Skip to Content

Key data set contents

The key data set contains one or more rows of 80 characters per row.

BMC AMI Copy ignores any characters in columns 72 through 80. Each row contains:

  • One encryption key
  • A corresponding timestamp
  • An optional encryption algorithm identifier
  • An optional comment

Related topic

Key-data-set

These fields are separated by one or more blank characters. The first character of the comment is an asterisk. Rows are ordered in the data set by timestamp with the most recent timestamp first. The current key is the key in the first row. The format of the key data set row is:

keyValue    timeStamp    encryptionAlgorithmID Comment

An example of the contents of a key data set follows:

X'0ABCDEF123456789FEDCBA000111111' 2022-02-12-12-00  *128 bit DES encryption    
X'123456789ABCDEF1'          2022-02-12-11-10
X'723DE6789000DEF1'  2022-02-12-16-40     DES   *64 bit DES encryption
X'723DE6789000DEF1723DE6789000DEF1' 2022-02-12-14-00  AES *128 bit AES encrypt
X'F1F2F3F4F5F6F7F8'  2022-02-12-12-00

BMC AMI Copy uses the contents of the key data set to determine a key value for encryption or decryption of image copies. The BMC AMI Copy COPY commands such as COPY TABLESPACE and COPY INDEXSPACE use the current key or the key in the first row of the key data set to encrypt image copies. If the timestamp in the first row is in the future, BMC AMI Copy sets the condition code to 4, issues a warning message, and creates plaintext image copies.

Encrypted image copies are registered in BMCXCOPY. As with SYSCOPY registration, BMCXCOPY registration includes a timestamp specifying when the copy was registered. The BMC AMI Copy COPY IMAGECOPY command, as well as BMC AMI Recover and BMC AMI Log Master, use this timestamp to find the correct key value in the key data set. For more information about the registration of encrypted copies, see Registration for plaintext image copies.

For example, if BMC AMI Recover selected an image copy for a recovery from BMCXCOPY with a timestamp of 2022-02-12-10.00, the encryption key and DES algorithm in the third row in the example key data set above is selected.

Key value

BMC AMI Copy supports both 64-bit and 128-bit keys. (See Encryption algorithm identifier.) The key data set can contain either or both key sizes. The key value is a clear key represented in the key data set as a string of 16 or 32 hexadecimal digits in the following format:

X'dd...'

X'dd...'The X and the quotes are required. The X must occur in the first column and be upper case. 

Timestamp

The date, hour, and minute string uses following formats:

yyyy-mm-dd-hh-mm

or

yyyy-mm-dd-hh.mm

The values are decimal numbers and are padded on the left with a zero if necessary. The timestamp must be separated from the key-value by at least one blank space.

Encryption algorithm identifier

An encryption algorithm identifier is optional in the key data set. The encryption algorithm identifiers supported are

  • DES for Data Encryption Standard (for 64-bit keys)
  • DES for Triple Data Encryption Standard (for 128-bit keys)
  • AES for Advanced Encryption Standard (requires 128-bit keys)

The algorithm identifier defaults to DES if no identifier is provided. If you provide an identifier, you must separate it from the timestamp by at least one blank. BMC AMI Copy distinguishes between the two varieties of DES based on the length of the key (64-bit or 128-bit). 

Comments

Comments are optional in the key data set. A comment begins with an asterisk that is separated from the preceding field by at least one blank.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI Copy for Db2 13.1