DECRYPT Statement

DECRYPT statements are used with restores (RESTORE) and with FDRTCOPY/FDRTSEL (COPY) if the input backups must be decrypted. They are accepted only from the FDRCRYPT DD statement, but in the DUMP/COPY listings, they may be printed as if they were control statements read from SYSIN. However, all key values are obscured before the statements are printed.

DECRYPT statement syntax

DECRYPT|DC
        VOL=volspec|(volspec,…,volspec)
        ,MASTERKEY=masterkey
        ,AESKEY=aeskey|DESKEY=tdeskey

On each DECRYPT statement, the VOL= operand specifies which DASD volumes are affected by this statement; if the VOL= operand is omitted, it is treated like VOL=* which affects all DASD volumes. FDR scans the statements in the order they appear looking for the first statement that applies to each volume being restored, so if you need to specify keys for certain volumes, place the DECRYPT statements for the most specific volume serials first, followed by those for more general volume serials (or all other volume serials). For example,

DECRYPT VOL=ABC001,AESKEY=119111ABFE44C291B802FF0089EF2589
DECRYPT VOL=*,AESKEY=258911ABFE44C291B802FF0089EF1191

The AESKEY on the second statement is used to decrypt the backups of all volumes except ABC001, whose backups are decrypted with the AESKEY on the first statement.

FDRCRYPT determines the encryption type (if any) used for each backup read. If you are providing the decryption keys on DECRYPT statements (instead of getting them from an Encryption Keyfile), you must specify the proper type of key (AESKEY or DESKEY) matching each backup.

If a DECRYPT statement with MASTERKEY= is specified and VOL= matches the DASD volume being restored or copied, then that master key is used, and any actual key specified for the same volume (or taken from the Encryption Keyfile) is ignored. In other words, the master key is always used if specified, ignoring other keys.

DECRYPT statement optional operands

VOL=

volspec

Specifies the original volume serials of the DASD volumes whose backups are decrypted with the key specified on this statement. You can specify a single volume serial (up to six characters) or a VOLSER prefix (0-5 characters followed by an asterisk, for example, DB2*).

You can also combine these by enclosing the serials or prefixes in parentheses, for example,

VOL=(ABC123,ABC234,XYZ456)

VOL=(ABC*,XYZ*,LMN234,CICS*)

You can specify a maximum of 255 volume serial numbers or VOLSER prefixes. The list can be continued onto the next input record by the normal FDR rules: place a blank after any comma and continue the list on the next line.

Default: VOL=*, which causes the statement to apply to all volumes.

MASTERKEY=

masterkey

Specifies the 16-byte (128-bit) AES master key to be used, in hex (exactly 32 hex digits, 0-9, A-F). This can only be used if a master key was used for the backup being restored. See “Master Keys” in FDRCRYPT Techniques and Procedures for an explanation of the master key. Do not specify the master key if a current Encryption Keyfile is available.

AESKEY=

AK=

aeskey

Specifies the AES key to be used, if the backup was created with ENCRYPTTYPE=AES or AESxxx.

Specify the key as hex digits (0-9, A-F).

For AES or AES128 – provide exactly 32 hex digits (128 bits).

For AES192 – provide exactly 48 hex digits (192 bits).

For AES256 – provide exactly 64 hex digits (256 bits).

The key must be specified on a single statement and cannot extend past column 71; if necessary, use the short operand form AK= and the short statement form of DECRYPT (DC).

There is no need to specify AESKEY if a current Encryption Keyfile is available. AESKEY is ignored if MASTERKEY= is specified.

DESKEY=

DK=

tdeskey

Specifies the TDES key to be used, if the backup was created with ENCRYPTTYPE=TDES.

Specify the key as exactly 48 hex digits (0-9, A-F), which is 192 bits.

The key must be specified on a single statement and cannot extend past column 71; if necessary, use the short operand form DK= and the short statement form of DECRYPT (DC).

There is no need to specify DESKEY if a current Encryption Keyfile is available. DESKEY is ignored if MASTERKEY= is specified.

Important

Only one of the five key parameters can be specified on any DECRYPT statement:

  • If a DECRYPT statement with MASTERKEY= matches the DASD volume serial number of a given backup, that master key is used to recover the actual key (that is encrypted on the backup itself) and the other key operands are ignored. This backup must have been encrypted with the specified master key.
  • If AESKEY= or DESKEY= is specified on a DECRYPT that matches the DASD volume serial number, that key is used if it matches the type of encryption used for that backup.
  • If no DECRYPT statement matches a given volume serial number, the key is read from the Encryption Keyfile (if available).
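As an added worked example (not code from FDR or the FDRCRYPT manual), the following Python models the rules on this page: parsing a DECRYPT/DC record with its short operand forms, checking key lengths against the encryption type, first-match volume selection with VOLSER prefixes, the MASTERKEY= override, and obscuring key values before a statement is echoed into a listing. The function names, the assumption that the whole record must end by column 71, and the test statements are the example's own.

```python
import re
# Accepted key lengths in hex digits per operand (AES 128/192/256 bits; TDES 192 bits).
KEY_LENGTHS = {"MASTERKEY": {32}, "AESKEY": {32, 48, 64}, "DESKEY": {48}}
SHORT = {"DC": "DECRYPT", "AK": "AESKEY", "DK": "DESKEY"}  # short statement/operand forms
AES_TYPE = {32: "AES128", 48: "AES192", 64: "AES256"}        # AES key length -> ENCRYPTTYPE

def parse_decrypt(stmt):
    """Parse one DECRYPT/DC record into {'VOL': [...], 'KEYTYPE': str, 'KEY': str}."""
    if len(stmt.rstrip()) > 71:  # assumption: the whole record must end by column 71
        raise ValueError("statement extends past column 71")
    verb, _, rest = stmt.strip().partition(" ")
    if SHORT.get(verb, verb) != "DECRYPT":
        raise ValueError("not a DECRYPT statement")
    vols, key = ["*"], None  # an omitted VOL= is treated as VOL=*
    for m in re.finditer(r"(\w+)=(\([^)]*\)|[^,\s]+)", rest):
        name, value = SHORT.get(m.group(1), m.group(1)), m.group(2)
        if name == "VOL":
            vols = value.strip("()").split(",")
        elif name in KEY_LENGTHS:
            if key is not None:  # only one key operand is allowed per statement
                raise ValueError("only one key operand may be specified")
            if not re.fullmatch(r"[0-9A-F]+", value) or len(value) not in KEY_LENGTHS[name]:
                raise ValueError(f"{name} needs {sorted(KEY_LENGTHS[name])} hex digits")
            key = (name, value)
        else:
            raise ValueError(f"unknown operand {name}")
    if key is None:
        raise ValueError("no key operand on statement")
    return {"VOL": vols, "KEYTYPE": key[0], "KEY": key[1]}

def vol_matches(spec, volser):
    """A VOL= entry is a full serial or a 0-5 character prefix followed by '*'."""
    return volser.startswith(spec[:-1]) if spec.endswith("*") else spec == volser

def select_key(statements, volser, enctype):
    """First statement in input order whose VOL= matches wins; None means fall back to the Keyfile."""
    for st in statements:
        if any(vol_matches(v, volser) for v in st["VOL"]):
            kt, key = st["KEYTYPE"], st["KEY"]
            if kt == "MASTERKEY":  # master key always wins, whatever else was specified
                return kt, key
            wanted = "TDES" if kt == "DESKEY" else AES_TYPE[len(key)]
            if wanted != ("AES128" if enctype == "AES" else enctype):  # AES means AES128
                raise ValueError(f"{kt} for {volser} does not match backup type {enctype}")
            return kt, key
    return None

def mask_for_listing(stmt):
    """Obscure key values before the statement is echoed into a DUMP/COPY listing."""
    return re.sub(r"((?:MASTERKEY|AESKEY|AK|DESKEY|DK)=)[0-9A-F]+", r"\1********", stmt)
```

Feed the records from the FDRCRYPT DD to parse_decrypt, keep the list in input order, and call select_key once per volume being restored; a None result is the signal to consult the Encryption Keyfile.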
