Re: Crypto-DASD?

[Scott T. Harder]

Ron,

Can't disagree with a thing you said.  Not sure where I've argued to the
other side of any of this.  

Thanks!

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph:   239-649-1548 / Ext. 203
Fax:  239-649-6391
General Support Email:  aspgt...@aspg.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Ron Hawkins
Sent: Thursday, February 12, 2009 5:57 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Scott,

Has your Storage Vendor ever replaced a failed or failing drive? Do you
know where that drive is now?

I know of several customer that purchase and stored their failed drives
because they cannot be erased using commercial software once they stop
working. I also know of one customer that has an annual "bash and burn"
session. 

A normal DASD init does not securely overwrite data on the disk drive.
It is no longer easy to read, but neither is it completely masked.
Writing over a track on disk is like driving over someone else's tire
tracks - you never completely cover up the first set of tracks unless
you drive over them a few times. 

Secure Erasure is built into the latest HDS controllers, or you can use
software like the FDR/ERASE. However, that doesn't protect data on
replaced drives, hence the requests by customers for vendors to look at
encryption of data at rest.

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of
> Eric Bielefeld
> Sent: Tuesday, February 10, 2009 11:31 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: [IBM-MAIN] Crypto-DASD?
> 
> Scott,
> 
> I still can't see why if you have a box in your datacenter, that will
never
> leave your datacenter until after its useful life is over, should be
> encrypted.  How are you going to access that data accept by the z/OS
operating
> system?  That's why we have security systems.  When the box is done,
and you
> sell it or scrap it, you can always initialize all the disks.
> 
> I asked my boss at P&H Mining if he wanted me to init all the disks,
or if he
> just wanted to let Hitachi do the initialize they do whenever a box is
sold,
> and he said just let Hitachi do it.  There was sensitive data in many
files,
> but I highly doubt if anyone could have recovered any of it after it
was
> initialized by Hitachi.  This was when P&H shut down z/OS for good.
> 
> I can see the value of encrypting data on PC hard drives, after all of
the
> problems people have had with stolen PCs with sensitive data on them,
but
> mainframe dasd?  I just can't see it, or any regulations requiring it.
> 
> Eric
> 
> --
> Eric Bielefeld
> Systems Programmer
> Washington University
> St Louis, Missouri
> 314-935-3418
> 
>  "Scott T. Harder"  wrote:

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Scott T. Harder]

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph:   239-649-1548 / Ext. 203
Fax:  239-649-6391
General Support Email:  aspgt...@aspg.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Russell Witt
Sent: Wednesday, February 11, 2009 4:42 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Scott,

>Okay, if you think data stored on disk is "data at rest"; please define
>"disk". Does a SSD (Solid-State Drive) count as a disk drive? What
about a
>RAM drive (using either SRAM or DRAM)? If a RAM drive using SRAM or
DRAM is
>a disk; then what is the difference between a RAM drive and memory in a
>computer?

I think what the regs mean by "data at rest" is "where the data lives"
or "it's home location".  As you say, the term "disk" is quite
interchangeable these days. 
 
>And of course as Phil said, the decryption should not be done on an
>"automatic" basis; but rather based on rules. And who will control
those
>rules; the external-security system. So, if the external-security
system
>will control who can access the data via automatic decryption; how is
that
>different than having the external-security system control access to
the
>data in the first place.

Agreed.  But is access to encryption keys (whether stored in ICSF
hardware or otherwise) not controlled by the security system (CSFKEYS /
CSFSERV)??  I think you could make this argument about any data you
encrypt on the system.  If you have the key, you can get to the
cleartext and access to the key is controlled by RACF, CA-ACF2, CA-TSS,
etc.

>Just my opinion, but PCI really needs to do a better job of defining
what
>needs to be done.

This is the real rub of it all, isn't it?  Absolutely agreed.

Thanks!
Scott


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu]on
Behalf Of Scott T. Harder
Sent: Wednesday, February 11, 2009 11:46 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?


Now, that's what I'm talkin' about.  Thanks, Timothy, for the info.

FWIW... to me, data stored on disk is data at rest.  It may not be all
the time, but I think that the intent of that phrase, as used in the
regulations, is pretty clear.  Whether they were correct in using it can
be argued, for sure, but

Thanks to everyone.  

Scott T. Harder

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Ron Hawkins]

Russell,

I'm not familiar with the wording of the standard, but it seems to me that
data at rest can be defined as data stored at its ultimate media location.
To this end data in cache, data in channels and memory, etc is not at rest
because it requires further handling or processing before it reaches the
ultimate storage media location - disk, tape, or flashdrive.

