DUMP/COPY Operands for Encryption
DUMP/COPY operands for encryption
These operands can be added to an FDR, FDRDSF, FDRABR, or FDRAPPL DUMP statement to invoke encryption for backups; they can also be added to the COPY statement in FDRTCOPY and FDRTSEL to specify or override encryption on the outputs:
ENCRYPT=
Controls the use of FDRCRYPT encryption for the DASD volumes backed up or copied in this step. Values for ENCRYPT= are:
ALL
All output backups are to be encrypted.
COPY1
Only the COPY1 backups are encrypted (TAPEx for dumps and TAPEOUT for FDRTCOPY and FDRTSEL).
COPY2
Only the COPY2 backups are encrypted (TAPExx for dumps and TAPE2OUT for FDRTCOPY and FDRTSEL).
NONE
Backups are not encrypted.
Encryption includes compression so do not specify COMPRESS= if ENCRYPT= is specified. The CPU overhead of encryption is the same for encrypting one copy or both.
Additionally, do not specify RTC=YES as this operand is incompatible with encryption and can cause the FDR302 message to be printed.
Default: For backups, the default is NONE; backups are not encrypted. For FDRTCOPY and FDRTSEL, the default is to preserve the encryption of the input backup (the output has the same encryption type and key).
ENCRYPTTYPE=
Selects the default symmetric encryption technique to be used for DASD volumes backed up in this step:
AES
AES128
Advanced Encryption Standard with 128-bit key (AES-128). On a processor with an enabled AES-128 encryption assist (such as an IBM z9 system), the assist is automatically used for AES-128 encryption; otherwise, the FDRCRYPT AES software is used.
AES192
Advanced Encryption Standard with 192-bit key (AES-192).
AES256
Advanced Encryption Standard with 256-bit key (AES-256).
TDES
Triple Data Encryption Standard. On a processor with an enabled TDES encryption assist (such as an IBM z114 or z196 system), the assist is automatically used for TDES encryption; otherwise, the FDRCRYPT TDES software is used. TDES is not recommended unless you have the assist.
The ENCRYPTTYPE= operand, if specified, must follow the ENCRYPT= operand, or a control statement error results.
The default encryption technique can be overridden for specific DASD volumes on an ENCRYPT statement. You can also choose to bypass encryption for specific DASD volumes.
Examples:
DUMP TYPE=FDR,ENCRYPT=ALL,ENCRYPTTYPE=AES
DUMP TYPE=ABR,ENCRYPT=COPY2,ENCRYPTTYPE=AES256
FDRCRYPT DD statement
If ENCRYPT= is specified on a DUMP or COPY statement, and in any RESTORE step where an encrypted backup is encountered, FDRCRYPT checks for an FDRCRYPT DD statement in the step JCL. If present, it contains KEYFILE, ENCRYPT, and/or DECRYPT statements providing additional options for encryption.
Although the FDRCRYPT DD statement could be “DD *” (an in-stream data set), this means that the statements are a visible part of the job stream. If actual encryption keys or master keys are specified, this is not particularly secure and should be avoided.
For secure use when keys are specified, point FDRCRYPT to a sequential DASD data set or a member of a PDS. Use your security system to restrict access to that data set. UPDATE authority is required to update the data set and change the keys, and READ authority is required to read the file from FDRCRYPT. Remember that READ authority also allows users to display the data set and see the keys, so restrict it to the user IDs who run backups using that parameter file.
If you let FDRCRYPT generate the keys, and use a IBM RACF profile for the master key (if any), then no keys appear in the FDRCRYPT input and there is no security exposure, even if is an in-stream data set.
For backups, an FDRCRYPT DD statement is usually required to provide encryption options but it can be omitted if you take the defaults:
- The Encryption Keyfile to be used for these backups is the file named in the FDR Global Options (option KEYFILE).
- The master key is provided by a security system FACILITY class and a default value for MASTERKEYID= was specified in the FDR Global Options (see the details below).
- You let FDRCRYPT randomly generate encryption keys for each DASD volume backed up.
The FDRCRYPT DD statement can usually be omitted for restores if the Encryption Keyfile to be used is the default specified in the FDR Global Options. It must be included if you need to override the Encryption Keyfile name, specify the master key or specify actual keys for this restore step.