Encrypting and decrypting image copies
The Image Copy utility, the Change Accumulation utility, and the Recovery utility of the BMC AMI Backup and Recovery for IMS product can write and read image copy data sets in encrypted format.
Business continuity plans usually involve sending an organization’s important data to a remote recovery site.
Transmission and storage of offsite data increase the probability that this data could be lost or stolen. As more organizations implement disaster recovery plans, incidents involving data security breaches are increasingly frequent. These incidents are also increasingly costly in the harm that they cause to organizations and their customers, clients, and associates. Even if the data is not misused, the potential for harm is costly because of the notification, alerts, and other measures that must be taken in the aftermath of a breach.
By encrypting image copy data sets that are sent offsite, you reduce the possibility of unauthorized access to sensitive information. If the data set is lost or stolen, it is unusable without the key and the means to use the key.
BMC AMI Backup and Recovery for IMS utilities use an application program interface (API) to call standard z/OS data encryption services to encrypt and decrypt image copy data sets. The API supports 64-bit and 128-bit encryption keys. The file that contains encryption keys is allocated dynamically.
To request encryption of an output secondary image copy (copies 2 through 10), you use the ENCRYPT option in a dynamic allocation model. The primary copy cannot be encrypted. BMC products (at supported levels) automatically recognize that an input image copy is encrypted and handle it appropriately.
You can use the Copy Image Copy (CIC) function of the Image Copy utility to read an encrypted image copy and create a decrypted image copy, which you can use as input to a program or process that does not support encrypted image copies.