FDRCRYPT RESTORE Examples


All examples in this section can be found in the JCL library installed with FDR. The member names are EX7121x.

Important

  • The following examples show a variety of FDR restore functions, including FDR, FDRDSF, and FDRABR. However, FDRCRYPT works essentially the same no matter which type of FDR operation is performed, so an example shown for PGM=FDR works just as well with PGM=FDRABR or FDRDSF, and vice versa.
  • Although the name of the Encryption Keyfile in these examples contains the word “KEYFILE” for clarity, we recommend that for additional security the actual names used in your installation do not identify these as FDRCRYPT Encryption Keyfiles.
  • The FDRCRYPT DD statement is shown as an in-line data set (DD *) in many examples for simplicity, but this is not recommended when key values are included, because it may be a security exposure. For best security, point FDRCRYPT to a DASD data set that is secured by your security system.

Restore an encrypted FDR backup example

This simple example restores one DASD volume with FDR. The backup was encrypted by FDRCRYPT. During the restore, FDRCRYPT automatically detects that the backup was encrypted and the type of encryption used. Since no FDRCRYPT DD statement is provided, FDRCRYPT allocates the Encryption Keyfile specified in the FDR Global Options and locates the encryption key for this backup. The data is decrypted and restored.

Important

For all types of restores, if the encryption keys were stored in the Encryption Keyfile identified by the FDR Global Options, and that Encryption Keyfile is available, then no FDRCRYPT DD statement or special options are required to restore from encrypted backups. This is especially important if you encrypt your FDRABR Archive backups, so that auto-recall can work.

//RESTORE  EXEC PGM=FDR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//DISK1    DD UNIT=SYSALLDA,DISP=OLD,VOL=SER=123456
//TAPE1    DD DSN=BACKUP.V123456(0),DISP=OLD
//SYSIN    DD *
 RESTORE  TYPE=FDR
/*

RESTORE an encrypted data set backup example

This example restores data sets from the AES encrypted backups of two DASD volumes. Because the Encryption Keyfile used during the backups is not available, the 128-bit AES key of each backup is provided in the FDRCRYPT DD statement.

Important

The type of key provided (for example, AESKEY) must match the encryption type used to encrypt the tape.

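//RESTORE  EXEC PGM=FDR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//* FDRCRYPT POINTS TO THE DATA SET THAT HOLDS THE DECRYPT STATEMENTS
//FDRCRYPT DD DSN=PAYROLL.FDRCRYPT.RESTOPT,DISP=SHR
//DISK1    DD UNIT=SYSALLDA,DISP=OLD,VOL=SER=123456
//TAPE1    DD DSN=BACKUP.V123456(0),DISP=OLD
//SYSIN    DD *
 RESTORE  TYPE=FDR
/*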

Data set “PAYROLL.FDRCRYPT.RESTOPT” contains these statements:

  KEYFILE  DSN=NULLFILE
  DECRYPT  VOL=LIB001,AESKEY=A342CC0012947FE71442344773F6DEA8
  DECRYPT  VOL=LIB002,AESKEY=947FEA34213F6DEA8CC4423447700127

Restore encrypted FDRABR volume backups example

This example does ABR full-volume restores of a set of volumes whose backups were encrypted. The restore is being done at a disaster recovery site, but the Encryption Keyfile in which the encryption keys were stored is not available, so the master key used for the backups is specified. Volumes starting with “SALE” used one master key; all other backups used another master key, so both are provided.

The master key allows FDRCRYPT to access an encrypted form of the actual key from each backup, and decrypt the data. It does not matter what encryption type was used. ONLY use this type of restore if the Encryption Keyfile or the individual encryption keys cannot be provided. The master key must be kept extremely secure and used only by authorized individuals when necessary. A restore using a master key can be done only if a master key was specified during the backup.

Since this ABR full-volume restore may read incremental backups and a full-volume backup while restoring each DASD volume, it is necessary that all of those backups were done using the same master key. Although master keys can be changed at any time, for ABR volume backups it is important that they change only when full-volume backups are taken (the beginning of a new generation).

//RESTORE  EXEC PGM=FDRABR,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSIN    DD *
 RESTORE  TYPE=FDR,CPYVOLID=YES,CONFMESS=NO,DYNTAPE,ONLINE
 SELECT   VOL=SALE01,NVOL=DR0001
 SELECT   VOL=SALE02,NVOL=DR0002
 SELECT   VOL=PROD01,NVOL=DR0003
 SELECT   VOL=PROD02,NVOL=DR0004
 SELECT   VOL=PROD03,NVOL=DR0005
 SELECT   VOL=PROD04,NVOL=DR0006
/*
//FDRCRYPT DD *
  KEYFILE  DSN=NULLFILE     DO NOT ATTEMPT TO OPEN THE KEY FILE
  DECRYPT  VOL=SALE*,MASTERKEY=A342CC0012947FE71442344773F6DEA8
  DECRYPT  VOL=*,MASTERKEY=947FEA34213F6DEA8CC4423447700127
/*

Restore encrypted backups with FDRDRP example

This example does FDRDRP full-volume restores of a set of volumes whose ABR backups were encrypted. The Encryption Keyfile used for these backups was previously restored and its name is specified.

//RESTORE  EXEC PGM=FDRDRP,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSIN    DD *
 RESTORE  TYPE=DRP,CPYVOLID=YES
 SELECT   VOL=DB2001,NVOL=DR0001
 SELECT   VOL=DB2002,NVOL=DR0002
 SELECT   VOL=DB2003,NVOL=DR0003
  …
/*
//FDRCRYPT DD *
  KEYFILE  DSN=FDRABR.KEYFILE
/*
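
The recommendations in the first Important note (no key values in an in-line FDRCRYPT DD, and Encryption Keyfile names that do not identify themselves) can be checked mechanically across a JCL library. The Python sketch below is an added example, not part of the FDR product or its documentation; the function name, rule labels and sample JCL are assumptions constructed for illustration, and it expects JCL members exported as plain text.

```python
import re

DD_STMT = re.compile(r"^//(\S*)\s+DD\s+(\S+)")
# Only the key operands shown in this page's examples are matched.
KEY_OPERAND = re.compile(r"\b(AESKEY|MASTERKEY)=([0-9A-Fa-f]+)")
KEYFILE_STMT = re.compile(r"^\s*KEYFILE\s+DSN=([^\s,]+)", re.I)

# Constructed sample JCL; the key is a dummy value, not a real key.
SAMPLE_JCL = """\
//RESTORE  EXEC PGM=FDRABR,REGION=0M
//FDRCRYPT DD *
  KEYFILE  DSN=NULLFILE
  DECRYPT  VOL=SALE*,MASTERKEY=00112233445566778899AABBCCDDEEFF
/*
//STEP2    EXEC PGM=FDRDRP,REGION=0M
//FDRCRYPT DD *
  KEYFILE  DSN=FDRABR.KEYFILE
/*
//STEP3    EXEC PGM=FDR,REGION=0M
//FDRCRYPT DD DSN=PAYROLL.FDRCRYPT.RESTOPT,DISP=SHR
"""


def audit_fdrcrypt(jcl_text):
    """Return (line_no, rule, detail) findings for in-stream FDRCRYPT data."""
    findings = []
    in_stream = False  # True only between //FDRCRYPT DD * and its end
    for line_no, line in enumerate(jcl_text.splitlines(), 1):
        dd = DD_STMT.match(line)
        if dd:
            in_stream = dd.group(1) == "FDRCRYPT" and dd.group(2) == "*"
            continue
        if line.startswith(("//", "/*")):
            in_stream = False  # next JCL statement or delimiter ends DD * data
            continue
        if not in_stream:
            continue
        for operand, hex_key in KEY_OPERAND.findall(line):
            # Report the operand and key length only; never echo the key.
            findings.append((line_no, "INLINE_KEY", f"{operand} {len(hex_key) * 4}-bit"))
        keyfile = KEYFILE_STMT.match(line)
        if keyfile and "KEYFILE" in keyfile.group(1).upper():
            findings.append((line_no, "REVEALING_KEYFILE_NAME", keyfile.group(1)))
    return findings


if __name__ == "__main__":
    for finding in audit_fdrcrypt(SAMPLE_JCL):
        print(finding)
```

An FDRCRYPT DD that references a data set, as in the last step of the sample, produces no finding; whether that data set is adequately protected is a question for your security system, not for this scan.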

 
