Encryption methods
You can use InfoSphere® Guardium Data Encryption to create an encryption method to encrypt your data. Several options for encryption methods are available to meet the specific needs of your environment.
The encryption method that you create is linked with one of the different InfoSphere Guardium Data Encryption encryption methods that are provided with the product. The different InfoSphere Guardium Data Encryption encryption methods use Integrated Cryptographic Service Facility (ICSF), callable services, or z/Architecture Cipher instructions to encrypt the data. Data is encrypted by using a key that is managed by ICSF.
Cryptographic key encryption methods
Each InfoSphere Guardium Data Encryption encryption method uses ICSF callable services to support one or more of the following encryption methods for the cryptographic key label:
- CPACF protected key
- A high performance key encryption method type that is available on IBM® System z10® Enterprise Class GA3 and later mainframes. A CPACF protected key is not visible to applications or to the operating system during encryption.
- Clear key with CPACF protected key wrapping
- A high performance key encryption method type that is available on IBM System z10 Enterprise Class GA3 and later mainframes. A clear key with CPACF protected key wrapping uses an ICSF defined clear key, which is encrypted by using a CPACF instruction and an LPAR wrapping key. The resulting encrypted token is available in the user address space.
- Clear key
- A key type that is available on IBM zSeries z990, IBM zSeries z890, and later mainframes. A clear key is not encrypted under another key.
- Secure key
- A key that is encrypted under a master key. The secure key never exists unencrypted outside of the cryptographic coprocessor.
- Secure key with CPACF protected key wrapping
- A high performance key encryption method type that is available on IBM System z10 Enterprise Class GA3 and later mainframes. This option is made available through the application of the PTF for APAR OA50450 applied to FMID HCR77B1, HCR77B0, HCR77A1, and HCR77A0.
- A secure key with CPACF protected key wrapping uses an ICSF defined secure key, which is encrypted by using a CPACF instruction and an LPAR wrapping key. The resulting encrypted token is available in the user address space.
RACF enables you to restrict access to ICSF managed keys and authorize an ICSF-defined secure key to be used as an ICSF protected key. InfoSphere Guardium Data Encryption processing has no control over the security environment that is used when ICSF performs an authorization check. In some cases, the security environment that is used for the authorization check will be different from the security environment that is associated with the user who makes the request. For more information about how to use RACF to authorize users of specific key labels, see Using RACF to Protect Keys and Services on the IBM Knowledge Center: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.csfb300/ctl.htm#ctl.
For more information about protected keys, see the z/OS Cryptographic Services ICSF Administrator’s Guide, Enabling use of encrypted keys in Symmetric Key Encipher and Symmetric Key Decipher callable services: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.csfb300/enuenc.htm.
For more information about creating keys by using KGUP, see the z/OS Cryptographic Services ICSF Administrator’s Guide, Using KGUP Panels: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.csfb300/csfb300_Using_KGUP_Pa
The following tables show the relationships between the InfoSphere Guardium Data Encryption encryption methods and the types of cryptographic key label encryption. Performance results might vary in your environment.
InfoSphere Guardium Data Encryption exit routine for DB2® | Key encryption | Sample member | Performance |
---|---|---|---|
DECENA00 | Clear key | DECDB2CK | Lowest overhead, best performance |
DECENAA0 | CPACF-wrapped secure or clear key | DECDB2XK | Lowest overhead, best performance |
DECENB00 | CPACF protected key | DECDB2CL | Low overhead, good performance |
DECENBI0 | CPACF protected key plus unique Initial Chaining Vector (ICV) generation | DECDB2CL | Low overhead, good performance |
DECENC00 | Secure key | DECDB2JB and DECDB2SK | Most overhead, most latency |
DECENCA0 | Secure key plus AES | DECDB2JB | Most overhead, most latency |
InfoSphere Guardium Data Encryption exit routine for DB2 | Key encryption | Sample member | Performance |
---|---|---|---|
DECENF00 | CPACF protected key | DECDBFCL | Low overhead, good performance |
InfoSphere Guardium Data Encryption exit routine for DB2 | Key encryption | Sample member | Performance |
---|---|---|---|
DECENU00 | CPACF protected key | DECDB2UD | Low overhead, good performance |
DECENUI0 | CPACF protected key | DECDB2UD and DECUXUDF (sample SQL statements) | Low overhead, good performance |
DECENUP0 | CPACF protected key | DECDB2UD | Low overhead, good performance |
DECENUBL | CPACF protected key | DECDB2UD | Low overhead, good performance |
InfoSphere Guardium Data Encryption exit routine for IMS™ | Key encryption | Sample member | Performance |
---|---|---|---|
DECENA01 | Clear key | DECIMSCK | Lowest overhead, best performance |
DECENAA1 | CPACF-wrapped secure key or clear key with CPACF protected key wrapping, batch ICSF CHECKAUTH recurring bypass | DECIMSCB | Low overhead, good performance |
DECENB01 | CPACF protected key | DECIMSCB | Low overhead, good performance |
DECENBB1 | CPACF-wrapped secure key or CPACF protected key with batch ICSF CHECKAUTH recurring bypass | DECIMSCB | Low overhead, good performance |
DECENC01 | Secure key | DECIMSJB | Most overhead, most latency |
If you are operating on an earlier mainframe than the System z10 Enterprise Class GA3, the DECENB01 exit routine can be a clear key exit routine that supports the Advanced Encryption Standard (AES) up to 128-bit.
- If ICSF APAR OA50450 is installed:
  - DECENAA0, DECENAA1, and DECENBB1 will work with all clear key labels
  - DECENAA0 and DECENAA1 will only work with secure key labels that are defined with SYMCPACFWRAP(YES) and SYMCPACFRET(YES). DECENBB1 will work with secure key labels, but performance will be improved when using key labels that are defined with SYMCPACFWRAP(YES) and SYMCPACFRET(YES).
- If ICSF APAR OA50450 is not installed:
  - DECENAA0, DECENAA1, and DECENBB1 will work with all clear key labels
  - With secure key labels, DECENAA0 and DECENAA1 will not work, and DECENBB1 performance will be degraded
The InfoSphere Guardium Data Encryption encryption methods encrypt and decrypt data differently. Some of the encryption methods employ Integrated Cryptographic Service Facility (ICSF) callable services to perform the processing. Others use the zSeries Cipher Message with Chaining (KMC) or Cipher Message with Feedback (KMF) hardware instruction. When KMC or KMF is used, the encryption key data is obtained by using an ICSF callable service.
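KMC and KMF are the hardware forms of the CBC and CFB chaining modes, and the table above distinguishes DECENB00 from DECENBI0 only by the latter's unique Initial Chaining Vector (ICV) generation. The following Go program is an added example, not code from the product or from IBM: it reproduces the two modes on the host side with the Go standard library and shows, with a constructed key and sample row, why a unique ICV matters. Under one key and one fixed ICV, two equal plaintexts always encrypt to the same ciphertext, so equal column values stay recognisable as equal across rows; a fresh ICV per encryption removes that. All names in the code (Mode, KMC, KMF, Encrypt, EncryptWithUniqueICV, LeaksEquality) are this example's own, and prepending the ICV to the ciphertext is this example's convention, not a statement about how the exit routines store it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Mode names the chaining mode behind the two z/Architecture instructions
// the text mentions: KMC (Cipher Message with Chaining) is CBC, KMF (Cipher
// Message with Cipher Feedback) is CFB. These Go names are the example's own.
type Mode int

const (
	KMC Mode = iota // CBC mode
	KMF             // CFB mode
)

// pad appends PKCS#7 padding; CBC needs a whole number of blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#7 padding and rejects malformed padding.
func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt encrypts plaintext under key (16, 24 or 32 bytes) in the given
// mode with a caller-supplied ICV, which must be exactly one AES block.
func Encrypt(mode Mode, key, icv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(icv) != aes.BlockSize {
		return nil, errors.New("ICV must be exactly one AES block")
	}
	switch mode {
	case KMC:
		pt := pad(plaintext)
		out := make([]byte, len(pt))
		cipher.NewCBCEncrypter(block, icv).CryptBlocks(out, pt)
		return out, nil
	case KMF:
		out := make([]byte, len(plaintext))
		cipher.NewCFBEncrypter(block, icv).XORKeyStream(out, plaintext)
		return out, nil
	}
	return nil, errors.New("unknown mode")
}

// Decrypt reverses Encrypt with the same key, mode and ICV.
func Decrypt(mode Mode, key, icv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(icv) != aes.BlockSize {
		return nil, errors.New("ICV must be exactly one AES block")
	}
	switch mode {
	case KMC:
		if len(ciphertext)%aes.BlockSize != 0 {
			return nil, errors.New("ciphertext is not a whole number of blocks")
		}
		out := make([]byte, len(ciphertext))
		cipher.NewCBCDecrypter(block, icv).CryptBlocks(out, ciphertext)
		return unpad(out)
	case KMF:
		out := make([]byte, len(ciphertext))
		cipher.NewCFBDecrypter(block, icv).XORKeyStream(out, ciphertext)
		return out, nil
	}
	return nil, errors.New("unknown mode")
}

// EncryptWithUniqueICV draws a fresh random ICV for every call and prepends
// it to the ciphertext (this example's convention), mirroring the per-row
// unique ICV generation the text attributes to DECENBI0.
func EncryptWithUniqueICV(mode Mode, key, plaintext []byte) ([]byte, error) {
	icv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(icv); err != nil {
		return nil, err
	}
	ct, err := Encrypt(mode, key, icv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(icv, ct...), nil
}

// DecryptWithUniqueICV splits off the prepended ICV and decrypts the rest.
func DecryptWithUniqueICV(mode Mode, key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("data too short to hold an ICV")
	}
	return Decrypt(mode, key, data[:aes.BlockSize], data[aes.BlockSize:])
}

// LeaksEquality reports whether two plaintexts encrypt identically under one
// key and one fixed ICV. For equal inputs this is always true: that is the
// pattern leakage a unique ICV per encryption removes.
func LeaksEquality(mode Mode, key, icv, a, b []byte) (bool, error) {
	ca, err := Encrypt(mode, key, icv, a)
	if err != nil {
		return false, err
	}
	cb, err := Encrypt(mode, key, icv, b)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ca, cb), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte test key, not a real key
	fixedICV := make([]byte, aes.BlockSize)             // all-zero ICV reused for every row
	row := []byte("ACCT-0001 000-00-0000")              // constructed sample column value
	leaks, _ := LeaksEquality(KMC, key, fixedICV, row, row)
	fmt.Println("fixed ICV, equal rows give equal ciphertext:", leaks)
	c1, _ := EncryptWithUniqueICV(KMC, key, row)
	c2, _ := EncryptWithUniqueICV(KMC, key, row)
	fmt.Println("unique ICV, equal rows give equal ciphertext:", bytes.Equal(c1, c2))
}
```

Running the program prints `true` for the fixed-ICV case and `false` for the unique-ICV case; the same contrast holds in KMF mode, where the first block of keystream depends only on the key and the ICV.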
Encryption method creation
Each encryption method that you create is linked with one of the InfoSphere Guardium Data Encryption methods and the corresponding ICSF callable service.
The following figure illustrates the process of creating an encryption method.
As the previous figure illustrates, an encryption method is created with this process:
- An InfoSphere Guardium Data Encryption encryption method and the corresponding ICSF callable service are link-edited into the encryption method.
- The AMASPZAP program puts the cryptographic key label into your encryption method.
- Your encryption method is placed in the IMS or DB2 exit library.
Encryption standards
The following tables show the encryption standards that are supported by each of the InfoSphere Guardium Data Encryption encryption methods.
InfoSphere Guardium Data Encryption exit routine for DB2 | Encryption algorithm |
---|---|
DECENA00 | AES, Triple DES, or DES |
DECENAA0 | AES, Triple DES, or DES |
DECENB00 | AES |
DECENBI0 | AES |
DECENC00 | Triple DES, or DES |
DECENCA0 | AES |
InfoSphere Guardium Data Encryption exit routine for DB2 | Encryption algorithm |
---|---|
DECENF00 | AES |
InfoSphere Guardium Data Encryption exit routine for DB2 | Encryption algorithm |
---|---|
DECENU00 | AES |
DECENUBL | AES |
DECENUI0 | AES |
DECENUP0 | AES |
InfoSphere Guardium Data Encryption exit routine for IMS | Encryption algorithm |
---|---|
DECENA01 | Triple DES or DES |
DECENAA1 | AES, DES, and Triple DES |
DECENB01 | AES |
DECENBB1 | AES |
DECENC01 | Triple DES or DES |
Tip: To use a clear key, use either DECENA01 or DECENAA1. To use a CPACF-wrapped secure key, use either DECENAA1 or DECENBB1.
Important: DECENAA1 and DECENBB1 require the Guardium Data Encryption subsystem to run. For more information, see Setting up the Guardium Data Encryption subsystem.
Note: