Space announcement We are no longer updating this space, and you cannot comment on this space. The IMAGE COPY PLUS component is now documented in BMC AMI Backup and Recovery for IMS.

Creating encryption keys


An encryption key file can contain one or more 64-bit (8-byte) keys and 128-bit (16-byte) keys in hexadecimal format.

Each key must also have a timestamp that identifies which key to use for an image copy when multiple keys are present in the file. The API compares the timestamp from the image copy header record with the key timestamp and selects the key with the most recent timestamp that is earlier than (less than) or the same as (equal to) the image copy timestamp.

Tip

To prevent potential problems, use only one encryption key. Using multiple encryption keys increases the possibility of procedural errors that can threaten recoverability.

The following figure contains examples of encryption keys.

* This file contains keys for BMC image copy encryption support.
*
* In these examples, a new encryption key is used every quarter of the year, but
* multiple encryption keys are not required and can cause procedural problems.
*
* The following examples are 128-bit keys:
X'A38889A289A2A388859285A886899385' 2006.274.00.00.00.0
* The following meaningful key is the hexadecimal code for 'TheKeyHasMeaning'
X'E38885D285A8C881A2D4858195899587' 2007.000.00.00.00.0
*
* The following examples are 64-bit keys:
X'C2E3E5E299A493A9'                 2007.091.00.00.00.0
* The following meaningful key is the hexadecimal code for '1GoodKey'
X'F1C7969684D285A8'                  2007.182.00.00.00.0

Creating encryption keys

When you create encryption keys, apply the following syntax rules:

  • Precede each key with the literal X in column 1, and enclose the hexadecimal string in single quotation marks.
  • The string can contain letters A through F and numbers 0 through 9. For a 128-bit key, specify 32 characters for the string. For a 64-bit key, specify 16 characters for the string.
  • Specify the timestamp following the key (on the same line) in the following format:

    yyyy.ddd.hh.mm.ss.t

    In this format, yyyy is the year, ddd is the Julian day of the year (1 through 365), hh is the hour (00 through 23), mm is the minute (00 through 59), ss is the second (00 through 59), and t is the tenth of a second (0 through 9).

  • If you specify multiple keys, specify each key on a separate line.
  • To create a comment, specify an asterisk (*) in column 1.

Tip

Use a meaningful or memorable character string as the basis for an encryption key so that the key can be recreated if necessary. An easy way to convert a character string to the required hexadecimal format is to use the HEX ON option in the ISPF Edit function to translate EBCDIC characters to their hexadecimal codes.

Using multiple encryption keys

If you use multiple encryption keys, you must ensure that a key is retained as long as the image copy which was encrypted with that key is still valid for recovery.

For example, an organization takes an image copy of every database during the batch window every weekend. This organization retains four generations of image copy data sets. The organization decides to implement a new encryption key every Friday before the batch window begins. The following keys are created in the encryption key file:

* Key 1 is used for image copies taken December 29 2006 through January 4 2007
X'D1B2C5A9A5A3A6D9' 2006.363.00.00.00.0
* Key 2 is used for image copies taken January 5 2007 through January 11 2007
X'59467132779258DF' 2007.005.00.00.00.0
* Key 3 is used for image copies taken January 12 2007 through January 18 2007
X'3918463071C8C6C2' 2007.012.00.00.00.0
* Key 4 is used for image copies taken January 19 2007 through January 25 2007
X'C2E3F5ED99A493A6' 2007.019.00.00.00.0
* Key 5 is used for image copies taken January 26 2007 and later
X'F6D788C1B2B65853' 2007.026.00.00.00.0

The organization must retain Key 1 until all image copy generations that were created between December 29, 2006 and January 4, 2007 have been discarded.
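The key file syntax rules and the timestamp-based key selection described on this page can be checked before a key is retired. The following Python sketch is an added example, not BMC code: it parses a key file, selects the key for a given image copy timestamp, and lists the keys that retained image copies still need. The function names are hypothetical, and it assumes the image copy timestamp is supplied in the same yyyy.ddd.hh.mm.ss.t format.

```python
import re

# X in column 1, quoted uppercase hex string, then the timestamp on the same line
KEY_LINE = re.compile(r"^X'([0-9A-F]+)'\s+(\S+)\s*$")
TS = re.compile(r"^(\d{4})\.(\d{3})\.(\d{2})\.(\d{2})\.(\d{2})\.(\d)$")

def parse_ts(text):
    """Turn yyyy.ddd.hh.mm.ss.t into a tuple of ints that compares chronologically."""
    m = TS.match(text)
    if not m:
        raise ValueError(f"bad timestamp: {text!r}")
    ts = tuple(int(f) for f in m.groups())
    # Assumption: ddd 000 (used in the page's sample file) and 366 are accepted.
    if ts[1] > 366 or ts[2] > 23 or ts[3] > 59 or ts[4] > 59:
        raise ValueError(f"timestamp field out of range: {text!r}")
    return ts

def parse_key_file(text):
    """Return (timestamp, hex_key) pairs sorted by timestamp; reject malformed lines."""
    keys = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("*"):
            continue  # blank line, or comment with an asterisk in column 1
        m = KEY_LINE.match(line)
        if not m or len(m.group(1)) not in (16, 32):  # 64-bit or 128-bit only
            raise ValueError(f"line {n}: not a valid key entry")  # never echo the key
        keys.append((parse_ts(m.group(2)), m.group(1)))
    return sorted(keys)

def select_key(keys, image_copy_ts):
    """Pick the key with the most recent timestamp <= the image copy timestamp."""
    limit = parse_ts(image_copy_ts)
    eligible = [k for k in keys if k[0] <= limit]
    if not eligible:
        raise LookupError("no key timestamp is early enough for this image copy")
    return max(eligible)[1]

def keys_still_needed(keys, retained_copy_timestamps):
    """Keys that must stay in the file while these image copies are kept."""
    return {select_key(keys, ts) for ts in retained_copy_timestamps}

SAMPLE = """\
* The five weekly keys from the multiple-key example on this page
X'D1B2C5A9A5A3A6D9' 2006.363.00.00.00.0
X'59467132779258DF' 2007.005.00.00.00.0
X'3918463071C8C6C2' 2007.012.00.00.00.0
X'C2E3F5ED99A493A6' 2007.019.00.00.00.0
X'F6D788C1B2B65853' 2007.026.00.00.00.0
"""
```

Comparing the result of keys_still_needed for the retained image copy generations against the keys in the file shows which keys cannot yet be removed.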
