Key encrypt/decrypt exits


The Key Encrypt/Decrypt exits (ENCRYPT, ENCRYPTC and ENCRYPTN) include record level and field level encryption/decryption. The user has the ability to apply an encryption key of up to 248 bytes for both the record and field level exits. If applied, this key must be supplied to correctly decrypt the file. The application of an encryption key provides an additional level of security that was not available in the previous versions.

ENCRYPT, ENCRYPTC and ENCRYPTN will process fields longer than 256 bytes.

Field level exit (with encryption key)

Field Level encryption enables the user to encrypt individual fields. Using the field level exit with an encryption key provides a more sophisticated and secure algorithm.

To supply an encryption key to the field level exit, specify E to encrypt or D to decrypt followed by one space then the encryption/decryption key. As shown in the following figure, the EMP-FIRST-NAME field will be encrypted using the “samplekey” encryption key.

For added security, you can code DSN=dataset name instead of the actual encryption key. At execution time, File-AID/Data Solutions reads the named data set and uses the encryption key specified in the data set. This facilitates hiding the encryption key. For more information, see Storing Encryption Key In A Separate Dataset.

Important

Different keys yield different results.

Field Level Exit (with encryption key)

   Action  Sets  Display  Show  Options  Menu  Help                             
 -------------------------------------------------------------------------------
 File-AID/Data Solutions ------- Data Encryption Criteria ----------------------
 COMMAND ===>                                                  SCROLL ===> PAGE
                                                                               
 SET  1 OF  1           EMPLOYEE-MASTER-FILE                     GBL = N SEL = N
 ---- FIELD LEVEL/NAME ------- -FORMAT- RO ----PARAMETERS---- + ENCRYPTION NAME
 ******************************* TOP OF DATA ***********************************
 5 EMP-NUMBER                    5/AN                                           
 5 EMP-LAST-NAME                15/AN                                           
 5 EMP-FIRST-NAME               10/AN   EX E samplekey          ENCRYPT         
 5 EMP-MID-INIT                  1/AN                                           
 5 FILLER                        2/AN                                           
 5 EMP-TITLE                    30/AN                                           
 5 EMP-PERSONAL-INFO SYNC       23/GRP                                          
   10 EMP-NATL-ID-NUMBER         9/NUM                                          
   10 FILLER                     1/AN                                           
   10 EMP-DATE-OF-BIRTH          6/AN                                           
   10 EMP-DOB-REDEF REDEFINES EMP-DATE-OF-BIRTH                                 
   10 EMP-DOB-REDEF SYNC         6/GRP                                         
     15 EMP-DOB-MM               2/NUM                                          
     15 EMP-DOB-DD               2/NUM                                          
 Valid RO: EX, EP, FM - For a list of exits, leave ENCRYPTION NAME blank.   
 Commands: SELect, GBL, View

The EMP-FIRST-NAME field will now be encrypted with the samplekey encryption key and the user will need to provide this key to decrypt the field.

The following rules must be followed when using an encryption key:

  • The encryption key must contain alphanumeric characters (A-Z) or (0-9).
  • The encryption key is not case sensitive for encryption or decryption exits.
  • The encryption key length cannot exceed 248 bytes.
  • Exactly one space is required between E or D and the encryption key supplied by the user.
  • You must specify the encryption key on the Field Exit Parameters screen, if its length is greater than 16 characters. This panel is displayed by entering EP in the RO column.
  • After applying field level encryption, the format of the encrypted fields is preserved and the encrypted file can be used for testing purposes.
  • To maintain sign integrity on zoned decimal fields you must specify a Field Mask. This will assure the sign never changes. See Field Mask for a description of its features.

Field level exit (without encryption key)

The Field Level exit without the encryption key provides encryption identical to the original non-keyed encryption exit available in prior releases. As shown in the following figure, the encryption key is omitted.

Field Level Exit (without encryption key)

   Action  Sets  Display  Show  Options  Menu  Help                             
 -------------------------------------------------------------------------------
 File-AID/Data Solutions ------- Data Encryption Criteria ----------------------
 COMMAND ===>                                                  SCROLL ===> PAGE
                                                                               
 SET  1 OF  1           EMPLOYEE-MASTER-FILE                     GBL = N SEL = N
 ---- FIELD LEVEL/NAME ------- -FORMAT- RO ----PARAMETERS---- + ENCRYPTION NAME
 ******************************* TOP OF DATA ***********************************
 5 EMP-NUMBER                    5/AN                                           
 5 EMP-LAST-NAME                15/AN                                           
 5 EMP-FIRST-NAME               10/AN   EX E                    ENCRYPT         
 5 EMP-MID-INIT                  1/AN                                           
 5 FILLER                        2/AN                                           
 5 EMP-TITLE                    30/AN                                           
 5 EMP-PERSONAL-INFO SYNC       23/GRP                                          
   10 EMP-NATL-ID-NUMBER         9/NUM                                          
   10 FILLER                     1/AN                                           
   10 EMP-DATE-OF-BIRTH          6/AN                                           
   10 EMP-DOB-REDEF REDEFINES EMP-DATE-OF-BIRTH                                 
   10 EMP-DOB-REDEF SYNC         6/GRP                                          
     15 EMP-DOB-MM               2/NUM                                          
     15 EMP-DOB-DD               2/NUM                                          
 Valid RO: EX, EP, FM - For a list of exits, leave ENCRYPTION NAME blank.   
 Commands: SELect, GBL, View

Record level exit (with encryption key)

Record level encryption enables the user to:

  • Encrypt an entire record
  • Transfer data files from one location to another with a degree of security.

Because record level encryption enables transfer of data, it supports the application of a user written or an industry standard encryption routine.

A sample routine for record level encryption is provided on the distribution tape for the extension. This routine is provided in both source (EXITR101) and object (UDAER101). The sample encrypts data in a fashion that makes it unusable until it has been decrypted at the target location.

To supply an encryption key to the record level exit, specify R immediately after the E (to encrypt) or D (to decrypt), with no space between them. The encryption key, “HELLO”, immediately follows the letter R, as shown in the following figure.

Record Level Exit (with encryption key)

   Action  Sets  Display  Show  Options  Menu  Help                             
 -------------------------------------------------------------------------------
 File-AID/Data Solutions ------- Data Encryption Criteria ----------------------
 COMMAND ===>                                                  SCROLL ===> PAGE
                                                                               
 SET  1 OF  1           EMPLOYEE-MASTER-FILE                     GBL = N SEL = N
 ---- FIELD LEVEL/NAME ------- -FORMAT- RO ----PARAMETERS---- + ENCRYPTION NAME
 ******************************* TOP OF DATA ***********************************
 5 EMP-NUMBER                    5/AN                                           
 5 EMP-LAST-NAME                15/AN                                           
 5 EMP-FIRST-NAME               10/AN   EX ERHELLO              ENCRYPT         
 5 EMP-MID-INIT                  1/AN                                           
 5 FILLER                        2/AN                                           
 5 EMP-TITLE                    30/AN                                           
 5 EMP-PERSONAL-INFO SYNC       23/GRP                                          
   10 EMP-NATL-ID-NUMBER         9/NUM                                          
   10 FILLER                     1/AN                                           
   10 EMP-DATE-OF-BIRTH          6/AN                                           
   10 EMP-DOB-REDEF REDEFINES EMP-DATE-OF-BIRTH                                 
   10 EMP-DOB-REDEF SYNC         6/GRP                                          
     15 EMP-DOB-MM               2/NUM                                          
     15 EMP-DOB-DD               2/NUM                                          
 Valid RO: EX, EP, FM - For a list of exits, leave ENCRYPTION NAME blank.   
 Commands: SELect, GBL, View

  • The encryption key length cannot exceed 248 bytes.
  • Record level encryption can be specified on any field, but the exit will be executed only once per record.
  • After applying record level encryption, the format of the encrypted fields is not preserved and the encrypted file cannot be used for testing purposes.

To write your own Record Level Encryption Exit or apply an industry standard routine, review the exit in member EXITR101 in the sample library (hlq.SXVJSAMP). The CSECT name and object module name for this exit must be EXITR101.

To link a user written Record Level Encryption Exit, use the JCL located in sample library member JCLXR101.

Encryption key considerations

Remembering the encryption key

The encryption key is saved in the Change Criteria dataset on the COPY Execution Options screen, if the Save change criteria field is set to Y, unless the DSN=dataset name option was used.

If you cannot recall the encryption key, you can retrieve it by browsing the Change Criteria member and/or the encryption key file. If you forget the Change Criteria dataset and member and/or the encryption key file name, the encryption key cannot be retrieved.

You cannot decrypt any encrypted fields without the encryption key. An UPDATE is not allowed for this reason.

You must use the “Copy” function to use the Encryption/Decryption Extensions. The Copy function preserves access to the original data even if you forget the encryption key, because the original data is the source file and not the target.

Securing the Encryption Key

To secure the encryption key, replace the key with DSN=dataset name, where data set name is the fully-qualified data set name of a file that contains the actual encryption key, beginning in position 1 of the first record. The file can be secured using your standard security system (e.g. RACF). This method is available for the ENCRYPT, ENCRYPTC and ENCRYPTN field exits only.

If you do not use this method to secure the encryption key, then the key may not be secure. The encryption key is saved in the Change Criteria dataset, and a user with read access to the Change Criteria dataset also has access to the encryption key.

To secure the Change Criteria dataset, use your standard security system (e.g., RACF) to guard against undesired access.
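
The parameter rules from the field level and record level sections, together with the key storage considerations above, can be checked before a criteria set is saved. The following Python code is an added example, not part of File-AID/Data Solutions; the function name, the finding texts, the sample data set name and the case-insensitive handling of E, D, R and DSN= are assumptions.

```python
import re

MAX_KEY_BYTES = 248  # rule from the page: key length cannot exceed 248 bytes
PANEL_LIMIT = 16     # rule from the page: longer keys are entered on the EP screen

def audit_exit_parameter(param):
    """Classify one PARAMETERS value and list findings for a reviewer."""
    r = {"action": None, "level": None, "key_source": None, "findings": []}
    p = param.rstrip()
    if not p or p[0].upper() not in "ED":
        r["findings"].append("must start with E (encrypt) or D (decrypt)")
        return r
    r["action"] = "encrypt" if p[0].upper() == "E" else "decrypt"
    rest = p[1:]
    if not rest:  # E or D alone: field level exit without a key
        r.update(level="field", key_source="none")
        r["findings"].append("non-keyed encryption, as in prior releases")
        return r
    if rest[0] in "Rr":                        # ERkey: no space before the key
        r["level"], key = "record", rest[1:]
    elif rest[0] == " " and rest[1] != " ":    # E key: exactly one space
        r["level"], key = "field", rest[1:]
    else:
        r["findings"].append("exactly one space required between E/D and key")
        return r
    if not key:
        r["findings"].append("record level parameter has no key")
        return r
    if key.upper().startswith("DSN="):
        r["key_source"] = "dataset"
        if r["level"] == "record":
            r["findings"].append("DSN= is available for field exits only")
        return r
    r["key_source"] = "inline"
    advice = "use DSN=" if r["level"] == "field" else "secure that dataset"
    r["findings"].append("key is readable in saved Change Criteria; " + advice)
    if not re.fullmatch(r"[A-Za-z0-9]+", key):
        r["findings"].append("key must be alphanumeric (A-Z, 0-9)")
    if len(key) > MAX_KEY_BYTES:
        r["findings"].append("key exceeds 248 bytes")
    elif r["level"] == "field" and len(key) > PANEL_LIMIT:
        r["findings"].append("key longer than 16: enter it on the EP screen")
    return r

# Constructed sample parameters; the data set name is a placeholder.
SAMPLES = ["E samplekey", "ERHELLO", "E", "E DSN=HLQ.ENCRYPT.KEYFILE", "E  samplekey"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), audit_exit_parameter(s))
```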

Using an Incorrect Encryption Key

If an incorrect encryption key is used to decrypt a file, then the resulting file will not be equivalent to the original file.

To undo these changes, you must execute an encryption using the same incorrect encryption key. You can then execute the decryption, using the correct encryption key.

Running Consecutive Encryptions

Encrypting a file twice requires decrypting the same file two times to retrieve the original data. The decryptions must be performed in the reverse order of the encryptions.

For example, if a file was encrypted using key A and then key B, you must decrypt it using key B and then key A to retrieve your original data file.

Keyed VSAM, DB2, or IMS files

Encryption/Decryption Extensions can be used for keyed VSAM, DB2 or IMS files. Special attention must be paid to ensure that the key field(s) remain in sequence.

To avoid errors, follow the steps below for an encrypted key field:

  1. Specify a sequential file as the encryption output.
  2. Sort the sequential file by the key.
  3. Load the sequential file into a new VSAM, DB2 or IMS file.

Important

Record level encryption for VSAM, DB2 and/or IMS files must follow the steps listed above.

If the key field is not one of the fields being encrypted, then encryption can proceed without further considerations.

 