For most disk arrays this means Encrypt/Decrypt of the data occurs as it is
moves between the cache to the drive. Any overhead will be carried by the
Cipher ASIC, and will not affect the line speed of the FCAL, SATA or SAS
interface used to access the drives. Any degradation would depend on the
where and how the ASIC for is situated in the processor path to the storage
media, and would mainly affect read cache misses, write destage, and
sequential pre-fetch.

As for rules, my take on this is that if 2 out of 10 applications require
encryption, and the most cost effective way to do it is to store it all as
encrypted, then what rule has been broken?

I don't think that the standard is intended to grant or deny access to data,
but rather to deny access to data on storage media when it is removed from
those access security controls.

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of
> Russell Witt
> Sent: Wednesday, February 11, 2009 1:42 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: [IBM-MAIN] Crypto-DASD?
> 
> Scott,
> 
> Okay, if you think data stored on disk is "data at rest"; please define
> "disk". Does a SSD (Solid-State Drive) count as a disk drive? What about a
> RAM drive (using either SRAM or DRAM)? If a RAM drive using SRAM or DRAM
is
> a disk; then what is the difference between a RAM drive and memory in a
> computer?
> 
> And of course as Phil said, the decryption should not be done on an
> "automatic" basis; but rather based on rules. And who will control those
> rules; the external-security system. So, if the external-security system
> will control who can access the data via automatic decryption; how is that
> different than having the external-security system control access to the
> data in the first place.
> 
> Just my opinion, but PCI really needs to do a better job of defining what
> needs to be done.
> 
> But again, just my 2-cents
> Russell
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Ron Hawkins]

Scott,

Has your Storage Vendor ever replaced a failed or failing drive? Do you know 
where that drive is now?

I know of several customer that purchase and stored their failed drives because 
they cannot be erased using commercial software once they stop working. I also 
know of one customer that has an annual "bash and burn" session. 

A normal DASD init does not securely overwrite data on the disk drive. It is no 
longer easy to read, but neither is it completely masked. Writing over a track 
on disk is like driving over someone else's tire tracks - you never completely 
cover up the first set of tracks unless you drive over them a few times. 

Secure Erasure is built into the latest HDS controllers, or you can use 
software like the FDR/ERASE. However, that doesn’t protect data on replaced 
drives, hence the requests by customers for vendors to look at encryption of 
data at rest.

Ron

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
> Eric Bielefeld
> Sent: Tuesday, February 10, 2009 11:31 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: [IBM-MAIN] Crypto-DASD?
> 
> Scott,
> 
> I still can't see why if you have a box in your datacenter, that will never
> leave your datacenter until after its useful life is over, should be
> encrypted.  How are you going to access that data accept by the z/OS operating
> system?  That's why we have security systems.  When the box is done, and you
> sell it or scrap it, you can always initialize all the disks.
> 
> I asked my boss at P&H Mining if he wanted me to init all the disks, or if he
> just wanted to let Hitachi do the initialize they do whenever a box is sold,
> and he said just let Hitachi do it.  There was sensitive data in many files,
> but I highly doubt if anyone could have recovered any of it after it was
> initialized by Hitachi.  This was when P&H shut down z/OS for good.
> 
> I can see the value of encrypting data on PC hard drives, after all of the
> problems people have had with stolen PCs with sensitive data on them, but
> mainframe dasd?  I just can't see it, or any regulations requiring it.
> 
> Eric
> 
> --
> Eric Bielefeld
> Systems Programmer
> Washington University
> St Louis, Missouri
> 314-935-3418
> 
>  "Scott T. Harder"  wrote:

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Russell Witt]

Scott,

Okay, if you think data stored on disk is "data at rest"; please define
"disk". Does a SSD (Solid-State Drive) count as a disk drive? What about a
RAM drive (using either SRAM or DRAM)? If a RAM drive using SRAM or DRAM is
a disk; then what is the difference between a RAM drive and memory in a
computer? 

And of course as Phil said, the decryption should not be done on an
"automatic" basis; but rather based on rules. And who will control those
rules; the external-security system. So, if the external-security system
will control who can access the data via automatic decryption; how is that
different than having the external-security system control access to the
data in the first place.

Just my opinion, but PCI really needs to do a better job of defining what
needs to be done.

But again, just my 2-cents
Russell

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu]on
Behalf Of Scott T. Harder
Sent: Wednesday, February 11, 2009 11:46 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?


Now, that's what I'm talkin' about.  Thanks, Timothy, for the info.

FWIW... to me, data stored on disk is data at rest.  It may not be all
the time, but I think that the intent of that phrase, as used in the
regulations, is pretty clear.  Whether they were correct in using it can
be argued, for sure, but

Thanks to everyone.  

Scott T. Harder

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Scott T. Harder]

Now, that's what I'm talkin' about.  Thanks, Timothy, for the info.

