FDRCRYPT Encryption Keyfile Backup and Restore


In order to use the FDRCRYPT Encryption Keyfile for restores off-site, such as at a disaster recovery site, you must securely transport a current copy of the Encryption Keyfile to that site. This must be a copy taken after all of the daily backups are complete, so that it contains the keys used for those backups.

One way to do so is to use FDRDSF to back up and restore the Encryption Keyfile, using AES encryption for that backup. The AES encryption key should be different from that used for other backups; this key must be securely transmitted to the restore site, perhaps by secure e-mail, in order to restore the Encryption Keyfile. You can electronically transmit the backup listing to the restore site, by secure e-mail or FTP, especially if you let FDRCRYPT generate the keys.

If the backup itself is put onto a tape, transport this tape to the restore site separately from the regular encrypted backups. If you put it on DASD, the backup can be electronically transmitted to the restore site, by secure e-mail or FTP.

Important

Although the names of the Encryption Keyfile and its backups in these examples contain the word “KEYFILE” for clarity, we recommend that for additional security the actual names used in your installation do not identify these as FDRCRYPT Encryption Keyfiles.

All examples in this section are found in the JCL library installed with FDR. The member names are EX7123x.

Backup the encryption Keyfile to tape example

This backs up the FDRCRYPT Encryption Keyfile to two tapes, encrypted with an AES 128-bit key generated by FDRCRYPT. A master key, stored in security profile FACILITY/FDRCRYPT.KEYFILE, is also used. Send one or both of these backups to the recovery site, separately from the other backups.

//DUMPKEY  EXEC PGM=FDRDSF,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//DISK1    DD DSN=FDRCRYPT.KEYFILE,DISP=OLD
//TAPE1    DD DSN=BACKUP1.KEYFILE1(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//TAPE11   DD DSN=BACKUP2.KEYFILE2(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//SYSIN    DD *
    DUMP TYPE=DSF,ENCRYPT=ALL,ENCRYPTTYPE=AES
    SELECT DSN=FDRCRYPT.KEYFILE
/*
//FDRCRYPT DD *
    KEYFILE DSN=FDRCRYPT.KEYFILE
    ENCRYPT MASTERKEYID=KEYFILE
/*

Backup the encryption Keyfile to DASD example

This backs up the FDRCRYPT Encryption Keyfile to a DASD data set, encrypted with an AES 128-bit key. Since FDR backups on DASD do not contain records greater than 32760 bytes in length, this backup can be sent to the recovery site electronically, either via secure e-mail or FTP.

//DUMPKEY  EXEC PGM=FDRDSF,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//DISK1    DD DSN=FDRCRYPT.KEYFILE,DISP=OLD
//TAPE1    DD DSN=BACKUP1.KEYFILE1(+1),DISP=(,CATLG),
//            UNIT=SYSALLDA,SPACE=(CYL,(50,5),RLSE)
//SYSIN    DD *
    DUMP TYPE=DSF,ENCRYPT=ALL,ENCRYPTTYPE=AES
    SELECT DSN=FDRCRYPT.KEYFILE
/*
//FDRCRYPT DD DSN=FDRCRYPT.KEYFILE.OPTIONS,DISP=SHR

Data set “FDRCRYPT.KEYFILE.OPTIONS” contains these statements:

    KEYFILE DSN=FDRCRYPT.KEYFILE
    ENCRYPT AESKEY=2C447C0A34012947FDEAE71442373F68

Restore the encryption Keyfile at the recovery site example

This restores the FDRCRYPT Encryption Keyfile to DASD, providing the 128-bit AES key used during backup. If the backup file is not cataloged, then UNIT and VOL parameters must be provided. NVOL= specifies the volume to which it is restored. DSN=NULLFILE is specified on the KEYFILE statement because the Encryption Keyfile does not yet exist.

Important

If you are restoring on a starter system at the recovery site, you probably want to restore the Encryption Keyfile to a volume belonging to the starter system. Once the backup of the volume where the Encryption Keyfile normally resides is restored, run the restore again to update the copy on that volume with the current keys.

//RESTKEY  EXEC PGM=FDRDSF,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//TAPE1    DD DSN=BACKUP1.KEYFILE1(0),DISP=OLD
//FDRCRYPT DD *
    KEYFILE DSN=NULLFILE
    DECRYPT AESKEY=2C447C0A34012947FDEAE71442373F68
/*
//SYSIN    DD *
    RESTORE TYPE=DSF
    SELECT DSN=FDRCRYPT.KEYFILE,NVOL=vol
/*

Erasing the encryption Keyfile at the recovery site example

This FDRCRYFM job overwrites and reformats the Encryption Keyfile when you leave the recovery site, to ensure that your keys are not compromised by the next user of the site.

//FORMAT   EXEC PGM=FDRCRYFM,REGION=0M
//* WARNING: THIS JOB ERASES ALL SAVED ENCRYPTION
//* KEYS IN THIS Encryption Keyfile
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=FDRABR.KEYFILE,DISP=(OLD,DELETE)
//SYSIN    DD *
    FORMAT RECS=1,ENABLE=ERASE
/*
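
The following is an added example, not part of the FDR documentation or its JCL library: a Python pre-flight check that scans a job adapted from these examples for the points made above, namely an AESKEY that is still the sample key printed on this page, an AESKEY shared with other backups, and data set names that identify the Encryption Keyfile. The function name, the finding texts and the sample job are constructed for illustration, and the check assumes 128-bit keys written as 32 hex digits, as in the examples on this page.

```python
import re

# Sample key printed in this page's examples: public, so never valid for real use.
DOC_SAMPLE_KEY = "2C447C0A34012947FDEAE71442373F68"
# Words the page advises keeping out of real data set names.
REVEALING = ("KEYFILE", "FDRCRYPT")

def audit_keyfile_jcl(jcl, other_backup_keys=()):
    """Return sorted (line_no, finding) pairs for one job's JCL and control statements."""
    others = {k.upper() for k in other_backup_keys}
    findings = set()
    for no, line in enumerate(jcl.splitlines(), 1):
        if line.startswith("//*"):  # JCL comment statement, nothing to check
            continue
        for key in re.findall(r"\bAESKEY=([^\s,]*)", line, re.I):
            key = key.upper()
            if not re.fullmatch(r"[0-9A-F]{32}", key):
                findings.add((no, "AESKEY is not 32 hex digits (128 bits)"))
            elif key == DOC_SAMPLE_KEY:
                findings.add((no, "AESKEY is the published sample key"))
            elif key in others:
                findings.add((no, "AESKEY is also used for other backups"))
        for dsn in re.findall(r"\bDSN=([A-Z0-9$#@.-]+)", line, re.I):
            if any(word in dsn.upper() for word in REVEALING):
                findings.add((no, f"data set name {dsn} reveals its purpose"))
    return sorted(findings)

# Constructed sample job, modelled on the restore example above.
# PROD.DR.CTLDATA is a made-up neutral data set name.
SAMPLE_JCL = """\
//RESTKEY  EXEC PGM=FDRDSF,REGION=0M
//* RESTORE THE KEYFILE
//TAPE1    DD DSN=BACKUP1.KEYFILE1(0),DISP=OLD
//FDRCRYPT DD *
    KEYFILE DSN=NULLFILE
    DECRYPT AESKEY=2C447C0A34012947FDEAE71442373F68
/*
//SYSIN    DD *
    RESTORE TYPE=DSF
    SELECT DSN=PROD.DR.CTLDATA,NVOL=vol
/*
"""

if __name__ == "__main__":
    for no, finding in audit_keyfile_jcl(SAMPLE_JCL):
        print(f"line {no}: {finding}")
```
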

 


BMC Compuware FDR 5.04