Data set encryption
Introduction
With z/OS data set encryption, you can encrypt data without requiring application changes. z/OS data set encryption, through SAF controls and RACF® or equivalent function along with SMS policies, allows you to identify new data sets or groups of data sets to be encrypted. You can specify encryption key labels to identify encryption keys to be used to encrypt selected data sets. The specified key label and encryption key must exist in the ICSF key repository (CKDS). With data set encryption, you are able to protect data residing on disk from being viewed by unauthorized users in the clear. Authorization is based on access to the key label that is associated with the data set and used by the access methods to encrypt and decrypt the data.
- Sequential extended format data sets, which are accessed through BSAM and QSAM
- VSAM extended format data sets (KSDS, ESDS, RRDS, VRRDS, LDS), accessed through base VSAM and VSAM RLS
Sequential basic format data sets, accessed through BSAM, QSAM and EXCP. (Note:
EXCP access does require application
changes.)
- Sequential large format data sets, accessed through BSAM, QSAM and EXCP. (Note:
EXCP access does require application
changes.)
Encrypted data sets must be SMS-managed. Encrypted extended format data sets can also be compressed
format.
| Importance of host-based compression |
|---|
| It is recommended that clients using host-based encryption also exploit
host-based compression prior to the encryption of the data. If the data is not compressed prior to
the encryption there can be consequences to other parts of the client infrastructure. For example,
replicated data that is being compressed in the SAN infrastructure by DWDM technology will no longer
be effective trying to compress encrypted data. Without compressing prior to the encryption of the
data, additional bandwidth might be required. Another example might be that tape systems can require additional capacity in terms of disk space, in the case of virtual tape, or tape cartridges. If deduplication of data is supported, host encryption can prevent deduplication from working. Therefore, where possible, use compressed format data sets. With encrypted compressed format data sets, the access methods perform compression before encryption. See Considerations when planning for data set encryption for more information. |
To create an encrypted data set, a key label must be supplied on new data set allocation. The key label must point to an AES-256 bit encryption DATA key within the ICSF key repository (CKDS) to be used to encrypt or decrypt the data. For each encrypted data set, its key label is stored in the catalog. The key label is not sensitive information; it identifies the encryption key, which is sensitive; therefore, IBM recommends only using secure keys. For more information, see z/OS Cryptographic Services ICSF System Programmer's Guide.
Hardware requirements
Exploitation of this function requires IBM® Enterprise z196 or later. It also requires the following cryptographic hardware features:
- Crypto Express3 Coprocessor or later
- Feature 3863, CP Assist for Cryptographic Functions (CPACF)
Operating System requirements
- ICSF is installed and configured with a CKDS and AES master key loaded. See Considerations regarding ICSF startup and shutdown for more information.
Coexistence requirements
- On a z/OS V2R3 or z/OS V2R4 system with OA56622, or on a later system, you can
create and access encrypted basic and large format data
sets.
- On a z/OS V2R2 system with OA50569, you can create encrypted extended
format data sets as well as access encrypted extended format data sets
created on a z/OS V2R2 (with OA50569) or later system.
- On a z/OS V2R1 system with OA50569, you cannot create encrypted extended
format data sets. However, you can access encrypted extended format data
sets created on a z/OS V2R2 (with OA50569) or later system.
extended format
data sets is z/OS V2R1 with OA50569. An attempt to access an encrypted extended
format data set on a lower release will result in loss of access to the data. Ensure that all
systems are at the minimum hardware and software levels before encrypting any data sets.Before enabling this function
Because data set encryption has both hardware and software requirements, you must consider all systems that share data with a system on which you plan to enable data set encryption before creating an encrypted data set. This includes backout software levels, backup systems, read-only systems, replication target systems and disaster recovery systems. Before encrypting data sets other than those used for testing, be sure that all the systems that must access encrypted data sets are capable of doing so by meeting the required hardware and software requirements. In addition to the hardware and software requirements that must be available on every system that will access the encrypted data sets, all key labels and encryption keys that are associated with the encrypted data sets must also be available.
