how to implement
> it) here:
>
> https://www.ibm.com/docs/en/zos/2.5.0?topic=sets-data-set-encryption
> https://www.redbooks.ibm.com/abstracts/sg248410.html
>
> With z/OS Data Set Encryption any/all encrypted data sets are encrypted
> before I/O. By the time the data (inside the encrypted data sets) reach the
> FICON Express adapters they're already encrypted. These cryptographic
> separation/isolation boundaries are per individual data set if desired, so
> they're highly granular.
>
> Whereupon you can ask *them* why they aren't encrypting all (or most)
> individual files with separate keys (if/as merited), and/or why they're
> using clear key encryption. :-)
>
> — — — — —
> Timothy Sipples
> Senior Architect
> Digital Assets, Industry Solutions, and Cybersecurity
> IBM zSystems/LinuxONE, Asia-Pacific
> sipp...@sg.ibm.com
>
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