FWIW... to me, data stored on disk is data at rest.  It may not be all
the time, but I think that the intent of that phrase, as used in the
regulations, is pretty clear.  Whether they were correct in using it can
be argued, for sure, but

Thanks to everyone.  

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph:   239-649-1548 / Ext. 203
Fax:  239-649-6391
General Support Email:  aspgt...@aspg.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Timothy Sipples
Sent: Wednesday, February 11, 2009 8:29 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

Yes, IBM announced full disk encryption for several DS8000 series
storage
models:

http://www.ibm.com/common/ssi/rep_ca/0/897/ENUS109-120/ENUS109-120.PDF

Lots of other interesting stuff in that announcement (and other
announcements on February 10th), including Solid State Disk (SSD)
support.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy.sipp...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Roach, Dennis (N-GHG)]

Back when a disk drive was a single entity we used CDEP (certified data
erasure program/product) to clear data to DOD specifications. 
Then IKCDSF with the correct parameters could do the job and CDEP went
away. 
Then came the array DASD and no more disk drives as we knew them. Data
was compressed and striped across several drives and you had to have a
map to determine which ones and in what order. This was good in that
when one failed, a spare took over and the "lost" data was rebuilt on
the spare. The failed drive was hot-swapped and no outage taken. The
vendor could take the drive without worry of data exposure because the
collection of bits made no sense without the map and other drives. 
Releasing the box is still a problem. Most vendors have the ability to
clear the drives to DOD standards. If you are concerned about the date,
the fee is probably worth it. 
The only other solutions are to magnetically erase the data - vendors do
not like this as it can damage other electronics.  
The other solution is to pull the drives and have a lieutenant watch a
group of privets with sledge hammers take out their frustrations on the
drives. Really hated by vendors, but I have used it in the past.

Dennis Roach
GHG Corporation
Lockheed Marten Mission Services
FDOC Contract
2100 Space Park Drive
LM-15-4BH
Houston, Texas 77058
Voice:   (281) 336-5027
Cell:(713) 591-1059
Fax: (281) 336-5410
E-Mail:  dennis.ro...@lmco.com

All opinions expressed by me are mine and may not agree with my employer
or any person, company, or thing, living or dead, on or near this or any
other planet, moon, asteroid, or other spatial object, natural or
manufactured, since the beginning of time.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
> Behalf Of Tom Marchant
> Sent: Tuesday, February 10, 2009 2:53 PM
> >
> >When the box is done, and you sell it or scrap it, you can always
> >initialize all the disks.
> 
> Search the archives.  The topic of effectively erasing the data on
DASD
> has come up several times over the years.
> 
> Tom Marchant
> 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Timothy Sipples]

Yes, IBM announced full disk encryption for several DS8000 series storage
models:

http://www.ibm.com/common/ssi/rep_ca/0/897/ENUS109-120/ENUS109-120.PDF

Lots of other interesting stuff in that announcement (and other
announcements on February 10th), including Solid State Disk (SSD) support.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy.sipp...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Phil Smith]

On Tue, Feb 10, 2009 at 1:48 PM, Bohn, Dale  wrote:
> Encrypted DASD is seen by some as a simple solution to the PCI standard
> requiring the PAN (credit card number) to be encrypted when the data is at
> rest ( written to media). It would not require alteration of either system or
> application software to implement. Several vendors are working on this, but
> are waiting for the adoption of the IEEE standard on key management.

And of course they're wrong -- encrypted DASD does not meet the requirements of 
PCI, which include role-based access control. If the data is automatically 
decrypted on access, then there's no additional security from the PCI 
perspective. The only added security, as others have noted, is that if you 
accidentally leave your DS8100 at the airline gate, the kid who finds it can't 
trivially read the VSAM data ... ;-)

(And no, I'm not suggesting that you, Dale, thought it was a real solution!)


Since Scott Harder started mentioning products, I'll add that Voltage 
SecureData provides full PCI-compliant encryption -- without requiring changes 
to most applications or to database schema.
-- 
...phsiii

Phil Smith III
p...@voltage.com
Voltage Security, Inc.
www.voltage.com
(703) 476-4511 (home office)
(703) 568-6662 (cell)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[R.S.]

Thompson, Steve wrote:
[...]

Well, it seems that there are some requirements (by Auditors?) to have
data encrypted on DASD. Something about belt-suspenders kinda thing.


Well, we often hear about completely stupid auditor requirements. (Of 
course it doesn't mean that all requirements are unreasonable.)




While I might have access to a file, I do not have authority to know its
specific contents. My reason for having access is so that I may delete,
define, etc. the container (DSN), but I am not specifically authorized
to know the contents.

