UPSTREAM Data Encryption
Overview
UPSTREAM incorporates an additional-cost data encryption component that allows encryption of secondary copies of backup data sets intended for off-site transport and storage. These secondary copies are created using USTVAULT (Copying Backups with USTVAULT). The original “copy-1” backup cannot be encrypted.
You can choose from among three different encryption algorithms, as described below in Encryption Algorithms. Each algorithm is driven by an encryption key, which may be user-specified or randomly generated for each backup, allowing a unique encryption key for each. Random encryption key generation is the recommended method.
In order to restore the data from an encrypted copy of a backup, you must have the encryption key available that was used by USTVAULT to create the encrypted copy. Although you can record encryption keys manually, this is not recommended as it weakens the security of the encryption process. Instead, UPSTREAM stores the encryption keys in a special key file on disk. Whenever a restore from an encrypted backup is requested, the key file is automatically read by UPSTREAM to obtain the appropriate key. For off-site restores, such as a disaster recovery, this key file must be securely transported to the restore site. Alternatively, the keys can be manually supplied during the restore process.
UPSTREAM's encryption component also supports an optional master key, which is used to create an encrypted copy of the actual key used to encrypt the data. This encrypted key is then saved with the encrypted copy of the backup. The master key can then be used to decrypt any encrypted copy of a backup, in the event that the actual keys (or the key file) are not available.
For additional security, the vault control data set created by USTVAULT, which is written to the end of a USTVAULT-created tape, can also be encrypted. The vault control data set is only encrypted if at least one of the backups being copied by USTVAULT is also encrypted.
The sections from Enabling and Configuring Data Encryption through UPSTREAM Data Encryption Recommendations describe the steps required to enable and configure UPSTREAM encryption, ending with a summary of recommendations.
Encryption Algorithms
UPSTREAM's data encryption component offers the following encryption algorithms, all of which are “symmetric”, meaning that the same key is used to encrypt and decrypt the data.
All of the encryption algorithms described below are implemented in software and do not depend on any installed encryption hardware or assist. However, UPSTREAM encryption can use the AES-128 hardware assist on IBM z9-109 processors (and their successors) and the TDES hardware assist on z890, z990, and z9-109 processors (and their successors), if enabled.
UPSTREAM encryption does not use IBM ICSF encryption software for any of the algorithms. This ensures that your data can be decrypted at any disaster site, with any processor type and any z/OS operating system.
When creating copies of your original “copy-1” backups with USTVAULT, you may choose to do no encryption or any one of the 3 algorithms described below. Your eventual choice of encryption method depends on the sensitivity of the data, balanced with the additional CPU required for each strength of encryption, as outlined in the CPU Usage and Strength summaries at the end of each sub-section below.
AES
AES stands for Advanced Encryption Standard, which was adopted by the National Institute of Standards and Technology (NIST, a division of the US Commerce Department) in 2002, after an international competition among proposed algorithms. AES is also known as “Rijndael” after its two inventors. The AES algorithm is described in US government publication FIPS 197, and is now the official US government standard for encryption, replacing the previous DES, which was officially de-certified for US government encryption in May 2005.
UPSTREAM's encryption component supports three implementations of AES:
- AES-128 (128-bit key)
- AES-192 (192-bit key)
- AES-256 (256-bit key)
AES is an extremely secure, mathematically based, encryption algorithm. It performs repetitive transformations of the data (called “rounds”) using various applications of the key and other manipulations (including forms of substitution and transposition), to produce an encrypted version of the data that is almost impossible to decipher without the key. The algorithm is coded entirely within UPSTREAM encryption modules.
The number of rounds varies by the key length:
Key Length (bits) | Rounds |
---|---|
128 | 10 |
192 | 12 |
256 | 14 |
IBM introduced a hardware assist (CPACF) for AES-128 on the z9-109 processor (and its successors). If this assist is enabled on your processor, UPSTREAM uses it for encryption and decryption when ENCRYPTTYPE=AES is specified. The assist does not support AES-192 or AES-256, which are implemented only in UPSTREAM encryption.
The AES-128 results produced by UPSTREAM encryption and the IBM hardware assist are identical, so you can encrypt with the hardware assist and restore (and decrypt) on a system without the assist, and vice versa.
CPU Usage
The CPU overhead increases in proportion to the number of rounds. For example, AES-192 requires 20-25% more CPU than AES-128, and AES-256 requires 40-50% more CPU than AES-128. We have made every effort to make the AES code as efficient as possible, and we believe that we are faster than most AES implementations. Utilization of the hardware assists described above also reduces CPU requirements and is recommended where available.
Strength
AES is a very strong form of encryption with no weak or semi-weak keys. Because of the increased CPU overhead of the longer keys, AES-128 should be used whenever AES encryption is needed, unless regulations require that you use AES-192 or AES-256 (such as for Secret or CA Top Secret requirements).
Cipher Block Chaining
All five of the encryption algorithms described above use a variation of “cipher block chaining”, a technique whereby the encryption of each section of data within an encrypted block uses the results of the encryption of the previous section as part of its encryption algorithm. This increases the strength of all the algorithms.
With cipher block chaining, an attacker must find the beginning of a cipher block chain before attempting a brute force attack on the encryption. This reduces the likelihood of recognizable plain text appearing when applying a key during such an attack.
Compression And Encryption
Encryption defeats the hardware compression used on most tape drives, since the encrypted data is usually not compressible. This means that encrypted copies of UPSTREAM backups could occupy 2-3 times more tape than the original unencrypted backup, as compression of encrypted data may actually increase the backup size.
However, if the data is compressed by UPSTREAM during the initial backup process (i.e. when the original “copy-1” backup is created), this reduces the amount of backup data and saves tape, not only on the original backup, but also on any resultant encrypted copy of that backup. Compression also reduces the amount of data that must be encrypted, therefore reducing CPU usage. It also increases the variety of byte values in the data, which enhances the strength of the encryption.
During the initial backup process, it is important to choose the highest level of data compression, keeping in mind that compression adds its own CPU overhead on the client side of the backup process.
UPSTREAM automatically turns off tape hardware compression for an encrypted copy of a backup.
UPSTREAM Encryption Key Management
The foundation of secure encryption is the security of the encryption keys used. Since the UPSTREAM encryption algorithms described above are all symmetric (the same key is used for both encryption and decryption), it is essential that the keys be kept secure so that if an unauthorized person accesses your encrypted files, they do not also have access to the keys required to decrypt them. UPSTREAM uses a variety of methods to ensure key security, as described in the following sub-sections:
- The UPSTREAM Encryption Key File
- Disaster Recovery Considerations
Key Generation
Although you can specify the key to be used for each USTVAULT operation on a particular backup profile name, UPSTREAM's encryption component contains code to randomly generate encryption keys for you. This code is driven by the system hardware TOD clock and other system variables, using a BMC-written algorithm that provides truly random keys.
UPSTREAM does not use “pseudo” random number generators, as the “seed” used to start the sequence (often only 4 bytes) does not provide sufficient unique combinations for our needs, especially for AES keys. For example, a 4-byte seed can only generate 4.2 billion sequences, whereas a 16-byte generated key can have 256^16 (3.4 × 10^38) values.
When random keys are requested, a different key is generated for each encrypted copy of a backup, making it much more difficult for an unauthorized person to access your data. Even if the key of one file is determined by some sort of attack, the attack must be repeated for the next file, and the next, etc. For this reason, we recommend that you allow UPSTREAM to generate random encryption keys for you.
Key Validation
For validation purposes, UPSTREAM stores a value derived from the actual key used to encrypt a backup (similar to a checksum), in the copy of the backup itself. This value is encrypted using the actual key as an AES key.
At the beginning of a USTREGEN on an encrypted copy of a backup, or during a restore from an encrypted copy of a backup, UPSTREAM decrypts this value using the decryption key and fails the process if the decrypted value is not as expected. Although this test is not infallible, it usually detects a USTREGEN or restore request with an improper key. The actual decryption key cannot itself be derived from this value.
The UPSTREAM Encryption Key File
Since many different encryption keys may be used for various encrypted copies of your backups, it is not practical (nor secure) to require you to constantly enter the key in order to read an encrypted backup. UPSTREAM solves this by storing all the encryption keys used by USTVAULT in a special disk-based key file.
Whenever an encrypted copy of a backup is created by USTVAULT, the encryption key used is recorded in the key file. The data is not stored in the clear, so a simple browse or print of the key file does not disclose any encryption keys.
When an encrypted copy of a backup is processed by USTREGEN, or when it is used for a restore, the key file is automatically read by UPSTREAM to get the encryption key required to decrypt the file. If you provide the actual key (or the master key - see below) on a DECRYPT statement, the key file is opened but not read.
To maintain security of your encryption, the key file must be protected by a data set profile in your security system, as described in z/OS Initiated RUN JOB Functions with SECLVL=2. Only those userids that have a need to create, back up, or restore the key file should be given authority to access it. READ authority is required to back up the key file, UPDATE is required to restore it, and ALTER is required to create it. All other users should have no authority to the key file.
Under IBM RACF, UPSTREAM itself is able to read and write to the key file, and does not require security access to it. Any UPSTREAM user who can create or restore from an encrypted copy of a backup can use the key file, but only under UPSTREAM. They cannot, for example, browse, update, or copy the key file externally.
Under other security systems, UPSTREAM users may need to be given UPDATE authority to the key file for encryption and READ authority for decryption.
The key file is created and maintained by the USTCRYFM utility (see Creating the UPSTREAM Encryption Key File (USTCRYFM)).
The z/OS data set name of the key file may be specified in one of two places:
- Via the KEYFILE keyword in the USTCRYPT DD statement input data set - see Add an USTCRYPT DD Statement to the Startup PROC.
- In the USTOPT option table module - see Setting the UPSTREAM Encryption Options
The second option is recommended, unless you are running multiple instances of UPSTREAM and you wish to have separate key files for each one.
See Disaster Recovery Considerations for notes on handling the key file in a disaster recovery.
Master Keys
In addition to the encryption keys described in Key Generation, UPSTREAM encryption also supports one or more optional “master” keys, which can be used to create an encrypted copy of the actual encryption key used to encrypt the data. This AES192-encrypted key is then saved on the USTVAULT-encrypted output, together with the encrypted copy of the backup.
During a USTREGEN operation on an encrypted backup, or during a restore from an encrypted backup, the master key can be provided, and is used to decrypt the actual key stored in the file, which itself is then used to decrypt the backup.
So, in the event that the actual key (or the key file itself) is not available during the USTREGEN or RESTORE operation, the master key can be used to allow the data to still be decrypted.
The UPSTREAM master key facility is enabled via the MASTERKEYID=keyname keyword, which can be specified via either:
- The USTCRYPT DD statement in the UPSTREAM startup PROC (Add an USTCRYPT DD Statement to the Startup PROC)
- The UPSTREAM USTOPT options table (Setting the UPSTREAM Encryption Options).
The actual master key itself (or keys - you can use more than one) may be specified in one of two places:
- By the MASTERKEY keyword on an ENCRYPT statement in the USTCRYPT DD statement in the UPSTREAM startup PROC (ENCRYPT Statement).
- Within a special FACILITY class (or equivalent) profile in your security system, which is then pointed to by the MASTERKEYID keyword on an ENCRYPT statement in the USTCRYPT DD statement in the UPSTREAM startup PROC (ENCRYPT Statement).
Of the two options above, we recommend the second, so that only individuals authorized through your security system can view or update the master key. As the master key is “the key to the kingdom” it is essential that:
- The master key is kept extremely secure and known only to a few trusted individuals.
- Easily remembered keys are avoided, as are repetitive strings and duplicated characters. This also applies to other user-specified encryption keys.
- Access to the master keys, either in printed form or in the security system FACILITY profile, is limited to a small number of trusted individuals.
- Any printed copies of master keys are stored securely, such as in a bank safe-deposit box.
To enhance security, you may wish to periodically change master keys; perhaps once a month or once a quarter. However, if you change your master key, remember that encrypted copies of backups that were created before the change in master key require the previous master key if you plan to restore via master key. If you periodically change master keys, the dates of those changes and the actual master keys used should be retained in a secure location.
Disaster Recovery Considerations
You need to pay special attention to the handling of the UPSTREAM encryption key file during a disaster recovery (test or real). In order to recover from encrypted copies of your backups at a DR site:
You must first transport a current copy of the key file to the recovery site:
- If the backup of the key file is on tape, you should transport it to the recovery site separately from the backups themselves. If the backup of the key file is on disk, you may be able to transmit it to the recovery site with e-mail or FTP. Once at the recovery site, you need to restore the backup of the key file, using its own unique key, before you can restore any other backups recorded in it.
- Alternatively, if you have a mechanism for securely transporting the key file directly to the recovery site, such as encrypted FTP, you can use this mechanism, but make sure that the FTP encryption is a strong algorithm, such as AES192 or above.
- Remember that if you restore the volume containing the key file as part of your recovery, this may restore a back-level version of that file, so you need to restore the key file backup again after restoring that volume to bring it up-to-date.
- Once you have the key file restored, you can run USTREGEN (see Updating the Repository) against your encrypted copies of your backups, before subsequently restoring them in the normal way, using the appropriate encryption keys extracted from the restored key file.
- If the key file is not available, or cannot be restored for any reason (or is not up to date), you can use the optional master keys to restore the backups, but only if master keys were specified during the backup process.
- If used, master keys should be stored in a secure location (such as a safe-deposit box) that can be accessed only if the key file is not available.
When you leave the disaster site, you want to be sure that all information related to your encrypted backups has been securely deleted. If you leave behind copies of your key file or your security system database containing master keys, subsequent users of the same disks may be able to access your keys, putting your backups at risk. Using z/OS commands or programs to delete the UPSTREAM key file and related security data may not fully delete the data. An ICKDSF minimal INIT, for example, does not erase any data at all, and an ICKDSF medial INIT is very slow. As an alternative, the FORMAT command of the USTCRYFM utility (Creating the UPSTREAM Encryption Key File (USTCRYFM)) can be used to overwrite an existing UPSTREAM key file and then delete it, as in the following JCL:
//* WARNING: THIS JOB ERASES ALL SAVED ENCRYPTION
//* KEYS IN THIS KEY FILE
//FORMAT EXEC PGM=USTCRYFM
//STEPLIB DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT DD DSN=upstream.keyfile,DISP=(OLD,DELETE)
//SYSIN DD *
FORMAT RECS=1,ENABLE=ERASE
/*
If you restored a copy of the key file to a disk volume belonging to the DR site's starter system, you should also remember to erase that copy of the key file as well. You may want to do that while still running under the starter system, i.e. before IPLing your own system. On a wider scale, you should consider using a product such as BMC's FDRERASE to quickly and securely erase all of the z/OS disks that were used at the disaster site.
Enabling and Configuring Data Encryption
Numerous steps are required in order to enable and configure UPSTREAM data encryption. Those steps are summarized here, and are then described in more detail in the indicated sections that follow:
- Add an USTCRYPT DD Statement to the Startup PROC
- Setting the UPSTREAM Encryption Options
- Configure the USTVAULT Profiles
- Creating the UPSTREAM Encryption Key File (USTCRYFM)
- UPSTREAM Data Encryption Recommendations
Add an USTCRYPT DD Statement to the Startup PROC
As described in Define the UPSTREAM Started Task PROC, UPSTREAM's z/OS startup PROC contains various DD statements that control the operation of UPSTREAM. If you are licensed for UPSTREAM's data encryption feature, you enable this option by adding an USTCRYPT DD statement to the startup PROC.
Having added the USTCRYPT DD statement to the startup PROC, you see the following message in the USTLOG when UPSTREAM starts:
Here is an example of an UPSTREAM startup PROC with a USTCRYPT DD.
//MAIN EXEC PGM=USTMAIN,DYNAMNBR=100,REGION=0M,TIME=1440
//STEPLIB DD DSN=upstream.loadlib,DISP=SHR
//USTLOG DD SYSOUT=&OUT
//USTLOG2 DD SYSOUT=&OUT
//USTCRYPT DD DSN=upstream.ustcrypt.file(member),DISP=SHR
/*
USTCRYPT DD Control Statements
The sequential file or PDS member named on the USTCRYPT DD statement can contain several statements that control certain aspects of the UPSTREAM encryption feature. A brief summary of the statements is shown below, which is then followed (in the indicated sub-sections) by the full details of those statements, together with their respective operands.
KEYFILE
(KEYFILE Statement) The KEYFILE statement specifies the data set name (and optionally the volume serial) of the UPSTREAM key file. This statement should always be the first statement in the USTCRYPT DD statement input.
ENCRYPT
(ENCRYPT Statement) One or more ENCRYPT statements can be specified in the USTCRYPT DD statement input, and it can be used for several purposes:
- With the PROFILE= operand, it can control the encryption algorithm (and optionally the encryption key) to be employed by USTVAULT when it is copying the backups belonging to a specified backup profile or profiles.
- With the MASTERKEY= operand, it can supply a master key to be used by USTVAULT when encrypting copies of backups.
- With the MASTERKEYID= operand, it can specify the suffix of a FACILITY class profile in your security system from which the master key is obtained.
DECRYPT
(DECRYPT Statement) DECRYPT statements are optionally used to supply encryption keys when running a USTREGEN against an encrypted copy of a backup, or when running an actual restore from an encrypted copy of a backup.
KEYFILE Statement
The KEYFILE statement, if present, must be the first statement in the USTCRYPT DD statement input, and specifies the data set name (and optionally the volume serial) of the UPSTREAM key file.
To ensure the most secure encryption possible, we recommend that you specify the name of the UPSTREAM key file via USTOPT (Setting the UPSTREAM Encryption Options) so that the key file name is hidden from general view.
KEYFILE Statement Syntax
KEYFILE DSN=keyfiledsname [,VOL=volser]
KEYFILE Statement Operands
DSN=
The fully qualified data set name of the UPSTREAM key file that is used by USTVAULT, USTREGEN, and by UPSTREAM itself on restores from encrypted copies of backups.
Default: None; this statement is required.
VOL=
The volume serial of the key file named by the DSN= operand, if it is not cataloged.
Default: The volser is obtained from the system catalog.
ENCRYPT Statement
An ENCRYPT statement (with PROFILE=) can be used to control the encryption algorithm (and optionally the encryption key) that is to be employed by USTVAULT when it is copying the backups belonging to a specified backup profile or profiles.
If the PROFILE= operand is omitted, the encryption level to be used, if any, is taken from the backup profile definition (Backup Profiles), which is the recommended way of specifying the encryption algorithm to be used.
A separate ENCRYPT statement (with MASTERKEY=) can be used to directly supply the master key(s) to be used by USTVAULT. We recommend, however, that you use the separate MASTERKEYID= operand to specify the suffix of a FACILITY class profile in your security system, from which the master key(s) is/are obtained (UPSTREAM Data Encryption).
You can have two ENCRYPT statements that apply to the same profile name or prefix; one with a master key specification, and the second with the other encryption operands. For example:
ENCRYPT MASTERKEY=6242A2902565FFC58140E2DD02990034
ENCRYPT PROFILE=SERVER1,ENCRYPTTYPE=AESFAST
ENCRYPT PROFILE=SERVER2, ENCRYPTTYPE=AES256
In the above example, the ENCRYPT MASTERKEY= statement is providing the master key value to be used for all USTVAULT encryption. The other two statements are scanned in order, so AESFAST encryption is to be used for USTVAULT runs against the backups belonging to profile SERVER1, while AES256 encryption is used when creating encrypted copies of SERVER2's backups.
ENCRYPT Statement Syntax
ENCRYPT [PROFILE=profilename] [,MASTERKEY=masterkey] [,MASTERKEYID=keyname] [,ENCRYPTTYPE=type] [,AESKEY=aeskey] [,PRINTKEY=YES|NO]
ENCRYPT Statement Operands
PROFILE=
Specifies the backup profile name that was used to create the initial “copy1” backup that is copied and encrypted by USTVAULT. You can specify a single profile name or a profile prefix value followed by an asterisk, e.g., SERV*.
Default: PROFILE=*, which causes the ENCRYPT statement to apply to all USTVAULT operations against all backup profiles.
MASTERKEY=
Specifies the 16-byte (128-bit) AES master key to be used, in hex (exactly 32 hex digits, 0-9, A-F). A value of all zeros is invalid.
See Master Keys for a full discussion on the use of UPSTREAM master keys.
MASTERKEYID=
Specifies the suffix of a security system FACILITY class profile, from which the master key is obtained (UPSTREAM Data Encryption).
The value of MASTERKEYID= is 1 to 8 alphanumeric characters, and it is appended to “USTCRYPT.” to form the profile name.
For example, MASTERKEYID=ABC looks for profile USTCRYPT.ABC in class FACILITY in your security system. The master key is obtained from the “application data” field of that profile.
If neither MASTERKEYID= nor MASTERKEY= are specified, then no master key is used when USTVAULT encrypts copies of your backups. If the actual key used for the encryption (or the key file) is not available, there is no way to restore from these encrypted copies of your backups.
ENCRYPTTYPE=
Specifies the encryption algorithm to be used by USTVAULT; see Encryption Algorithms for a full description of the various encryption algorithms supported by UPSTREAM.
If ENCRYPTTYPE is not specified here, UPSTREAM defaults to the value specified on the ENCRYPTV option in the backup profile definition (Backup Profiles), which is the BMC recommended way of specifying the encryption algorithm.
If the encryption value is specified in both places, the value in the backup profile definition is used.
AESKEY= (short form: AK=)
If any of the AES algorithms have been coded on the ENCRYPTTYPE parameter (or in the backup profile), AESKEY specifies the AES key to be used for the encryption.
The US government specifications for AES state that there are no weak keys in AES, but we recommend that you avoid repetitive strings or many duplicate characters.
Specify the key as hex digits (0-9, A-F).
- For AES-128 - provide exactly 32 hex digits (128 bits)
- For AES192 - provide exactly 48 hex digits (192 bits)
- For AES256 - provide exactly 64 hex digits (256 bits)
The key must be specified on a single statement and cannot extend past column 71. If necessary, use the short operand form (AK=) and the short statement form of ENCRYPT (EC).
If AESKEY is omitted, or if a key of all zeros is specified, a key is randomly generated by UPSTREAM. For the strongest possible encryption, we recommend that you omit AESKEY= and let UPSTREAM generate the AES key for you.
PRINTKEY=
Controls whether the AES key used for each backup profile name is displayed in the UPSTREAM USTLOG listing.
YES
Keys are displayed, allowing the printed listing to serve as a backup for the key file.
NO
Keys are not displayed in the log.
Default: NO.
DECRYPT Statement
DECRYPT statements can be optionally used to supply the decryption key when running a USTREGEN against an encrypted copy of a backup, or when running an actual restore from an encrypted copy of a backup. Note, however, DECRYPT statements are not normally required if the UPSTREAM key file is available, as the decryption keys are usually obtained automatically from there.
On each DECRYPT statement, the PROFILE= operand specifies the backup profile name affected by this statement. For example:
DECRYPT PROFILE=SERVER6,AESKEY=89AB20C1E2973167058432A04BF938D2
DECRYPT PROFILE=SERVER7,AESKEY=258911ABFE44C291B802FF0089EF1191
In the above example, the first AESKEY value is used for decrypting encrypted copies of backups taken under the profile name of SERVER6, while the second AESKEY value is used to decrypt copies of backups taken under the profile name of SERVER7.
UPSTREAM automatically determines the actual encryption type used for each encrypted copy of a backup that is processed. If you opt for providing decryption keys using DECRYPT statements, you must specify the proper type of AESKEY to match the encryption type that was used to encrypt the copy of the backup.
There is no equivalent to the PRINTKEY= operand (on the ENCRYPT statement). All keys coded on DECRYPT statements are obscured before appearing in the UPSTREAM USTLOG listing.
A separate DECRYPT statement can be coded with the MASTERKEY= operand, in which case that master key is used instead of any decryption keys specified for individual profile names on other DECRYPT statements. In other words, the master key is always used if specified, ignoring all other keys. We recommend, however, that you only specify the master key on a DECRYPT statement if the UPSTREAM key file is not available or has been back-dated.
DECRYPT Statement Syntax
DECRYPT [PROFILE=profilename] [,MASTERKEY=masterkey] [,AESKEY=aeskey]
DECRYPT Statement Operands
PROFILE=
Specifies the backup profile name that was used to create the initial “copy1” backup. You can specify a single profile name or a profile prefix value followed by an asterisk, e.g., SERV*.
Default: PROFILE=*, which causes the DECRYPT statement to apply to all decryption operations against all backup profiles.
MASTERKEY=
Specifies the 16-byte (128-bit) AES master key to be used, in hex (exactly 32 hex digits, 0-9, A-F). This can only be used if a master key was used during the encryption of the backup now being restored or processed by USTREGEN. See Master Keys for a full discussion on the use of UPSTREAM master keys.
AESKEY= (short form: AK=)
Specifies the AES key as hex digits (0-9, A-F) to be used for decryption, if the backup data set now being decrypted was encrypted with any of the AES encryption types.
- For AES128 - provide exactly 32 hex digits (128 bits)
- For AES192 - provide exactly 48 hex digits (192 bits)
- For AES256 - provide exactly 64 hex digits (256 bits)
The key must be specified on a single statement and cannot extend past column 71. If necessary, use the short operand form (AK=) and the short statement form of DECRYPT (DC).
There is no need to specify AESKEY if the UPSTREAM key file is available. AESKEY is ignored if MASTERKEY= is specified.
Additional Notes
Please note the following points if you decide to use DECRYPT statements in your USTCRYPT DD:
• Only one of the 3 “key” parameters can be specified on a single DECRYPT statement.
• If a DECRYPT statement with MASTERKEY= matches the profile of the encrypted backup being processed, that master key is used to recover the actual key (which is encrypted on the backup itself) and any other key operands are ignored. The backup must have been encrypted with the specified master key.
• If no DECRYPT statement can be found to match the profile of the encrypted backup being processed, the key is read from the UPSTREAM key file (if available).
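The rules above (one key operand per statement, fixed hex-digit lengths, the column-71 limit that motivates the short forms DC and AK=, PROFILE prefix matching, and the MASTERKEY-then-AESKEY-then-key-file precedence) can be checked in a small model. The following is an added example, not UPSTREAM code; the statement parser, the `resolve_key` function, the dictionary standing in for the UPSTREAM key file and all key values are constructed for illustration. Recovering the actual data key from the master-key-encrypted copy stored on the backup is not modelled; the function only reports which key source applies.

```python
"""Model of UPSTREAM DECRYPT control-statement handling (USTCRYPT DD).

Added example, not UPSTREAM code. It models only the rules the DECRYPT
Statement section states: one key operand per statement, hex-digit counts
(MASTERKEY 32; AESKEY 32, 48 or 64 for AES128/192/256), the column-71 limit
that motivates the short forms DC and AK=, PROFILE prefix matching (SERV*),
and key-source precedence: a matching MASTERKEY wins, then a matching AESKEY,
then the UPSTREAM key file. All key values used here are constructed.
"""
import re

AES_HEX_DIGITS = {"AES128": 32, "AES192": 48, "AES256": 64}   # key bits / 4
MASTERKEY_HEX_DIGITS = 32                                      # 16-byte AES master key
LAST_DATA_COLUMN = 71                                          # statement must end by col 71
HEX_RE = re.compile(r"^[0-9A-F]+$")


def parse_decrypt(statement):
    """Parse one DECRYPT (or DC) statement into an operand dict, validating it."""
    statement = statement.rstrip()
    if len(statement) > LAST_DATA_COLUMN:
        raise ValueError("statement extends past column %d" % LAST_DATA_COLUMN)
    verb, _, rest = statement.strip().partition(" ")
    if verb not in ("DECRYPT", "DC"):
        raise ValueError("not a DECRYPT statement: %r" % verb)
    operands = {}
    for item in rest.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("operand without a value: %r" % item)
        name = name.strip().upper()
        operands["AESKEY" if name == "AK" else name] = value.strip()
    operands.setdefault("PROFILE", "*")          # default: applies to all profiles
    if "MASTERKEY" in operands and "AESKEY" in operands:
        raise ValueError("only one key operand may be specified on a statement")
    mk = operands.get("MASTERKEY")
    if mk is not None and not (len(mk) == MASTERKEY_HEX_DIGITS and HEX_RE.match(mk)):
        raise ValueError("MASTERKEY must be exactly 32 hex digits (0-9, A-F)")
    ak = operands.get("AESKEY")
    if ak is not None and not (len(ak) in AES_HEX_DIGITS.values() and HEX_RE.match(ak)):
        raise ValueError("AESKEY must be 32, 48 or 64 hex digits (0-9, A-F)")
    return operands


def validation_error(statement):
    """Return the validation message for a statement, or None if it is acceptable."""
    try:
        parse_decrypt(statement)
    except ValueError as err:
        return str(err)
    return None


def profile_matches(pattern, profile):
    """PROFILE=SERV* matches every profile beginning with SERV; '*' matches all."""
    if pattern.endswith("*"):
        return profile.startswith(pattern[:-1])
    return pattern == profile


def resolve_key(statements, backup, key_file):
    """Return (source, key) for the encrypted copy described by `backup`.

    backup: {"profile": ..., "type": "AES128"|"AES192"|"AES256", "id": ...}
    key_file: {backup id: hex key}, a stand-in for the UPSTREAM key file.
    With a matching MASTERKEY the actual data key is recovered from the copy
    of it stored on the backup itself; that unwrapping step is not modelled.
    """
    matching = [p for p in map(parse_decrypt, statements)
                if profile_matches(p["PROFILE"], backup["profile"])]
    for p in matching:                           # master key always wins
        if "MASTERKEY" in p:
            return ("MASTERKEY", p["MASTERKEY"])
    for p in matching:                           # then an explicit AES key
        if "AESKEY" in p:
            if len(p["AESKEY"]) != AES_HEX_DIGITS[backup["type"]]:
                raise ValueError("AESKEY length does not match %s" % backup["type"])
            return ("AESKEY", p["AESKEY"])
    if backup["id"] in key_file:                 # then the key file, if available
        return ("KEYFILE", key_file[backup["id"]])
    return ("NONE", None)                        # restore cannot proceed


if __name__ == "__main__":
    stmts = ["DC PROFILE=SERV*,AK=" + "A" * 48, "DECRYPT MASTERKEY=" + "D" * 32]
    print(resolve_key(stmts, {"profile": "SERV01", "type": "AES192", "id": "b1"}, {}))
```

Note how a long-form `DECRYPT PROFILE=SERV*,AESKEY=` statement carrying a 48-digit AES192 key is rejected by the column check while the equivalent `DC PROFILE=SERV*,AK=` form fits, which is exactly why the page recommends the short forms.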
Setting the UPSTREAM Encryption Options
UPSTREAM uses an internal table called USTOPT to contain many operating options for the product. The main controls for UPSTREAM would have been set in this table when you did the initial installation of the product (Define Optional VTAM System Resources, Step 14). Other UPSTREAM facilities, such as Registered Names (Registered Name Service) and the USTSCHED Scheduler (UPSTREAM Scheduler) also have control options that are recorded in the options table.
The UPSTREAM data encryption feature has two control options which can be recorded in the table:
KEYFILE
The name of the key file.
MASTERKEYID
The master key RACF resource name suffix.
There are two ways that these options can be set, as described in the subsections below:
• Through the UPSTREAM TSO/ISPF dialog (see Using the TSO/ISPF Dialog)
• Using the USTZAPOP batch facility (see Using USTZAPOP)
The KEYFILE and MASTERKEYID controls can also be set in the USTCRYPT DD (USTCRYPT DD Control Statements). However, to ensure optimum security on your encryption, and to keep these options well hidden from general view, we recommend that you set them through one of the two methods described below. Use the USTCRYPT DD statement only if you are running multiple instances of UPSTREAM in the same z/OS system and you wish to use a separate key file and/or MASTERKEYID value for each one.
Using the TSO/ISPF Dialog
The UPSTREAM encryption options can be maintained through the UPSTREAM TSO/ISPF dialog. Select option 12 (“USTCRYPT”) and press ENTER.
UPSTREAM TSO/ISPF Dialog (panel image not reproduced)
After supplying the name of the UPSTREAM load library where your options table is stored, you see the following screen, where you can set the two UPSTREAM encryption options. Enter SAVE to save the values and store the updated table. You must then issue the z/OS MODIFY command described in z/OS MODIFY to cause the UPSTREAM started task to reload the USTCRYPT options.
UPSTREAM - USTCRYPT Options (panel image not reproduced)
Using USTZAPOP
As an alternative to setting the UPSTREAM encryption options via the TSO/ISPF dialog, you can use the USTZAPOP batch utility. Here is an example:
//* EXEC statement assumed: the USTZAPOP batch utility is run as PGM=USTZAPOP
//ZAPOPT   EXEC PGM=USTZAPOP
//STEPLIB  DD DISP=SHR,DSN=upstream.loadlib
//SYSLIB   DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
ZAP KEYFILE=key.file.dsname
ZAP MASTERKEYID=qualifier
/*
The UPSTREAM Installation Control Library (ICL), which would have been created during the main installation of the product (Installation and Configuration) contains a sample member CRYZAPKF, which has an example of running USTZAPOP to set the name of the key file.
Configure the Backup Profiles
The main controlling mechanism for an UPSTREAM backup is the backup profile, in which you set various options such as the retention of the backup, the media to be used for the backup, and whether or not it is eligible for merge backup processing. See Backup Profiles for a full description on how to create and maintain your UPSTREAM backup profiles.
To enable encryption for a profile, the ENCRYPTV option must be set in each backup profile for which encryption is used in that Vault copy process.
The menu below displays an edited view of the configuration of a backup profile called TEST, in which the “Other Options” section is being displayed. You'll find this section at the very bottom of a backup profile configuration.
As you can see, we have enabled USTVAULT encryption for this backup profile, and we have requested that AES128 encryption be used. You may choose any of the algorithms supported. See Encryption Algorithms for a full list and description of the encryption types supported by UPSTREAM.
Specifying the encryption level here in the backup profile (which is highly recommended) overrides any ENCRYPT statements that refer to this profile in the USTCRYPT DD statement input in the UPSTREAM startup PROC (Add an USTCRYPT DD Statement to the Startup PROC).
Notice also that this backup profile is enabled for USTVAULT processing (via the VAULT option), which is a prerequisite for UPSTREAM USTVAULT encryption. See Copying Backups with USTVAULT for full details on configuring USTVAULT processing.
UPSTREAM - Configure Profile (panel image not reproduced)
Once you have set the ENCRYPTV option, type “SAVE” on the command line and press the ENTER key.
Before an updated backup profile can be used, the configuration must be reloaded by the UPSTREAM started task, using the “REFRESH” command. See Controlling Multiple UPSTREAM Started Tasks for more details.
Configure the USTVAULT Profiles
USTVAULT is the UPSTREAM utility for creating additional copies of your original “copy 1” backups. The main controlling mechanism for USTVAULT processing is one or more USTVLTxx profiles, in which you set various options such as the name of the copied backup, the retention of the copy, and the media to be used to hold the copied backup. See USTVLTxx Profile Parameters for a full description on how to create and maintain your USTVLTxx profiles.
If you are licensed for the UPSTREAM encryption option, and if you want to use encryption when copying some or all of your backups with USTVAULT, you must have set the ENCRYPTV option in each backup profile for which encryption is used in that copy process, as described in Configure the Backup Profiles.
For additional strength of encryption, you may also want to consider encrypting the USTVAULT control data set, which is written as the last file on a USTVAULT-created tape.
As shown below, the ENCRYPTV option in a USTVLTxx profile causes the vault control file data set to be encrypted just prior to the point that it is moved to the output tape. This only occurs if you are licensed for UPSTREAM encryption, and if one or more of the backups vaulted by USTVAULT has been encrypted. If no encrypted backups are on this vault copy, the ENCRYPTV option is ignored and the vault control data set is not encrypted.
The menu below displays an edited view of the configuration of a USTVLT profile called USTVLT01, in which the “Other Options” section is being displayed. You'll find this section at the very bottom of a USTVLTxx profile configuration.
As you can see, we have requested that AES128 encryption be used to encrypt the USTVAULT control data set. You may choose any of the five algorithms supported by UPSTREAM. See Encryption Algorithms for a full list and description of encryption types.
UPSTREAM - Configure Profile (panel image not reproduced; the panel's DASDBLK ===> field sets the blocksize for the vault control file)
Once you have set the ENCRYPTV option, type “SAVE” on the command line and press the ENTER key.
Before a new USTVLTxx profile can be used the configuration must be reloaded by the UPSTREAM started task, using the “REFRESH” command. See Controlling Multiple UPSTREAM Started Tasks for more details.
Creating the UPSTREAM Encryption Key File (USTCRYFM)
Before you read this section, please review the following sections:
- UPSTREAM Encryption Key Management, which describes the role of UPSTREAM's encryption key file and the process of generating and maintaining UPSTREAM encryption keys.
- UPSTREAM Data Encryption, which contains information on the security requirements for the UPSTREAM key file.
In this section, we look at the USTCRYFM utility, which can be used for a number of management tasks on the UPSTREAM encryption key file. A summary of the commands is shown below, with full details in the sub-sections shown.
FORMAT
(FORMAT Statement) Pre-formats a UPSTREAM encryption key file.
DUMP
(DUMP Statement) Creates a formatted backup copy of the UPSTREAM encryption key file. The backup can only be restored by the RESTORE command.
RESTORE
(RESTORE Statement) Creates a new key file from the contents of a backup previously created by the DUMP function.
DELETE and RESET
(DELETE and RESET Statements) DELETE can be used to mark for deletion one or more records in the UPSTREAM encryption key file. The deletion does not actually take place until the REORG function is run. The RESET function can be used to remove a deletion flag from a record that was previously set by the DELETE function.
REORG
(REORG Statement) Takes a backup of the key file (similar to the DUMP function) and then reloads the key file (similar to RESTORE), dropping any records marked for deletion by the DELETE function.
REPORT
(REPORT Statement) Reports details of the encrypted copies of backups that have been created by USTVAULT and are recorded in the key file. The actual encryption keys themselves are not printed unless the user running the REPORT function has been granted UPDATE authority to the key file.
USTCRYFM JCL Parameters describes the JCL statements required to run USTCRYFM, and USTCRYFM JCL Examples contains several illustrative examples of running USTCRYFM.
FORMAT Statement
The FORMAT statement pre-formats the UPSTREAM encryption key file. A FORMAT must be run against the key file before it can start to record the encrypted copies of your backups created by USTVAULT.
FORMAT Statement Syntax
FORMAT B=n ,ENABLE=([DYNALLOC],[ERASE],[RESERVE]) ,RECS=nnnnnnn
FORMAT Statement Operands
B=n
Specifies the number of blocks to be placed on each track, from 2 through 5. USTCRYFM automatically calculates the best blocksize for this device type.
Default: 2 (half-track blocking).
RECS=nnnnnnn
Specifies the minimum number of backup entries that are formatted on the key file. The highest value that can be specified varies with the disk device type, the blocking factor, and the size of the file. With the default blocking factor B=2, the file can contain a maximum of 131070 blocks, which requires 65535 tracks. If the file is on a 3390 disk, this is a maximum of RECS=22806180. Sufficient space must be allocated to the file to contain the required number of entries, otherwise FORMAT fails.
If SPACE= does not include the RLSE operand (or SPACE= is omitted for an existing file), then USTCRYFM formats all tracks of the initial allocation. If this is insufficient to hold the required number of records and a secondary allocation quantity was specified in SPACE=, USTCRYFM takes secondary allocations until the space is sufficient, and formats all of the secondary tracks.
So, in summary, FORMAT formats all tracks allocated to the key file, with a guaranteed minimum capacity specified by RECS=.
ENABLE=
Controls the options that are enabled for this FORMAT operation. Multiple options are allowed and must be enclosed in parentheses and separated by commas.
DYNALLOC
If the ENCRYPT DD statement is omitted, dynamically allocates the key file specified in the UPSTREAM configuration (Setting the UPSTREAM Encryption Options).
ERASE
Allows an existing, formatted key file to be reformatted. This removes all encryption keys previously recorded in that file. This is usually only appropriate when erasing a key file following a disaster recovery test. By default, FORMAT can only be run against a newly allocated key file.
RESERVE
Protects the formatting with a RESERVE against the volume where the key file resides.
DUMP Statement
The DUMP statement causes a formatted backup copy of the key file to be created. This backup can only be restored by the RESTORE statement of USTCRYFM.
The backup created by DUMP is not encrypted, but data in the key file is not stored in the clear, so encryption keys cannot be extracted by browsing the backup.
The USTCRYFM JCL must include a TAPE1 DD statement to specify the backup data set.
A combination of the DUMP and RESTORE statements can be used to move the key file from one device to another (even across unlike devices like 3380 to 3390). They can also be used to change the size and/or blocking factor of the key file.
The FDRCOPY and FDRDSF members of BMC's FDR DASD Management System can also be used to move the key file from one disk to another, but they do not expand or re-block the key file.
DUMP Statement Syntax
DUMP DUMPDEVICE=[DISK|TAPE] ,DISABLE=([DYNALLOC],[RESERVE]) ,ENABLE=([DYNALLOC],[RESERVE])
DUMP Statement Operands
DUMPDEVICE=
Specifies the device type that is to be used as a DUMP medium.
DISK
Allows the backup data set to be placed on either disk or tape devices.
TAPE
Restricts the backup data set to tape devices only.
Default: TAPE.
DISABLE=
ENABLE=
The options specified are disabled or enabled for this DUMP operation. Multiple options are allowed and must be enclosed in parentheses and separated by commas.
DYNALLOC
If the ENCRYPT DD statement is omitted, dynamically allocates the key file specified in the UPSTREAM configuration (Setting the UPSTREAM Encryption Options).
RESERVE
Protects the key file with a RESERVE against the volume on which it resides.
RESTORE Statement
The RESTORE statement creates a key file from a backup copy previously created by DUMP. The USTCRYFM JCL must include a TAPE1 DD statement to specify the backup data set.
If the data set that USTCRYFM is restoring is newly allocated, it does not have to be pre-initialized with the FORMAT statement because the RESTORE operation includes the formatting functions of FORMAT.
If the data set that USTCRYFM is restoring to is already allocated, RESTORE completely replaces the contents of that file. All encrypted backups and keys previously recorded in that file are lost. To protect you, USTCRYFM only allows a restore to a previously formatted key file if ENABLE=ERASE is specified.
A combination of the DUMP and RESTORE statements can be used to move the key file from one device to another (even across unlike devices like 3380 to 3390). They can also be used to change the size and/or blocking factor of the key file.
The FDRCOPY and FDRDSF members of BMC's FDR DASD Management System can also be used to move the key file from one disk to another, but they do not expand or re-block the key file.
RESTORE Statement Syntax
RESTORE B=n ,DUMPDEVICE=[DISK|TAPE] ,DISABLE=([DYNALLOC],[ERASE],[RESERVE]) ,ENABLE=([DYNALLOC],[ERASE],[RESERVE]) ,RECS=nnnnnnn
RESTORE Statement Operands
B=n
Specifies the number of blocks to be placed on each track, from 2 through 5. USTCRYFM automatically calculates the best blocksize for this device type.
Default: 2 (half-track blocking).
DUMPDEVICE=
Specifies the device type that is to be used as a RESTORE medium.
DISK
Reads the backup from either disk or tape.
TAPE
Reads the backup from tape devices only.
Default: TAPE.
DISABLE=
ENABLE=
The options specified are disabled or enabled for this RESTORE operation. Multiple options are allowed and must be enclosed in parentheses and separated by commas.
DYNALLOC
If the ENCRYPT DD statement is omitted, dynamically allocates the key file specified in the UPSTREAM configuration (Setting the UPSTREAM Encryption Options).
ERASE
Allows an existing, formatted key file to be overwritten by the restore. This removes all encryption keys previously recorded in that file. This is usually only appropriate when replacing a key file following a disaster recovery test. By default, RESTORE can only be run against a newly allocated key file.
RESERVE
Protects the formatting with a RESERVE against the volume containing the key file.
RECS=nnnnnnn
Specifies the minimum number of key entries that are formatted during the restore of the key file. See RECS= for more details. The default is the number of records that were formatted during the DUMP of the key file, or 2000, whichever is the larger.
DELETE and RESET Statements
The DELETE statement is used to mark records within the key file for deletion. The statement may appear more than once in the control statement input if you need to delete records based on several sets of criteria. The actual deletion does not take place until the next reorganization of the key file with the REORG statement.
The RESET statement is used to reset the delete flag in key file records previously marked by a DELETE statement. The RESET statement may appear more than once in the control statement input if you need to reset records based on several sets of criteria. RESET must be executed before the next REORG of the key file, since REORG may physically delete records marked for deletion. Note that REORG creates a backup of the key file, so if you save that backup and then later discover that you need records that were deleted, you may be able to recover them from the backup.
Operands of DELETE and RESET that have numeric values (such as BKDATE and BKDAYS) accept comparison operators in addition to a simple equal “=”. The operators are:
- = or .EQ. - Equal
- ^= or .NE. - Not Equal
- < or .LT. - Less Than
- > or .GT. - Greater Than
- <= or .LE. - Less Than or Equal
- >= or .GE. - Greater Than or Equal
In most cases, you may also specify an operand more than once, such as the following to select a range of values: BKDAYS>5,BKDAYS<20
Other operands only accept equal (= or .EQ.) or not equal (^= or .NE.).
A record must meet all of the selection criteria specified to be marked or reset for deletion.
DELETE and RESET Statements Syntax
DELETE | RESET  BKDATE=yyyyddd ,BKDAYS=nnnnn ,BKDSNAME=dsname ,BKFILESEQ=nnnnn ,BKTIME=hhmmss ,BKVOLUME=volser ,ENCRYPTIONTYPE=[AES128|AES192|AES256] ,FLAGS=([MASTERKEYAPPLIED],[DELETE],[GENERATEDKEY],[TAPEFILE]) ,[REAL|SIMULATE] ,VOL=volspec
DELETE and RESET Statements Operands
BKDATE=yyyyddd
Specifies that encrypted copies of backups created on this date by USTVAULT are marked for deletion or reset. This is a Julian date, which may be in the form “yyyyddd” (e.g. 2006123) or “yyddd” (e.g. 06123). For improved readability, a period may be inserted between the year and day (e.g. 2006.123).
BKDAYS=nnnnn
Specifies that encrypted copies of backups created “nnnnn” days ago by USTVAULT are marked for deletion or reset. Values of 0 to 32000 are accepted.
BKDSNAME=dsname
Specifies the dsname(s) of one or more encrypted copies of backups that are to be marked for deletion or reset. Multiple names may be specified in parentheses, separated by commas.
BKFILESEQ=nnnnn
Specifies a tape file sequence number (1 to 4095) of an encrypted copy of a backup that is to be marked for deletion or reset.
BKTIME=hhmmss
Specifies that encrypted copies of backups created by USTVAULT at “hhmmss” are to be marked for deletion or reset.
BKVOLUME=volser
Specifies that encrypted copies of backups created by USTVAULT, whose first volume matches the BKVOLUME serial or serial mask, are marked for deletion or reset (e.g. BKVOLUME=0033##).
ENCRYPTIONTYPE=
Specifies the encryption type used by USTVAULT when the copy of the backup was created. Only copies of backups matching this encryption type are marked for deletion or reset.
AES128
AES192
AES256
FLAGS=
Specifies one or more flags which must all be on in the key file record in order for it to be marked for deletion or reset. Multiple flags must be enclosed in parentheses and separated by commas.
MASTERKEYAPPLIED
A master key was used when this backup was encrypted.
DELETE
This backup is flagged for deletion.
GENERATEDKEY
The key used in this backup was generated by UPSTREAM.
TAPEFILE
This backup is on tape (otherwise it is on disk).
REAL
SIMULATE
SIMULATE causes the DELETE or RESET statement to operate in simulation mode, so that you can verify that the parameters you specified return the correct results. No records in the key file are updated. REAL makes the desired modifications in the selected records.
Default: REAL.
VOL=
volspec
Specifies the volume serial or mask (e.g., VOL=123*) of the original disk from which the backup was created, which was then copied and encrypted by USTVAULT. Only the encrypted copies of backups taken from that volser/mask are marked for delete or reset.
REORG Statement
The REORG statement takes a backup of the key file (similar to DUMP), writing it to the file specified by the TAPE1 DD statement in the USTCRYFM JCL. It then reloads the key file from that backup, dropping obsolete records.
Although the TAPE1 DD statement can specify a temporary data set, we recommend that it be a permanent data set for backup purposes and to protect against a failure during the reload.
There are three options that control removal of obsolete entries during the reload. None of them are enabled by default, so you must specify at least one for the REORG to have any meaning:
DELETE=PURGE
To purge entries marked by a DELETE statement
ENABLE=NULLFILE
To purge entries where the output file was DUMMY (DSN=NULLFILE)
ENABLE=IFNOTCURRENT
To purge uncataloged encrypted copies of your backups on disk and copies of encrypted backups on tape which are no longer recorded in your tape management system.
The key file does not need frequent reorganization, unless you frequently create lots of encrypted copies of your backups. In most situations, a monthly REORG of the key file is sufficient.
REORG Statement Syntax
REORG CNTRESV=nn ,DELETE=[IGNORE|RETAIN|PURGE] ,DISABLE=([DYNALLOC],[IFNOTCURRENT],[NULLFILE],[RESERVE]) ,ENABLE=([DYNALLOC],[IFNOTCURRENT],[NULLFILE],[RESERVE]) ,DUMPDEVICE=[DISK|TAPE] ,[LOG|NOLOG] ,SIMULATE
REORG Statement Operands
CNTRESV=nn
Specifies the number of key file blocks (1 to 99) to be processed before releasing and reacquiring the RESERVE on the volume containing the key file (if ENABLE=RESERVE is in effect).
Default: 10.
DELETE=
Specifies whether entries marked for deletion by a previous DELETE statement (in this step or a previous USTCRYFM step) should be removed:
IGNORE
Ignore the delete flag (entries may still be removed for other reasons)
RETAIN
Retain all entries with the delete flag on, even if they are selected for other reasons
PURGE
Remove all entries with the delete flag on
Default: IGNORE, so DELETE=PURGE must be specified to remove entries marked by a previous DELETE statement.
DISABLE=
ENABLE=
The options specified are disabled or enabled for this REORG operation. Multiple options are enclosed in parentheses and separated by commas.
DYNALLOC
If the ENCRYPT DD statement is omitted, dynamically allocates the key file specified in the UPSTREAM configuration (Setting the UPSTREAM Encryption Options).
IFNOTCURRENT
Removes all key file entries for which the corresponding encrypted backup no longer exists. For a backup on disk, the key file entry is removed if the backup is no longer cataloged in a z/OS catalog. For a backup on tape, the key file entry is removed if the backup is no longer recorded in the tape management system.
NULLFILE
Removes key file entries whose corresponding backup was DUMMY (DSN=NULLFILE); these are usually tests.
RESERVE
Protects the REORG with a RESERVE against the volume on which the key file resides (see also CNTRESV=).
Default: RESERVE is enabled; all other options are disabled.
DUMPDEVICE=
Specifies the device type that is eligible to be used as a backup medium during the REORG operation.
DISK allows the backup data set to be placed on either disk or tape devices, while TAPE restricts the backup data set to tape devices only.
Default: TAPE.
LOG
NOLOG
Specifies whether the key file entries being dropped by the REORG operation are listed.
Default: LOG.
SIMULATE
Specifies whether the REORG operation is simulated. If specified, all processing is done and all entries selected for removal are displayed (if LOG is in effect) but the key file is not updated. By default, the key file is updated and entries are actually removed.
SIMULATE is recommended to first verify that only the expected records are removed. Once a record is removed from the key file you can only restore from that encrypted backup by explicitly specifying the actual key or master key of the backup.
REPORT Statement
The REPORT statement prints details of selected key file records. The ENCRYPT DD statement in the USTCRYFM JCL points to the UPSTREAM encryption key file.
The encryption keys themselves are not displayed unless the user executing the program has UPDATE authority to the key file in your security system (UPSTREAM Data Encryption). If the key file is not protected by a data set profile in your security system, you are able to report on it, but keys are never displayed.
Operands of REPORT that have numeric values (such as BKDATE and BKDAYS) accept comparison operators in addition to a simple equal “=”. The operators are:
• = or .EQ. - Equal
• ^= or .NE. - Not Equal
• < or .LT. - Less Than
• > or .GT. - Greater Than
• <= or .LE. - Less Than or Equal
• >= or .GE. - Greater Than or Equal
In most cases, you may also specify an operand more than once, such as the following to select a range of values: BKDAYS>5,BKDAYS<20
Other operands only accept equal (= or .EQ.) or not equal (^= or .NE.).
A record must meet all of the selection criteria specified to be displayed.
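The selection rules shared by DELETE, RESET (DELETE and RESET Statements) and REPORT (comparison operators on numeric operands, repeated operands forming a range, equality-only operands, FLAGS that must all be on, every criterion ANDed, and the SIMULATE/REAL distinction) are easy to get wrong when composing a statement that will drop keys. The following is an added example, not USTCRYFM code: a small evaluator that applies such statements to constructed key-file records so the selection can be checked before a REORG with DELETE=PURGE is run. The record layout, the `apply_statement` function, the sample records and the fixed run date `SAMPLE_TODAY` are all constructed for illustration; the mask handling for `BKVOLUME=0033##` and `VOL=123*` follows the examples on the page.

```python
"""Selection-criteria evaluator for USTCRYFM DELETE, RESET and REPORT statements.

Added example, not USTCRYFM code: numeric operands (BKDATE, BKDAYS, BKFILESEQ)
take comparison operators and may be repeated to form a range, other operands
accept only = or ^=, FLAGS must all be on, every criterion must hold, and
SIMULATE selects records without updating them. Records here are constructed.
"""
import operator
import re
from datetime import date, timedelta

OPS = {"=": "eq", ".EQ.": "eq", "^=": "ne", ".NE.": "ne", "<": "lt", ".LT.": "lt",
       ">": "gt", ".GT.": "gt", "<=": "le", ".LE.": "le", ">=": "ge", ".GE.": "ge"}
# Longer operators first so that '<=' is not read as '<' followed by '=5'.
CRIT_RE = re.compile(r"^([A-Z]+)(%s)(.+)$" % "|".join(
    re.escape(o) for o in sorted(OPS, key=len, reverse=True)))
SAMPLE_TODAY = date(2024, 5, 9)      # constructed run date for BKDAYS arithmetic

def split_operands(text):
    """Split on commas that are not inside parentheses, e.g. FLAGS=(A,B)."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur] if cur else parts

def julian_to_date(text):
    """yyyyddd or yyddd, optionally with '.' after the year (2006.123)."""
    digits = text.replace(".", "")
    if len(digits) == 5:                 # assumption: two-digit years mean 20yy
        digits = "20" + digits
    return date(int(digits[:4]), 1, 1) + timedelta(days=int(digits[4:]) - 1)

def mask_match(mask, value):
    """'*' matches any run of characters, '#' one character (BKVOLUME=0033##)."""
    regex = "".join(".*" if c == "*" else "." if c == "#" else re.escape(c) for c in mask)
    return re.fullmatch(regex, value) is not None

# Numeric operands: (record value, statement value) pairs for the comparison.
NUMERIC = {
    "BKDAYS": lambda r, v, today: ((today - julian_to_date(r["bkdate"])).days, int(v)),
    "BKDATE": lambda r, v, today: (julian_to_date(r["bkdate"]), julian_to_date(v)),
    "BKFILESEQ": lambda r, v, today: (r["fileseq"], int(v)),
}
# Equality-only operands: True when the record matches the value.
EQUALITY = {
    "FLAGS": lambda r, v: set(v.strip("()").split(",")) <= r["flags"],
    "BKDSNAME": lambda r, v: r["dsname"] in v.strip("()").split(","),
    "BKVOLUME": lambda r, v: mask_match(v, r["bkvolume"]),
    "VOL": lambda r, v: mask_match(v, r["vol"]),
    "ENCRYPTIONTYPE": lambda r, v: r["encryptiontype"] == v,
    "BKTIME": lambda r, v: r["bktime"] == v,
}

def parse_criteria(text):
    """Return (criteria, simulate flag); reject operators an operand does not accept."""
    criteria, simulate = [], False
    for item in (s.strip() for s in split_operands(text)):
        if item in ("REAL", "SIMULATE"):
            simulate = item == "SIMULATE"
            continue
        m = CRIT_RE.match(item)
        if not m:
            raise ValueError("cannot parse operand %r" % item)
        name, op, value = m.groups()
        if name not in NUMERIC and (name not in EQUALITY or OPS[op] not in ("eq", "ne")):
            raise ValueError("%s: unknown operand or operator not allowed" % name)
        criteria.append((name, op, value))
    return criteria, simulate

def record_matches(record, criteria, today):
    """A record is selected only when it satisfies every criterion (they are ANDed)."""
    for name, op, value in criteria:
        if name in NUMERIC:
            left, right = NUMERIC[name](record, value, today)
            ok = getattr(operator, OPS[op])(left, right)
        else:
            ok = EQUALITY[name](record, value) == (OPS[op] == "eq")
        if not ok:
            return False
    return True

def apply_statement(statement, records, today=SAMPLE_TODAY):
    """Run one DELETE, RESET or REPORT statement; return the selected dsnames.
    DELETE sets and RESET clears the DELETE flag unless SIMULATE is specified."""
    verb, _, rest = statement.strip().partition(" ")
    criteria, simulate = parse_criteria(rest)
    selected = [r for r in records if record_matches(r, criteria, today)]
    for r in () if simulate else selected:
        if verb == "DELETE":
            r["flags"].add("DELETE")
        elif verb == "RESET":
            r["flags"].discard("DELETE")
    return [r["dsname"] for r in selected]

def sample_records():
    """Constructed key-file records, not real UPSTREAM data."""
    def rec(dsname, bkdate, bkvolume, fileseq, enctype, flags, vol):
        return {"dsname": dsname, "bkdate": bkdate, "bktime": "013000", "bkvolume": bkvolume,
                "fileseq": fileseq, "encryptiontype": enctype, "flags": set(flags), "vol": vol}
    return [rec("VAULT.SERV01.C2", "2024100", "003301", 1, "AES128", ["GENERATEDKEY", "TAPEFILE"], "PRD001"),
            rec("VAULT.SERV02.C2", "2024040", "003345", 2, "AES256",
                ["GENERATEDKEY", "MASTERKEYAPPLIED", "TAPEFILE"], "PRD002"),
            rec("VAULT.TEST.C2", "2024120", "004410", 1, "AES128", ["TAPEFILE"], "TST001")]
```

Running `apply_statement("DELETE BKDAYS>20,BKDAYS<=90,BKVOLUME=0033##,SIMULATE", sample_records())` lists the two SERV copies without flagging anything, which is the check worth making before the same statement is run with REAL and followed by a REORG with DELETE=PURGE.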
REPORT Statement Syntax
REPORT [operand,operand,...]
All operands are optional; REPORT with no operands reports every record in the key file.
REPORT Statement Operands
BKDATE=yyyyddd
Specifies that encrypted copies of backups created on this date by USTVAULT are reported. This is a Julian date, which may be in the form “yyyyddd” (e.g. 2006123) or “yyddd” (e.g. 06123). For improved readability, a period may be inserted between the year and day (e.g. 2006.123).
BKDAYS=nnnnn
Specifies that encrypted copies of backups created “nnnnn” days ago by USTVAULT are reported. Values of 0 to 32000 are accepted.
BKDSNAME=dsname | (dsname,dsname,...)
Specifies the dsname(s) of one or more encrypted copies of backups that are to be reported. Multiple names may be specified in parentheses, separated by commas.
BKFILESEQ=nnnnn
Specifies a tape file sequence number (1 to 4095) of an encrypted copy of a backup that is to be reported.
BKTIME=hhmmss
Specifies that encrypted copies of backups created by USTVAULT at “hhmmss” are to be reported.
BKVOLUME=volser | mask
Specifies that encrypted copies of backups created by USTVAULT, whose first volume matches the BKVOLUME serial or serial mask, are reported (e.g. BKVOLUME=0033##).
ENCRYPTIONTYPE=AES128 | AES192 | AES256
Specifies the encryption type used by USTVAULT when the copy of the backup was created. Only copies of backups matching this encryption type are reported.
FLAGS=flag | (flag,flag,...)
Specifies one or more flags that must all be on in the key file record in order for it to be reported. Multiple flags must be enclosed in parentheses and separated by commas.
MASTERKEYAPPLIED
A master key was used when this backup was encrypted.
DELETE
This backup is flagged for deletion.
GENERATEDKEY
The key used in this backup was generated by UPSTREAM.
TAPEFILE
This backup is on tape (otherwise it is on disk).
VOL=volser | mask
Specifies the volume serial or mask (e.g., VOL=123*) of the original disk from which the backup was created, which was then copied and encrypted by USTVAULT. Only the encrypted copies of backups taken from that volser/mask are reported.
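The following Python model of the REPORT selection rules above is an added illustration, not BMC's code and not part of the original page. It parses a REPORT control statement (comparison operators on the numeric operands, = and ^= only on the others, list values in parentheses), applies all criteria with AND so that a repeated operand selects a range, normalizes Julian dates in the yyyyddd, yyddd and yyyy.ddd forms, and matches volser masks. The records are constructed (dates and tape volsers borrowed from the sample report, everything else invented), and three details the page does not state are assumptions: a two-digit Julian year means 20yy, "#" in a mask matches one character while "*" matches the rest of the field, and FLAGS^= means "not all of the listed flags are on".

```python
"""Model of how USTCRYFM REPORT selects key file records (added example, not BMC code)."""
import re
from datetime import date, timedelta

NUMERIC = {"BKDATE", "BKDAYS", "BKFILESEQ", "BKTIME"}      # accept every operator
_OPS = {"=": "eq", ".EQ.": "eq", "^=": "ne", ".NE.": "ne",
        "<": "lt", ".LT.": "lt", ">": "gt", ".GT.": "gt",
        "<=": "le", ".LE.": "le", ">=": "ge", ".GE.": "ge"}
_CMP = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
        "lt": lambda a, b: a < b,  "gt": lambda a, b: a > b,
        "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b}
# Two-character and dotted operators are tried before the one-character ones.
_OPERAND = re.compile(r"^([A-Z]+)(<=|>=|\^=|\.EQ\.|\.NE\.|\.LT\.|\.GT\.|\.LE\.|\.GE\.|=|<|>)(.+)$")


def julian_to_date(text):
    """'yyyyddd' or 'yyddd', optionally with a period after the year (2006.123)."""
    digits = text.replace(".", "")
    if len(digits) == 5:                 # yyddd: assume 20yy (assumption)
        digits = "20" + digits
    if len(digits) != 7 or not digits.isdigit():
        raise ValueError(f"bad Julian date {text!r}")
    return date(int(digits[:4]), 1, 1) + timedelta(days=int(digits[4:]) - 1)


def mask_match(mask, value):
    """Volser mask (assumed semantics): '#' = one character, '*' = any run."""
    pattern = "".join(".*" if c == "*" else "." if c == "#" else re.escape(c) for c in mask)
    return re.fullmatch(pattern, value) is not None


def _split_operands(text):
    """Split on commas that are not inside parentheses."""
    parts, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur] if cur else parts


def parse_report(statement):
    """Return [(operand, op, value)] for a REPORT control statement."""
    text = statement.strip().upper()
    if not text.startswith("REPORT"):
        raise ValueError("not a REPORT statement")
    criteria = []
    for raw in _split_operands(text[len("REPORT"):].strip()):
        m = _OPERAND.match(raw.strip())
        if not m:
            raise ValueError(f"bad operand {raw!r}")
        name, op, value = m.group(1), _OPS[m.group(2)], m.group(3)
        if name not in NUMERIC and op not in ("eq", "ne"):
            raise ValueError(f"{name} accepts only = or ^=")
        if value.startswith("(") and value.endswith(")"):      # (a,b,c) list form
            value = tuple(v.strip() for v in value[1:-1].split(","))
        criteria.append((name, op, value))
    return criteria


def _matches(rec, name, op, value, today):
    cmp = _CMP[op]
    many = value if isinstance(value, tuple) else (value,)
    if name == "BKDAYS":                  # age in days relative to the run date
        return cmp((today - rec["BKDATE"]).days, int(value))
    if name == "BKDATE":
        return cmp(rec["BKDATE"], julian_to_date(value))
    if name in ("BKTIME", "BKFILESEQ"):
        return cmp(int(rec[name]), int(value))
    if name == "FLAGS":                   # all listed flags must be on
        return cmp(set(many) <= rec["FLAGS"], True)
    if name == "BKDSNAME":                # any of the listed names
        return cmp(rec["BKDSNAME"] in many, True)
    if name in ("BKVOLUME", "VOL"):       # serial or mask
        return cmp(mask_match(value, rec[name]), True)
    if name == "ENCRYPTIONTYPE":
        return cmp(rec[name], value)
    raise ValueError(f"unknown operand {name}")


def select_records(statement, records, today):
    """Every criterion must hold (AND), so a repeated operand selects a range."""
    criteria = parse_report(statement)
    return [r for r in records if all(_matches(r, n, o, v, today) for n, o, v in criteria)]


def _rec(profile, jdate, hhmmss, flags, etype, bkvol, seq, dsn, vol):
    return {"PROFILE": profile, "BKDATE": julian_to_date(jdate), "BKTIME": hhmmss,
            "FLAGS": set(flags), "ENCRYPTIONTYPE": etype, "BKVOLUME": bkvol,
            "BKFILESEQ": seq, "BKDSNAME": dsn, "VOL": vol}

# Constructed records: dates and tape volsers from the sample report, the rest invented.
TG = ("TAPEFILE", "GENERATEDKEY")
RECORDS = [
    _rec("WIN2K8SV", "2011.209", "150246", TG, "AES128", "CCR620", 4,
         "UPSTREAM.WIN2K8SV.COPYI2.D110702.T122330", "WIN001"),
    _rec("WIN2K8SV", "2011.209", "150105", TG, "AES128", "CCR619", 2,
         "UPSTREAM.WIN2K8SV.COPYI2.D110728.T113233", "WIN002"),
    _rec("ZVMINST1", "2011.165", "175959", TG + ("MASTERKEYAPPLIED",), "AES256", "CCR604", 2,
         "PROD.ZVMINST1.COPYF2.G0025V00", "ZVM001"),
    _rec("ZVMINST1", "2011.088", "141113", TG, "AES256", "CCR603", 2,
         "PROD.ZVMINST1.COPYF2.G0023V00", "ZVM002"),
]
TODAY = date(2011, 8, 3)                  # constructed run date used for BKDAYS

if __name__ == "__main__":
    for stmt in ("REPORT ENCRYPTIONTYPE=AES128,BKDAYS<8", "REPORT BKDAYS>40,BKDAYS<100",
                 "REPORT BKVOLUME=CCR62#", "REPORT FLAGS=(MASTERKEYAPPLIED,TAPEFILE)"):
        print(stmt, "->", [r["BKDSNAME"] for r in select_records(stmt, RECORDS, TODAY)])
```

Running the module prints, for each statement, the data set names it would select; the first statement is the one from the selective REPORT example later on this page. Because the criteria are AND-ed, BKDAYS>40,BKDAYS<100 narrows to a single record, and a non-numeric operand with a comparison operator is rejected before any record is examined.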
USTCRYFM JCL Parameters
These are the JCL parameters required to execute USTCRYFM. Full JCL examples of USTCRYFM jobs can be found in USTCRYFM JCL Examples.
EXEC Statement
Must specify PGM=USTCRYFM, and should also specify REGION=0M to make the maximum region available.
If a PARM field is specified, USTCRYFM uses the data specified as the first control statement, which must be a valid USTCRYFM statement. For example:
JOBLIB or STEPLIB Statement
If the UPSTREAM load library has not been placed in the system linklist, this DD statement is required to point to the load library. This must be an APF authorized library.
SYSUDUMP DD Statement
Recommended in all USTCRYFM jobs in order to diagnose more easily error conditions that make USTCRYFM abend.
ENCRYPT DD Statement
This DD statement specifies the USTCRYPT key file to be processed. It must be on disk. No DCB parameters should be specified, but you may want to specify DSORG=PS so that the key file is marked as a sequential data set instead of the default of DA.
If creating a new key file, a SPACE= parameter with secondary allocation and RLSE are supported and highly recommended. Estimate the number of encrypted backups that need to be recorded and calculate the tracks required (based on a figure of 348 backups per 3390 track).
The key file does not take secondary allocations once it has been formatted.
TAPE1 DD Statement
Required only for the DUMP, RESTORE, and REORG functions, and specifies the file to be used for the backup copy of the key file. It must point to a tape device unless the DUMPDEVICE=DISK operand is specified.
Although the TAPE1 DD statement can point to a temporary data set for a REORG operation, it is recommended that you always make it a permanent data set and retain it for some time after the REORG, in case required records are inadvertently removed by the REORG.
SYSIN DD Statement
Specifies the control statement data set. Usually a DD * data set or control card PDS member.
USTCRYFM JCL Examples
This section contains several examples of using USTCRYFM. To make the examples clearer, the key file data set name includes the word KEYFILE, but we recommend that to enhance security you should use a name that does not suggest that it contains encryption keys.
FORMAT a Key File Example
This example allocates a key file and formats it using the default of half-track blocking. On a 3390 (348 records/track, 15 tracks/cylinder), 500,000 records require 1,437 tracks, or about 96 cylinders, so USTCRYFM formats the entire primary allocation of 100 cylinders.
//* Format a new key file; EXEC names the program and REGION=0M gives it the maximum region.
//FORMAT   EXEC PGM=USTCRYFM,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=UPSTREAM.KEYFILE,UNIT=DISK,DISP=(,CATLG),
//            SPACE=(CYL,(100,10)),DSORG=PS
//SYSIN    DD *
FORMAT RECS=500000
/*
FORMAT a Key File (with RLSE) Example
This example allocates a key file and formats it using quarter-track blocking. On a 3390 (348 records/track), 300,000 records require 58 cylinders. Since RLSE is specified, USTCRYFM formats that many cylinders and releases the remainder.
//* Format a new key file with quarter-track blocking (B=4); RLSE frees the unformatted cylinders.
//FORMAT   EXEC PGM=USTCRYFM,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=UPSTREAM.KEYFILE,UNIT=DISK,DISP=(,CATLG),
//            SPACE=(CYL,300,RLSE),DSORG=PS
//SYSIN    DD *
FORMAT RECS=300000,B=4
/*
BACKUP a Key File Example
This example DUMPs a key file to a sequential backup data set on tape. The backup file is a GDG.
//* DUMP the key file to a new generation of a tape GDG; EXPDT=99000 keeps the copy permanently.
//DUMP     EXEC PGM=USTCRYFM,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=UPSTREAM.KEYFILE,DISP=SHR
//TAPE1    DD DSN=UPSTREAM.KEYFILE.BACKUP(+1),DISP=(,CATLG),
//            UNIT=CART,EXPDT=99000
//SYSIN    DD *
DUMP
/*
RESTORE a Key File Example
This example creates a new key file and restores data to it from a backup created by a previous DUMP.
//* Allocate a new key file and RESTORE it from the current generation of the DUMP GDG.
//RESTORE  EXEC PGM=USTCRYFM,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=UPSTREAM.KEYFILE,UNIT=DISK,DISP=(,CATLG),
//            SPACE=(CYL,(100,10)),DSORG=PS
//TAPE1    DD DSN=UPSTREAM.KEYFILE.BACKUP(0),DISP=SHR
//SYSIN    DD *
RESTORE
/*
REORG a Key File Example
This example REORGs a key file. It backs up the key file to the TAPE1 DD (a disk file), then reloads it from that backup, removing all records for disk backups that are no longer cataloged and tape backups that are no longer recorded in your tape management system (IBM DFSMSrmm or CA 1® Tape Management).
//* REORG via a disk backup (DUMPDEVICE=DISK); keep the TAPE1 data set until the result is verified.
//REORG    EXEC PGM=USTCRYFM,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=UPSTREAM.KEYFILE,DISP=SHR
//TAPE1    DD DSN=UPSTREAM.KEYFILE.BACKUP(+1),DISP=(,CATLG),
//            UNIT=DISK,SPACE=(CYL,(50,10),RLSE)
//SYSIN    DD *
REORG DUMPDEVICE=DISK,ENABLE=IFNOTCURRENT
/*
REPORT a Key File (Full) Example
This example reports on all the records currently in the key file.
//* REPORT with no operands lists every record in the key file.
//REPORT   EXEC PGM=USTCRYFM,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=UPSTREAM.KEYFILE,DISP=SHR
//SYSIN    DD *
REPORT
/*
REPORT a Key File (Selective) Example
This example reports on selected records from the key file - records for encrypted copies of backups created by USTVAULT in the last week, and where AES128 encryption was used.
//* Both criteria must hold: AES128 copies created fewer than 8 days ago.
//REPORT   EXEC PGM=USTCRYFM,REGION=0M
//STEPLIB  DD DISP=SHR,DSN=upstream.loadlib
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//ENCRYPT  DD DSN=UPSTREAM.KEYFILE,DISP=SHR
//SYSIN    DD *
REPORT ENCRYPTIONTYPE=AES128,BKDAYS<8
/*
Sample USTCRYFM REPORT
Here is a sample of the report generated by the REPORT function of USTCRYFM. The keys are displayed only if the user has UPDATE authority to the key file data set.
VOLSER/  BACKUP   BACKUP         ENCRYPTION                                  FIRST  FILE
PROFILE  DATE     TIME     FLAGS TYPE       ENCRYPTION KEY                   BK VOL SEQ  ORIGINAL BKUP DATA SET NAME
-------- -------- -------- ----- ---------- -------------------------------- ------ ---- ----------------------------------------
WIN2K8SV 2011.209 15.02.46 TGU   AESFAS     ******************************** CCR620    4 UPSTREAM.WIN2K8SV.COPYI2.D110702.T122330
WIN2K8SV 2011.209 15.02.45 TGU   AESFAS     ******************************** CCR620    3 UPSTREAM.WIN2K8SV.COPYI2.D110702.T122705
WIN2K8SV 2011.209 15.01.05 TGU   AESFAS     ******************************** CCR619    2 UPSTREAM.WIN2K8SV.COPYI2.D110728.T113233
ZVMINST1 2011.165 17.59.59 TGU   SUBST      ******************************** CCR604    2 PROD.ZVMINST1.COPYF2.G0025V00
ZVMINST1 2011.165 17.04.54 TGU   SUBST      ******************************** CCR601    2 PROD.ZVMINST1.COPYF2.G0024V00
ZVMINST1 2011.088 14.11.13 TGU   SUBST      ******************************** CCR603    2 PROD.ZVMINST1.COPYF2.G0023V00
FDR478 6 RECORDS PRINTED FROM ENCRYPT CONTROL FILE
FDR675 CONTROL FILE CONTAINS 6 ACTIVE RECORDS
FDR492 REPORT SERVICE FUNCTION ENDED - 15.54.42 - CONDITION CODE 000
FDR499 USTCRYFM (03.09.04 ) PROCESSING COMPLETED
The meaning of the FLAGS field is:
• M - a master key was used when this backup was encrypted
• G - the specific encryption key was generated by UPSTREAM
• T - this backup is on tape (otherwise it is on disk)
• D - this key record is marked for deletion
• U - data set created by UPSTREAM
USTCRYFM ICL Members
The UPSTREAM Installation Control Library (ICL), which would have been created during the main installation of the product (Chapter 3 “Installation and Configuration”) contains sample members to help you with the formatting and maintenance of the key file using USTCRYFM, as follows:
• CRYBACKP - Sample USTCRYFM to backup a key file to a tape GDG.
• CRYFRMT - Sample USTCRYFM to format a key file
• CRYPRINT - Sample USTCRYFM key file report for a particular backup profile name.
• CRYPRIN2 - Sample USTCRYFM key file report for all profiles.
• CRYREORG - Sample USTCRYFM to reorg a key file using a GDG backup.
UPSTREAM Data Encryption Recommendations
The following is a list of BMC recommendations for the implementation of the UPSTREAM data encryption feature.
• Before choosing the encryption algorithm(s) to be used by USTVAULT, take time to review the description of all encryption algorithms available under UPSTREAM (Encryption Algorithms), being careful to balance the strength of the encryption with the increased CPU requirement.
• Before implementing encryption on a given backup profile, run a “first time full” backup with the highest level of compression (“COMPRESSLEVEL 4”). Use the same level of compression for all subsequent backups taken under that backup profile. This ensures the optimum tape utilization when you create the encrypted “copy-2” backups with USTVAULT, as it avoids the “expansion” of the data when USTVAULT encrypts the data blocks before writing them to the output tape.
• Use the ENCRYPTV option in the backup profile (Backup Profiles) to enable USTVAULT encryption for a given backup profile, in preference to the ENCRYPT statement in your USTCRYPT DD.
• For additional protection, use the ENCRYPTV option in your USTVLTxx profiles (Data Encryption) to specify encryption of the vault control data set, so that the list of what each tape contains is not readable in the clear.
• Use the KEYFILE option in the UPSTREAM options table (Setting the UPSTREAM Encryption Options) to point to the key file, in preference to the KEYFILE statement in your USTCRYPT DD.
• Use the MASTERKEYID option in the UPSTREAM options table (MASTERKEYID=) to point to the suffix of a security system FACILITY class from which the master key can be obtained, in preference to the MASTERKEY operand on an ENCRYPT statement in your USTCRYPT DD.
• Let UPSTREAM automatically generate random encryption keys for you (UPSTREAM Encryption Key Management), in preference to supplying them manually on an ENCRYPT statement in your USTCRYPT DD.
• Use a master key on all encrypted copies of your backups, and be sure to keep the master key secure.
• Back up (DUMP) and REORG the key file on a regular basis with USTCRYFM (Creating the UPSTREAM Encryption Key File (USTCRYFM)), running REORG with SIMULATE first and retaining the DUMP copy until the result has been verified.
• Secure the key file from unauthorized access using your security system (UPSTREAM Data Encryption).