FDRCAMS DECRYPT Statement
DECRYPT statement
DECRYPT statements are used to decrypt the sequential input to a REPRO function under FDRCAMS. They are accepted only from the FDRCRYPT DD statement, but they appear in the FDRCAMS SYSPRINT listings as if they were control statements read from SYSIN. However, all key values are obscured before the statements are printed.
DECRYPT statement syntax
| DECRYPT\|DC | INFILE=ddn\|INDATASET=dsn |
|---|---|
| | ,AESKEY=aeskey |
| | ,MASTERKEY=masterkey |
On each DECRYPT statement, the INFILE= or INDATASET= operand specifies which IDCAMS REPRO functions are affected by this statement; REPRO statements with matching input ddnames or data set names are decrypted. For example,
FDRCAMS determines the encryption type used for each encrypted file read. If you are providing the decryption keys on DECRYPT statements (instead of getting them from an Encryption Keyfile), you must specify the proper type of key matching each input file. Alternatively, you can specify the master key or the PKA private key if they were used during the encryption; either of these allows the actual encryption key to be recovered and used for decryption.
If a DECRYPT statement with MASTERKEY= is specified and INFILE= or INDATASET= matches the encrypted input data set, then that master key is used, and any actual key specified for the same input file (or taken from the Encryption Keyfile) is ignored. In other words, the master key is always used if specified, ignoring other keys. Likewise, if a PRIVATEKEY statement is provided for an RSA private key, it is used for all encrypted input files, ignoring other keys.
DECRYPT statement operands
INDATASET=
dsn
Specifies the input data set name for a REPRO whose sequential input file was encrypted and must be decrypted when the REPRO statement specifies the INDATASET(dsn) operand.
Either one of the INFILE= or INDATASET= operands must be specified, and it must match the operand specified on the matching REPRO statement.
In other words, if a REPRO statement specifies INFILE(INPUT), then the DECRYPT statement must specify INFILE=INPUT. Likewise, if the REPRO specifies INDATASET(dsn), the DECRYPT statement must specify INDATASET=dsn.
INFILE=
ddn
Specifies the input ddname for a REPRO whose sequential input file was encrypted and must be decrypted when the REPRO statement specifies the INFILE(ddn) operand.
Either one of the INFILE= or INDATASET= operands must be specified, and it must match the operand specified on the matching REPRO statement.
In other words, if a REPRO statement specifies INFILE(INPUT), then the DECRYPT statement must specify INFILE=INPUT. Likewise, if the REPRO specifies INDATASET(dsn), the DECRYPT statement must specify INDATASET=dsn.
MASTERKEY=
masterkey
Specifies the 16-byte (128-bit) AES master key to be used, in hex (exactly 32 hex digits, 0-9, A-F). This can only be used if a master key was used for the file being decrypted. See FDRCRYPT-Key-Management for an explanation of the master key. Do not specify the master key if a current Encryption Keyfile is available.
AESKEY=
AK=
aeskey
Specifies the AES key to be used, if the encrypted file was created with ENCRYPTTYPE=AES or AESxxx.
Specify the key as hex digits (0-9, A-F).
For AES or AESxxx – provide exactly 32 hex digits (128 bits).
For AES192 – provide exactly 48 hex digits (192 bits).
For AES256 – provide exactly 64 hex digits (256 bits).
The key must be specified on a single statement and cannot extend past column 71; if necessary, use the short operand form AK= and the short statement form of DECRYPT (DC).
There is no need to specify AESKEY if a current Encryption Keyfile is available. AESKEY is ignored if MASTERKEY= is specified.
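A pre-submission check for the key rules described above, as an added example that is not part of the FDR product or its documentation: it verifies the hex-digit counts for AESKEY= and MASTERKEY=, the column-71 limit, and the MASTERKEY-over-AESKEY precedence, and masks key values for logging. The function names, the way records are joined into one statement, and the rejection of lowercase hex digits are assumptions made for this example.

```python
import re

# Hex-digit counts stated on the page for each key operand.
AES_HEX_LENGTHS = {32, 48, 64}   # AES (128-bit), AES192, AES256
MASTER_HEX_LENGTH = 32           # 16-byte master key
MAX_COLUMN = 71                  # a key may not extend past this column
KEY_RE = re.compile(r"\b(AESKEY|AK|MASTERKEY)=([^,\s]*)")

def mask_keys(record):
    """Hide key values before a statement is logged or pasted into a ticket."""
    return KEY_RE.sub(lambda m: m.group(1) + "=********", record)

def lint_decrypt(records):
    """Return a list of problems for one DECRYPT statement given as input records."""
    # Assumption: operands are comma-separated NAME=value pairs, and a statement
    # spread over several records can be read by joining the trimmed records.
    text = "".join(r.strip() for r in records)
    verb, _, rest = text.partition(" ")
    if verb not in ("DECRYPT", "DC"):
        return ["not a DECRYPT/DC statement"]
    ops = dict(p.strip().partition("=")[::2] for p in rest.split(",") if p.strip())
    problems = []
    if ("INFILE" in ops) == ("INDATASET" in ops):
        problems.append("specify one of INFILE= or INDATASET=")
    aes = ops.get("AESKEY", ops.get("AK"))
    master = ops.get("MASTERKEY")
    for name, value, allowed in (("AESKEY", aes, AES_HEX_LENGTHS),
                                 ("MASTERKEY", master, {MASTER_HEX_LENGTH})):
        if value is None:
            continue
        # Strict reading of "0-9, A-F": lowercase digits are reported too.
        if not re.fullmatch(r"[0-9A-F]*", value):
            problems.append(f"{name}: only hex digits 0-9, A-F are allowed")
        if len(value) not in allowed:
            problems.append(f"{name}: {len(value)} hex digits, expected {sorted(allowed)}")
    for record in records:
        for m in KEY_RE.finditer(record):
            # m.end() is the 1-based column of the key's last character.
            if m.end() > MAX_COLUMN:
                problems.append(f"{m.group(1)}: key extends past column {MAX_COLUMN}")
    if aes is not None and master is not None:
        problems.append("AESKEY is ignored because MASTERKEY= is specified")
    return problems
```

A 64-digit AES256 key leaves only seven columns for everything else on its record, which is where the short AK= form matters.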