RACF, TSS, and ACF2, to my knowledge, do not give that kind of access.


Yes, they give. For example see DASDVOL class. Last, but not least: if 
you really want to see part of file content, i.e. given fields of record 
or selected records - then you don't need access to the file. You need 
access to *application* which in turn has the access to the file. But 
the application filters data you can see.




Think PINs, medical info, SSNs, and other sensitive data that can be
contained in files of, say, Hospital, Court System, Credit Card
Processor, etc.


Sensitivity of data has nothing to do. The methods and techniques 
remains the same.



When I teach RACF classes always start with the following "layers" of 
security (in a few words):


1. Physical security - devices have to be secured. Even encrypted disk - 
when stolen - does not work (think about DOS attack). For unencrypted 
media and cable transmission physical security is even more important. 
Maybe that's why our datacenters are not wide open... 


2. System integrity. Before I use any of the rules provided by RACF I 
have to be sure that any program(mer) can bypass these rules by 
"hacking" the system.


3. Resource access control. RACF, ACF2, other. Here we decide that 
program(mer) who wants access some data is able to do that. Want to 
browse SYS1.PAYROLL ? No problem as long as you are authorized to.


4. Encryption.
No RACF rule, no system integrity can prevent tape from being stolen and 
read. No method to prohibit out-of-the-building data transmission from 
being tapped. The only known way is to make the data unreadable.



And now we can decide what layer will be used for our DASD: 1. or 4.
Is my DASD well protected by physical means ?
If not then encryption is a must. For notebooks it seems obvious. But 
for DASD arrays residing in well protected datacenter? I doubt.


One could say "why not combine 1. and 4. - it doesn't hurt". 
Unfortunately *it hurts*. It hurts performance. We want our DASD to be 
*fast*, so encryption of data stream could be a bottleneck.


There is still issue of DASD withdrawal. Encryotion ...does not help to 
much! Encryption means you need at most n hours of time to decrypt 
it using brut-force method, doesn't it? So I would want to wipe out data 
from disk platters doesn't matter it is encrypted or not. OK, it does 
matter: leaving unencrypted data is a crime, leaving encrypted data is 
minor security breach.


Regards
--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2008 r. kapita zakadowy BRE Banku SA  wynosi 
118.642.672 zote i zosta w caoci wpacony.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[R.S.]

Tom Marchant wrote:

On Tue, 10 Feb 2009 13:04:42 -0600, Hal Merritt wrote:

Every record of every file is in a unpublished, often proprietary  format.


Security by obscurity?  It often is easy to figure out.


Agreed. Security by obscurity is no security. Encryption is not 
obscurity (known, proved algorithm, secret key).


The data is then compressed and written in yet another proprietary 
format over several physical devices.


Iceberg and RVA compress data.  Other DASD subsystems don't, AFAIK.  Does
STK still market the SVA?


Yes, but it's Sun now. SVA is still produced because this is the same 
box which works as VSM (kind of virtual tape server).




--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2008 r. kapita zakadowy BRE Banku SA  wynosi 
118.642.672 zote i zosta w caoci wpacony.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Rob Schramm]

Excellent point.  I guess 10,000 rpm might mean that the data is still 
"moving".



.. must... be .. fly on wall.. during PCI auditor exchange concerning "at 
rest" with Russell explaining. 

I suppose that "at rest" is at best a relative concept.  Since everything 
is always moving... even if cooled to absolute zero... still moving thru 
space.

Cheers,
Rob Schramm



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Russell Witt]

There is the real issue. The PCI standard required that data needs to be
encrypted when the "data is at rest". But of course, they do NOT define what
"data is at rest" means. Some say "written to any media"; but that is NOT
what the PCI standard says. If it did, then no question. But the PCI
standard says to encrypt "data at rest". Is online DASD "at rest"? In my
opinion (and this is strictly my own personal opinion) is no. To my way of
thinking, "data at rest" would imply it is on some type of removable media
that is not cable-attached directly to a machine.

For example, data on a tape/cartridge? Definitely at-rest.

Data on a USB thumb drive? Definitely at-rest.

Data on a laptop that is powered off? Ah, this gets harder. My opinion, yes.

Data on a dasd device in a secure location that is cable attached to a
mainframe? Again, in my opinion no.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu]on
Behalf Of Bohn, Dale
Sent: Tuesday, February 10, 2009 12:48 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?


Encrypted DASD is seen by some as a simple solution to the PCI standard
requiring the PAN (credit card number) to be encrypted when the data is at
rest ( written to media). It would not require alteration of either system
or
application software to implement. Several vendors are working on this, but
are waiting for the adoption of the IEEE standard on key management.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Scott T. Harder]

I really didn't want this to turn into an argument over whether this is
necessary.  Sarbanes Oxley, PCI, and other government regulations say
it's necessary to comply, so anyone needing to comply with a whole host
of these regs has the need to encrypt data at rest.  Now... you don't
need DASD that has encryption built-in to do it, of course.  

