"Pervasive Encryption (uppercase) refers to the "encrypt everything" (even 
multiple times, in multiple encryption layers) operational approach that 
performs extremely well on IBM z14 and second generation LinuxONE machines 
(Emperor II, Rockhopper II), using z/OS Data Set Encryption and/or all other 
available encryption techniques, as applicable. It performs so well that you 
shouldn't have to adjust your service level commitments on these latest 
machines."

Tim,
My understanding is that this was a "hardware" feature and did not depend on 
DFSMS (except possibly as an on/off switch).
In your post you refer to PERVASIVE ENCRYPTION (z/14?) vs pervasive encryption 
(df/SMS).
Can you comment on the prior posts requiring DF/SMS extended format as a 
pre-requisite?

Thanks in advance,

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Timothy Sipples
Sent: Sunday, March 31, 2019 9:32 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Pervasive encryption and batch temporary datasets

Allan Staller wrote:
>(z13?) or z14 processor.  Pervasive encryption handled by hardware

Matthew Donald wrote:
>No, only in the sense that dfsms requires a CEX?S card to be installed.
>Pervasive encryption is supported on z114/196 with a CEX3S or later.
>The encryption is performed by sms, which uses the CPACF instructions
>to perform the actual cipher/decipher operations.

There are a few issues to untangle here.

First of all, we're discussing z/OS Data Set Encryption. z/OS Data Set 
Encryption does not require Crypto Express. You can still use z/OS Data 
Encryption in clear key mode without Crypto Express, and that would be better 
(more secure, ceteris paribus) than not using z/OS Data Encryption at all. IBM 
recommends you use Crypto Express in conjunction with z/OS Data Set Encryption 
to provide key protection, but you shouldn't wait to make forward progress.

As an aside, if you have an IBM z13 or z13s machine but don't have Crypto 
Express features and want them (and a TKE workstation probably), you should 
place an order well before the end of June, 2019, since the End of Marketing 
date is fast approaching. Your other choice is a model upgrade
(MES) to z14, also available from z12 machines.

z/OS Data Set Encryption requires an IBM z196/z114 or subsequent model machine. 
On every IBM Z machine that supports z/OS Data Set Encryption, there is at 
least some hardware exploitation (CPACF).

To my knowledge z/OS Data Set Encryption also functions on ZPDT and IBM Z 
Development and Test Environment (ZDTE), although obviously Crypto Express 
features are not available in those environments and the performance will be 
markedly different. That's no great surprise, I hope. (Has anybody tried this 
yet?)

Pervasive Encryption (uppercase) refers to the "encrypt everything" (even 
multiple times, in multiple encryption layers) operational approach that 
performs extremely well on IBM z14 and second generation LinuxONE machines 
(Emperor II, Rockhopper II), using z/OS Data Set Encryption and/or all other 
available encryption techniques, as applicable. It performs so well that you 
shouldn't have to adjust your service level commitments on these latest 
machines.

You *can* pervasively encrypt (lowercase) on earlier models, but there is some 
processing overhead. The older the model, the more overhead there's likely to 
be. Consequently "Pervasive Encryption" (uppercase) applies only to the current 
machines, in IBM's view anyway. IBM is drawing this distinction based on the 
service level neutrality I just mentioned, but you shouldn't view IBM's 
distinction as an inhibitor. You'll just want to be a little careful about 
measuring impacts but still at least selectively encrypt. Remember, forward 
progress is better than no progress. Do what you can as soon as you can to 
improve your security posture.

Anyway, here we're discussing z/OS Data Set Encryption which, if running on an 
IBM z14 machine with z/OS, is a super important part of Pervasive Encryption.

Does all that make sense, or should I elaborate on any particular points?
As a reminder (even if I don't mention it always), my words are my own, not 
IBM's.

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE
--------------------------------------------------------------------------------------------------------

E-Mail: sipp...@sg.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN