ENCRYPT Statement


ENCRYPT statements are used with backups (DUMP) and with FDRTCOPY/FDRTSEL (COPY) if the output is encrypted. They are accepted only from the FDRCRYPT DD statement, but in the DUMP/COPY listings they may be printed as if they were control statements read from SYSIN. However, all key values are obscured before the statements are printed.

ENCRYPT statement syntax

ENCRYPT|EC
    VOL=volspec|(volspec,…,volspec)
    ,MASTERKEY=masterkey|MASTERKEYID=suffix
    ,ENCRYPTTYPE=AES|AES128|AES192|AES256|BYPASS|COMPRESS|TDES
    ,COMPRESS=BYPASS
    ,AESKEY=aeskey|DESKEY=tdeskey
    ,PRINTKEY=NO|YES

On each ENCRYPT statement, the VOL= operand specifies which DASD volumes are affected by this statement; if the VOL= operand is omitted, it is treated like VOL=* which affects all DASD volumes. FDR scans the statements in the order they appear looking for the first statement that applies to each volume being backed up or copied, so if you need to specify special options for certain volumes, place the ENCRYPT statements for the most specific volume serials first, followed by those for more general volume serials (or all other volume serials).

However, FDR actually scans the statements twice for each volume being backed up or copied, once to get the master key value (if any), and again to get other encryption values. Therefore, you can have two ENCRYPT statements that apply to each DASD volume, one with a master key specification, and one with other operands. For example,

ENCRYPT MASTERKEY=6242A2902565FFC58140E2DD02990034
ENCRYPT VOL=ABC*,ENCRYPTTYPE=AES
ENCRYPT VOL=*,ENCRYPTTYPE=TDES

Because the ENCRYPT MASTERKEY= has no VOL= operand, it is the master key value for all backups in this step. The other statements are scanned in order, so AES encryption is used for volumes beginning with ABC, and TDES encryption for all other volumes.

You can specify multiple MASTERKEY= values, qualified by VOL=, so that different sets of volumes have different master keys. However, do not change master keys indiscriminately, since it is your responsibility to know what master keys were used for each set of backups. You may want to change the master keys on a scheduled basis, but the new keys must be carefully and securely recorded.
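As an added illustration (not FDR's own code), the following Python resolves which ENCRYPT operands apply to one volume, implementing the first-match and two-scan rules described above. It assumes that VOL= prefixes match on leading characters, that an omitted VOL= means VOL=*, and that a statement carrying only MASTERKEY=/MASTERKEYID= contributes nothing in the second scan; the statements it parses are the three from the example.

```python
import re

# Constructed input: the three statements from the example in the text above.
STATEMENTS = [
    "ENCRYPT MASTERKEY=6242A2902565FFC58140E2DD02990034",
    "ENCRYPT VOL=ABC*,ENCRYPTTYPE=AES",
    "ENCRYPT VOL=*,ENCRYPTTYPE=TDES",
]
KEY_OPERANDS = ("MASTERKEY", "MASTERKEYID")


def parse_statement(text: str) -> dict:
    """Split 'ENCRYPT|EC op=val,op=val' into a dict; VOL= becomes a list."""
    verb, _, operands = text.strip().partition(" ")
    if verb not in ("ENCRYPT", "EC"):
        raise ValueError(f"not an ENCRYPT statement: {text!r}")
    parsed: dict = {}
    # VOL=(a,b,c) contains commas, so only split on commas outside parentheses.
    for item in re.findall(r"[A-Z]+=(?:\([^)]*\)|[^,]+)", operands):
        name, _, value = item.partition("=")
        if name == "VOL":
            parsed[name] = [v.strip() for v in value.strip("()").split(",")]
        else:
            parsed[name] = value
    if any(k in parsed for k in KEY_OPERANDS) and set(parsed) - {"VOL", *KEY_OPERANDS}:
        raise ValueError("only VOL= may accompany MASTERKEY=/MASTERKEYID=")
    parsed.setdefault("VOL", ["*"])  # an omitted VOL= is treated as VOL=*
    return parsed


def volume_matches(volser: str, spec: str) -> bool:
    """'DB2*' is a prefix (0-5 chars plus '*'); '*' alone matches all; else exact."""
    return volser.startswith(spec[:-1]) if spec.endswith("*") else volser == spec


def resolve(statements: list, volser: str) -> dict:
    """Two scans, as the text describes: first applicable master-key statement,
    then first applicable statement with other operands. First match wins."""
    applicable = [p for p in map(parse_statement, statements)
                  if any(volume_matches(volser, v) for v in p["VOL"])]
    result = {"MASTERKEY": None, "MASTERKEYID": None}
    for p in applicable:  # scan 1: master key (assumed to stop at the first hit)
        if any(k in p for k in KEY_OPERANDS):
            result.update({k: p.get(k) for k in KEY_OPERANDS})
            break
    for p in applicable:  # scan 2: options, skipping master-key-only statements
        options = {k: v for k, v in p.items() if k not in ("VOL", *KEY_OPERANDS)}
        if options:
            result.update(options)
            break
    return result
```

Reordering the two VOL= statements so that VOL=* comes first makes every volume resolve to TDES, which is the ordering mistake the text warns about.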

ENCRYPT statement required operands

VOL=

volspec

Specifies the volume serials of the DASD volumes whose backups are encrypted with the options specified on this statement. You can specify a single volume serial (up to six characters) or a VOLSER prefix (0-5 characters followed by an asterisk, for example, DB2*).

You can also combine these by enclosing the serials or prefixes in parentheses, for example

VOL=(ABC123,ABC234,XYZ456)

VOL=(ABC*,XYZ*,LMN234,CICS*)

A maximum of 255 volume serials or VOLSER prefixes can be specified. The list can be continued to the next input record by normal FDR rules, with a blank after any comma and continuing on the next line.

Default: VOL=*, which causes the statement to apply to all volumes.

Important

You cannot specify encryption parameters by SMS storage group at this time, even if you select volumes by STORGRP= in FDRABR.

ENCRYPT statement optional operands

MASTERKEY=

masterkey

Specifies the 16-byte (128-bit) AES master key to be used, in hex (exactly 32 hex digits, 0-9, A-F). A value of all zeros is invalid. See FDRCRYPT-Key-Management for an explanation of the master key.

MASTERKEYID=

suffix

Specifies the suffix of a security-system FACILITY class profile, from which the master key is obtained. The value of MASTERKEYID= is 1 to 8 alphanumeric characters, and it is appended to “FDRCRYPT.” to form the profile name. For example, MASTERKEYID=ABC looks for profile FDRCRYPT.ABC in class FACILITY in your security system. The master key is obtained from the “application data” field of that profile (see FDRCRYPT-Key-Management).

A default value can be saved in the FDR Global Options (option MASTERKEYID); this value is used if neither the MASTERKEYID= nor MASTERKEY= operand is specified.

Only VOL= can appear on an ENCRYPT statement with MASTERKEY= or MASTERKEYID=.

Warning

If neither MASTERKEY= nor MASTERKEYID= is specified, and there is no default MASTERKEYID in the option table, then no master key is used when encrypting backups in this step. If the actual key used for encrypting these backups is not available, there is no way to restore the backup.

Important

Since an FDRABR or FDRDRP full-volume restore may read incremental backups and a full-volume backup while restoring each DASD volume, it is necessary that all of those backups are done using the same master key, in case the master key is needed to do the restore. Although master keys can be changed at any time, for ABR volume backups it is important that they change only when full-volume backups are taken (the beginning of a new generation).

ENCRYPTTYPE=

Overrides the global encryption type specified by the ENCRYPTTYPE= operand on the DUMP or COPY statement (that defaults to CIPHER) for the backups of specific volumes. See the description of that operand earlier in this section for the meaning of the encryption types. Valid values are:

AES

AES128

Advanced Encryption Standard with 128-bit key (AES-128). On a processor with an enabled AES-128 encryption assist (such as an IBM z10 system), the assist is automatically used for AES-128 encryption; otherwise, the FDRCRYPT AES software is used.

AES192

Advanced Encryption Standard with 192-bit key (AES-192).

AES256

Advanced Encryption Standard with 256-bit key (AES-256).

BYPASS

Do not encrypt or compress the backup of the volumes specified by VOL=.

COMPRESS

Do not encrypt the backup of the volumes specified by VOL=, but do compress them.

TDES

Triple Data Encryption Standard. On a processor with an enabled TDES encryption assist (such as an IBM z114 or z196 system), the assist is automatically used for TDES encryption; otherwise, the FDRCRYPT TDES software is used. TDES is not recommended unless you have the assist.

COMPRESS=

BYPASS

Bypasses the FDR compression that is normally done on each backup block before it is encrypted. This is not recommended unless you know that the DASD data is already compressed or is naturally incompressible, since the overhead of the FDR compression routine increases with incompressible data.

Warning

If you use COMPRESS=BYPASS on data that is compressible, then the CPU overhead of the encryption algorithms increases, because more data must be encrypted.

AESKEY=

AK=

aeskey

Specifies the AES key to be used, if ENCRYPTTYPE=AES or AESxxx is in effect. The US government specifications for AES say that there are no weak keys in AES, but we recommend that you avoid repetitive strings or many duplicate characters.

Specify the key as hex digits (0-9, A-F).

For AES or AES128 – provide exactly 32 hex digits (128 bits).

For AES192 – provide exactly 48 hex digits (192 bits).

For AES256 – provide exactly 64 hex digits (256 bits).

The key must be specified on a single statement and cannot extend past column 71; if necessary, use the short operand form AK= and the short statement form of ENCRYPT (EC).

If omitted or a key of all zeros is specified, a key is randomly generated by FDRCRYPT.

Tip

We recommend that you omit AESKEY= and let FDRCRYPT generate the AES key only if a master key was specified. If no master key is in effect, specify the AES key to be used.

DESKEY=

DK=

tdeskey

Specifies the TDES key to be used, if ENCRYPTTYPE=TDES is in effect.

Specify the key as exactly 48 hex digits (0-9, A-F), which is 192 bits. The key must be specified on a single statement and cannot extend past column 71; if necessary, use the short operand form DK= and the short statement form of ENCRYPT (EC).

If omitted or a key of all zeros is specified, a key is randomly generated by FDRCRYPT.

Tip

We recommend that you omit DESKEY= and let FDRCRYPT generate the TDES key only if a master key was specified. If no master key is in effect, specify the TDES key to be used.
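As an added example covering the AESKEY= and DESKEY= rules above (not FDRCRYPT's own code), this Python checks a key against the length required by each ENCRYPTTYPE, treats an omitted or all-zero key as a request for a generated key, warns when that happens without a master key in effect, and picks the short EC/AK=/DK= form when the long form would run past column 71. The random key uses secrets.token_hex as a stand-in for FDRCRYPT's generator, and the repetitive-key check is a crude heuristic of this example, not FDR's.

```python
import re
import secrets

HEX = re.compile(r"^[0-9A-F]+$")
# Hex digits required in the data key for each ENCRYPTTYPE value on the page.
KEY_DIGITS = {"AES": 32, "AES128": 32, "AES192": 48, "AES256": 64, "TDES": 48}


def check_master_key(masterkey: str) -> str:
    """MASTERKEY= is exactly 32 hex digits (128 bits) and may not be all zeros."""
    if len(masterkey) != 32 or not HEX.match(masterkey):
        raise ValueError("MASTERKEY= must be exactly 32 hex digits (0-9, A-F)")
    if masterkey.strip("0") == "":
        raise ValueError("a MASTERKEY= of all zeros is invalid")
    return masterkey


def check_data_key(encrypttype: str, key: str, master_key_in_effect: bool) -> tuple:
    """Validate AESKEY=/DESKEY= for the given ENCRYPTTYPE; return (key, warnings).
    An omitted ('') or all-zero key is replaced by a random one; secrets.token_hex
    stands in here for FDRCRYPT's own generator (an assumption of this example)."""
    digits = KEY_DIGITS[encrypttype]
    operand = "DESKEY" if encrypttype == "TDES" else "AESKEY"
    warnings = []
    if key.strip("0") == "":
        if not master_key_in_effect:
            warnings.append(f"no master key in effect: specify {operand}= yourself")
        return secrets.token_hex(digits // 2).upper(), warnings
    if len(key) != digits or not HEX.match(key):
        raise ValueError(f"{operand}= for {encrypttype} must be exactly {digits} hex digits")
    if len(set(key)) <= 2:  # crude check for the repetitive strings the text warns against
        warnings.append(f"{operand}= is highly repetitive; choose a less predictable key")
    return key, warnings


def statement_for_key(operand: str, key: str) -> str:
    """A key must sit on one statement and not extend past column 71: fall back
    to the short forms (EC, AK=/DK=) when the long form would overflow."""
    long_form = f"ENCRYPT {operand}={key}"
    if len(long_form) <= 71:
        return long_form
    short_form = f"EC {'AK' if operand == 'AESKEY' else 'DK'}={key}"
    if len(short_form) > 71:
        raise ValueError("key does not fit on one statement even in short form")
    return short_form
```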

PRINTKEY=

Controls whether the AES or TDES key used for each backup is displayed in the FDR listing:

NO

Keys are not displayed.

YES

Keys are displayed, allowing the printed listing to serve as a backup for the Encryption Keyfile.

Master keys are never displayed.

Default: YES

BMC Compuware FDR 5.04