In fact, you could purchase MegaCryption from ASPG, Inc. and use it very
nicely *and* get the additional benefits of being able to use it for B2B
exchange of encrypted data, as well as to easily encrypt DSS and/or
CA-DISK backups; all taking advantage of ICSF and/or CPACF hardware when
it makes sense to do so.  ;-)

Sorry... I couldn't resist.

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph:   239-649-1548 / Ext. 203
Fax:  239-649-6391
General Support Email:  aspgt...@aspg.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Hal Merritt
Sent: Tuesday, February 10, 2009 2:05 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

I been reading about such, but only in a PC context.

IMNSHO, DASD encryption does not add any real security value. Every
record of every file is in a unpublished, often proprietary  format. The
data is then compressed and written in yet another proprietary format
over several physical devices. Encrypted data would defeat most all
compression algorithms, increasing raw storage requirements
substantially. That's serious dollars to mitigate a near nonexistent
threat. 

Encryption is being pushed by auditors in response to sensitive data on
PC hard drives.


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Scott T. Harder
Sent: Tuesday, February 10, 2009 11:23 AM
To: IBM-MAIN@bama.ua.edu
Subject: Crypto-DASD?

Just curious if anyone has heard anything about new DASD coming out any
time soon (or not so soon) that will have encryption built in, where
anything written to a volume on a unit supporting this would
automatically get encrypted; and decrypted when read, of course.

 

Thanks!

Scott

 

Scott T. Harder

Tech Support & Product Development

ASPG, Inc.

Ph:   239-649-1548 / Ext. 203

Fax:  239-649-6391

General Support Email:  aspgt...@aspg.com

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
NOTICE: This electronic mail message and any files transmitted with it
are intended
exclusively for the individual or entity to which it is addressed. The
message, 
together with any attachment, may contain confidential and/or privileged
information.
Any unauthorized review, use, printing, saving, copying, disclosure or
distribution 
is strictly prohibited. If you have received this message in error,
please 
immediately advise the sender by reply email and delete all copies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Tom Marchant]

On Tue, 10 Feb 2009 13:04:42 -0600, Hal Merritt wrote:
>
>Every record of every file is in a unpublished, often proprietary  format.

Security by obscurity?  It often is easy to figure out.

>The data is then compressed and written in yet another proprietary 
>format over several physical devices.

Iceberg and RVA compress data.  Other DASD subsystems don't, AFAIK.  Does
STK still market the SVA?

>Encrypted data would defeat most all compression algorithms, 
>increasing raw storage requirements substantially.

That would only apply if the compression was done after the encryption.  If
it was compressed first, then encrypted, it would not.  

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Tom Marchant]

On Tue, 10 Feb 2009 19:31:16 +, Eric Bielefeld wrote:
>
>When the box is done, and you sell it or scrap it, you can always 
>initialize all the disks.

Search the archives.  The topic of effectively erasing the data on DASD has
come up several times over the years.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Thompson, Steve]

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of John McKown
Sent: Tuesday, February 10, 2009 1:48 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crypto-DASD?

On Tue, 10 Feb 2009 19:31:16 +, Eric Bielefeld

wrote:

>Scott,
>

>I can see the value of encrypting data on PC hard drives, after all of
the
problems people have had with stolen PCs with sensitive data on them,
but
mainframe dasd?  I just can't see it, or any regulations requiring it.
>
>Eric
>
>--
>Eric Bielefeld

And there you have it, my friend. People can understand why it is a good
idea on a PC. Therefore it is a good idea everywhere. After all, "there
is
no difference, right?" Management by fiat (I wonder what the Fiat
management
thinks about that statement). Don't think about differences. One size
fits
all. Manage everything consistently, even if it doesn't really make
sense
technically.



Well, it seems that there are some requirements (by Auditors?) to have
data encrypted on DASD. Something about belt-suspenders kinda thing.
While I might have access to a file, I do not have authority to know its
specific contents. My reason for having access is so that I may delete,
define, etc. the container (DSN), but I am not specifically authorized
to know the contents.

RACF, TSS, and ACF2, to my knowledge, do not give that kind of access.

Think PINs, medical info, SSNs, and other sensitive data that can be
contained in files of, say, Hospital, Court System, Credit Card
Processor, etc.

Regards,
Steve Thompson

-- Opinions expressed by this poster may or may not reflect those of
poster's employer. --

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[John McKown]

On Tue, 10 Feb 2009 19:31:16 +, Eric Bielefeld 
wrote:

>Scott,
>

>I can see the value of encrypting data on PC hard drives, after all of the
problems people have had with stolen PCs with sensitive data on them, but
mainframe dasd?  I just can't see it, or any regulations requiring it.
>
>Eric
>
>--
>Eric Bielefeld

And there you have it, my friend. People can understand why it is a good
idea on a PC. Therefore it is a good idea everywhere. After all, "there is
no difference, right?" Management by fiat (I wonder what the Fiat management
thinks about that statement). Don't think about differences. One size fits
all. Manage everything consistently, even if it doesn't really make sense
technically.

In the past, here, there was a pseudo-rule for us in IT. "Never come in a
little late or leave a little early. Always come in at least an hour late or
leave an hour early." Why? Because we have hourly employees who would scream
like a gut-shot panther if they saw anybody come in a bit late or leave a
little early. Even if that somebody worked 5 hours overtime the previous day.

--
John

--
John

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Eric Bielefeld]

Scott,

I still can't see why if you have a box in your datacenter, that will never 
leave your datacenter until after its useful life is over, should be encrypted. 
 How are you going to access that data accept by the z/OS operating system?  
That's why we have security systems.  When the box is done, and you sell it or 
scrap it, you can always initialize all the disks.  

I asked my boss at P&H Mining if he wanted me to init all the disks, or if he 
just wanted to let Hitachi do the initialize they do whenever a box is sold, 
and he said just let Hitachi do it.  There was sensitive data in many files, 
but I highly doubt if anyone could have recovered any of it after it was 
initialized by Hitachi.  This was when P&H shut down z/OS for good.

I can see the value of encrypting data on PC hard drives, after all of the 
problems people have had with stolen PCs with sensitive data on them, but 
mainframe dasd?  I just can't see it, or any regulations requiring it.

Eric

--
Eric Bielefeld
Systems Programmer
Washington University
St Louis, Missouri
314-935-3418

 "Scott T. Harder"  wrote: 
> Hi Eric,
> 
> I think the main reason would be to comply with govt. regulations that
> say "thow must encrypteth data at rest that contains personal/private
> information".  Credit card numbers, medical records... the usual stuff.
> 
> 
> Now it won't help B2B exchange; only situations where a company is
> required to encrypt data where it lives.  It will automatically be
> encrypted and decrypted; I imagine via a symmetric key stored in the
> hardware.  It could be good, also, for DR situations where data is
> mirrored to DASD at the DR site.  Not sure why there, because nobody
> seems worried about data mirrored to offsite disk, where they are very
> worried about tape during transport.  But, again, if the requirement is
> that the data at rest be encrypted, then that requirement - I would
> think - would extend to DR sites, as well.
> 
> I asked the original question only because I had heard that crypto-DASD
> was coming next (after the tape hardware encryption, which is obviously
> already in the field).  I haven't been able to find any information on
> the crypto-DASD topic, so I just thought I'd see what the list had
> heard.  Just fishing.
> 
> Thanks!
> Scott   
> 
> Scott T. Harder
> Tech Support & Product Development
> ASPG, Inc.
> Ph:   239-649-1548 / Ext. 203
> Fax:  239-649-6391
> General Support Email:  aspgt...@aspg.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Hal Merritt]

I been reading about such, but only in a PC context.

IMNSHO, DASD encryption does not add any real security value. Every record of 
every file is in a unpublished, often proprietary  format. The data is then 
compressed and written in yet another proprietary format over several physical 
devices. Encrypted data would defeat most all compression algorithms, 
increasing raw storage requirements substantially. That's serious dollars to 
mitigate a near nonexistent threat. 

Encryption is being pushed by auditors in response to sensitive data on PC hard 
drives.


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Scott T. Harder
Sent: Tuesday, February 10, 2009 11:23 AM
To: IBM-MAIN@bama.ua.edu
Subject: Crypto-DASD?

Just curious if anyone has heard anything about new DASD coming out any
time soon (or not so soon) that will have encryption built in, where
anything written to a volume on a unit supporting this would
automatically get encrypted; and decrypted when read, of course.

 

Thanks!

Scott

 

Scott T. Harder

Tech Support & Product Development

ASPG, Inc.

Ph:   239-649-1548 / Ext. 203

Fax:  239-649-6391

General Support Email:  aspgt...@aspg.com

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
NOTICE: This electronic mail message and any files transmitted with it are 
intended
exclusively for the individual or entity to which it is addressed. The message, 
together with any attachment, may contain confidential and/or privileged 
information.
Any unauthorized review, use, printing, saving, copying, disclosure or 
distribution 
is strictly prohibited. If you have received this message in error, please 
immediately advise the sender by reply email and delete all copies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Jim Wangler]

We had the same question about a year ago, and the only answer we could find
was two pieces of hardware  The first box was essentially an escon/ficon
converter that could emulate 3390's on SAN storage.  The second box sat
between the first box and the SAN storage and did the encrypt/decrypt.

The doc said it would work, so it must, but we never had to try it.  


Jim Wangler 
214-502-6445
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of Scott T. Harder
Sent: Tuesday, February 10, 2009 11:23 AM
To: IBM-MAIN@bama.ua.edu
Subject: Crypto-DASD?

Just curious if anyone has heard anything about new DASD coming out any time
soon (or not so soon) that will have encryption built in, where anything
written to a volume on a unit supporting this would automatically get
encrypted; and decrypted when read, of course.

 

Thanks!

Scott

 

Scott T. Harder

Tech Support & Product Development

ASPG, Inc.

Ph:   239-649-1548 / Ext. 203

Fax:  239-649-6391

General Support Email:  aspgt...@aspg.com

 


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the
archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Bohn, Dale]

Encrypted DASD is seen by some as a simple solution to the PCI standard 
requiring the PAN (credit card number) to be encrypted when the data is at 
rest ( written to media). It would not require alteration of either system or 
application software to implement. Several vendors are working on this, but 
are waiting for the adoption of the IEEE standard on key management.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Lizette Koehler]

Is it so some hardware vendor to make more money by offering DASD Encryption?  
Sort of like when you buy a new car and they offer to undercoat your car for a 
price?

Lizette

> 
> I haven't heard anything about this new dasd, but I have a question.  Why 
> would you
> want everything encrypted?  If you have a dasd box in your datacenter, what 
> is the
> reason to encrypt all your data?  I can see that maybe for mirroring where 
> the data
> gets sent long distances over communication lines, but why would the average
> datacenter need this?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Scott T. Harder]

"I asked the original question only because I had heard that crypto-DASD
was coming next (after the tape hardware encryption, which is obviously
already in the field).  I haven't been able to find any information on
the crypto-DASD topic, so I just thought I'd see what the list had
heard.  Just fishing."

Of course, if you are under any kind of NDA or CDA, I don't want to hear
from you.  ;-)

Thanks!
Scott   

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph:   239-649-1548 / Ext. 203
Fax:  239-649-6391
General Support Email:  aspgt...@aspg.com


-Original Message-
From: eric-ibmm...@wi.rr.com [mailto:eric-ibmm...@wi.rr.com] 
Sent: Tuesday, February 10, 2009 12:58 PM
To: IBM Mainframe Discussion List
Cc: Scott T. Harder
Subject: Re: Crypto-DASD?

I haven't heard anything about this new dasd, but I have a question.
Why would you want everything encrypted?  If you have a dasd box in your
datacenter, what is the reason to encrypt all your data?  I can see that
maybe for mirroring where the data gets sent long distances over
communication lines, but why would the average datacenter need this?

Eric

--
Eric Bielefeld
Systems Programmer
Washington University
St Louis, Missouri
314-935-3418

 "Scott T. Harder"  wrote: 
> Just curious if anyone has heard anything about new DASD coming out
any
> time soon (or not so soon) that will have encryption built in, where
> anything written to a volume on a unit supporting this would
> automatically get encrypted; and decrypted when read, of course.
> 
>  
> 
> Thanks!
> 
> Scott
> 
>  
> 
> Scott T. Harder
> 
> Tech Support & Product Development
> 
> ASPG, Inc.
> 
> Ph:   239-649-1548 / Ext. 203
> 
> Fax:  239-649-6391
> 
> General Support Email:  aspgt...@aspg.com
> 
>  
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Ed Finnell]

 
In a message dated 2/10/2009 12:08:45 P.M. Central Standard Time,  
joa...@swbell.net writes:

No worries if a unit is removed and replaced, or the entire array sold  off.
The data should be unrecoverable if it is all encrypted. Many data  centers
have sensitive information sprinkled around in various  files.

>>
Still ruminating over today's announcements. Makes mine head hurt!  Looks 
like they
been saving up for SHARE. Maybe with something like ProtecTIER and data  
de-duplicator
can  do faster backups and shrink the batch window while achieving  data 
compression on the fly. Doesn't say anything about encryption as far as I  can 
tell. The other shoe was sub-capacity licensing for DB/2 9.5 for z/Linuz,  
UNIX, 
Windows, and Imformix. Maybe more protein is required
 




**A Good Credit Score is 700 or Above. See yours in just 2 easy 
steps! 
(http://pr.atwola.com/promoclk/10075x1218550342x1201216770/aol?redir=http://www.freecreditreport.com/pm/default.aspx?sc=668072%26hmpgID=62%26bcd=fe
bemailfooterNO62)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Scott T. Harder]

Hi Eric,

I think the main reason would be to comply with govt. regulations that
say "thow must encrypteth data at rest that contains personal/private
information".  Credit card numbers, medical records... the usual stuff.


Now it won't help B2B exchange; only situations where a company is
required to encrypt data where it lives.  It will automatically be
encrypted and decrypted; I imagine via a symmetric key stored in the
hardware.  It could be good, also, for DR situations where data is
mirrored to DASD at the DR site.  Not sure why there, because nobody
seems worried about data mirrored to offsite disk, where they are very
worried about tape during transport.  But, again, if the requirement is
that the data at rest be encrypted, then that requirement - I would
think - would extend to DR sites, as well.

I asked the original question only because I had heard that crypto-DASD
was coming next (after the tape hardware encryption, which is obviously
already in the field).  I haven't been able to find any information on
the crypto-DASD topic, so I just thought I'd see what the list had
heard.  Just fishing.

Thanks!
Scott   

Scott T. Harder
Tech Support & Product Development
ASPG, Inc.
Ph:   239-649-1548 / Ext. 203
Fax:  239-649-6391
General Support Email:  aspgt...@aspg.com


-Original Message-
From: eric-ibmm...@wi.rr.com [mailto:eric-ibmm...@wi.rr.com] 
Sent: Tuesday, February 10, 2009 12:58 PM
To: IBM Mainframe Discussion List
Cc: Scott T. Harder
Subject: Re: Crypto-DASD?

I haven't heard anything about this new dasd, but I have a question.
Why would you want everything encrypted?  If you have a dasd box in your
datacenter, what is the reason to encrypt all your data?  I can see that
maybe for mirroring where the data gets sent long distances over
communication lines, but why would the average datacenter need this?

Eric

--
Eric Bielefeld
Systems Programmer
Washington University
St Louis, Missouri
314-935-3418

 "Scott T. Harder"  wrote: 
> Just curious if anyone has heard anything about new DASD coming out
any
> time soon (or not so soon) that will have encryption built in, where
> anything written to a volume on a unit supporting this would
> automatically get encrypted; and decrypted when read, of course.
> 
>  
> 
> Thanks!
> 
> Scott
> 
>  
> 
> Scott T. Harder
> 
> Tech Support & Product Development
> 
> ASPG, Inc.
> 
> Ph:   239-649-1548 / Ext. 203
> 
> Fax:  239-649-6391
> 
> General Support Email:  aspgt...@aspg.com
> 
>  
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[John McKown]

On Tue, 10 Feb 2009 11:58:08 -0600, Eric Bielefeld 
wrote:

>I haven't heard anything about this new dasd, but I have a question.  Why
would you want everything encrypted?  If you have a dasd box in your
datacenter, what is the reason to encrypt all your data?  I can see that
maybe for mirroring where the data gets sent long distances over
communication lines, but why would the average datacenter need this?
>
>Eric
>
>--
>Eric Bielefeld

No worries if a unit is removed and replaced, or the entire array sold off.
The data should be unrecoverable if it is all encrypted. Many data centers
have sensitive information sprinkled around in various files.

--
John

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Crypto-DASD?

[Eric Bielefeld]

I haven't heard anything about this new dasd, but I have a question.  Why would 
you want everything encrypted?  If you have a dasd box in your datacenter, what 
is the reason to encrypt all your data?  I can see that maybe for mirroring 
where the data gets sent long distances over communication lines, but why would 
the average datacenter need this?

Eric

--
Eric Bielefeld
Systems Programmer
Washington University
St Louis, Missouri
314-935-3418

 "Scott T. Harder"  wrote: 
> Just curious if anyone has heard anything about new DASD coming out any
> time soon (or not so soon) that will have encryption built in, where
> anything written to a volume on a unit supporting this would
> automatically get encrypted; and decrypted when read, of course.
> 
>  
> 
> Thanks!
> 
> Scott
> 
>  
> 
> Scott T. Harder
> 
> Tech Support & Product Development
> 
> ASPG, Inc.
> 
> Ph:   239-649-1548 / Ext. 203
> 
> Fax:  239-649-6391
> 
> General Support Email:  aspgt...@aspg.com
> 
>  
> 
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Crypto-DASD?

[Scott T. Harder]

Just curious if anyone has heard anything about new DASD coming out any
time soon (or not so soon) that will have encryption built in, where
anything written to a volume on a unit supporting this would
automatically get encrypted; and decrypted when read, of course.

 

Thanks!

Scott

 

Scott T. Harder

Tech Support & Product Development

ASPG, Inc.

Ph:   239-649-1548 / Ext. 203

Fax:  239-649-6391

General Support Email:  aspgt...@aspg.com

 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html