- Define the STGADMIN.SMS.ALLOW.DATASET.ENCRYPT profile in the FACILITY class, and set the
universal access to
NONE:
RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE) - If the FIELD class is active, check for any profile that would allow any user without SPECIAL
attribute access to the DATASET.DFP.DATAKEY. If there are none, no additional action is needed. If
there is any profile that would allow access to DATASET.DFP.DATAKEY, create a DATASET.DFP.DATAKEY
profile in the FIELD class with a UACC of
NONE:
RDEFINE FIELD DATASET.DFP.DATAKEY UACC(NONE)
Tasks for setting up data set encryption
Performing the following tasks is necessary to begin using data set encryption.
Create key labels and encryption keys
To create an encrypted data set, a key label must be assigned to the data set. The key label and its associated AES-256 bit encryption key must exist in the CKDS by the time the data set is opened. To create keys in the CKDS, refer to z/OS Cryptographic Services ICSF System Programmer's Guide. IBM recommends the use of secure keys.
Set up CSFKEYS
To control which users can use which keys, protect resources CSFKEYS class. The CSFKEYS class controls access to cryptographic keys identified by the key label.
- Grant the user READ authority to the resource key-label in the CSFKEYS class. This authority can
be granted for all uses of the key-label or only when the use of the key-label is permitted when
using a CRITERIA value of DSENCRYPTION for SMS. - if the class has not already been enabled for generics
SETROPTS GENERIC(CSFKEYS)- Define profiles in the CSFKEYS class to protect key labelsRDEFINE CSFKEYS profile-name UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))- Give the users (preferably groups) access to the profiles
orPERMIT profile-name CLASS(CSFKEYS) ID(name) ACCESS(READ)PERMIT profile-name CLASS(CSFKEYS) ID(name) ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION))) - Define the ICSF information for the key with SYMCPACFWRAP(YES) and SYMCPACFRET(YES), if it was
not specified on the DEFINE
RALTER CSFKEYS profile-name ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES)) - Set RACF options- if the CSFKEYS class is not already active
SETROPTS CLASSACT(CSFKEYS)- if the CSFKEYS class has not already been RACLISTedSETROPTS RACLIST(CSFKEYS)- or if the CSFKEYS class has already been RACLISTedSETROPTS RACLIST(CSFKEYS) REFRESH
Set up CSFSERV
Protect the resources CSFSERV class. ICSF controls access to cryptographic services through the CSFSERV resource class. For more information, see z/OS Cryptographic Services ICSF Administrator's Guide.
| Function | ICSF callable service | Resource |
|---|---|---|
| CKDS Key Record Read2 | CSNBKRR2 | CSFKRR2 |
- Grant the user READ authority to the resource CSFSERV class:- if the class has not already been enabled for generics
SETROPTS GENERIC(CSFSERV)- Define profiles in the CSFSERV class to protect key labelsRDEFINE CSFSERV * UACC(NONE)- Define profile CSFKRR2 if it does not existRDEFINE CSFSERV CSFKRR2 UACC(NONE)- Give the users (preferably groups) accessPERMIT CSFKRR2 CLASS(CSFSERV) ID(groupid) ACCESS(READ) - Set RACF options:- if the CSFSERV class is not already active
SETROPTS CLASSACT(CSFSERV)- if the CSFSERV class has not already been RACLISTedSETROPTS RACLIST(CSFSERV)- or if the CSFSERV class has already been RACLISTedSETROPTS RACLIST(CSFSERV) REFRESH
Create an encrypted data set
- RACF® data set profile
- JCL, dynamic allocation, TSO ALLOCATE, IDCAMS DEFINE
- SMS data class
To specify a key label using the DFP segment in the RACF data set profile, use keyword
DATAKEY(Key-Label). The system will use this key label for data sets that are
created after DATAKEY is added to the data set profile. Use keyword NODATAKEY to remove a key label,
if defined, from the RACF DFP segment. The key label is
ignored for a data set that is not a DASD data set.
To specify a key label using JCL, dynamic allocation, or TSO allocate, use JCL keyword DSKEYLBL='key-label', dynamic allocation text unit DALDKYL, or TSO allocate DSKEYLBL(key-label). DSKEYLBL parameter is effective only if the new data set is on DASD. The key label is ignored for a data set that is not a DASD data set.
See details about the DSKEYLBL parameter(key-label) keyword on the JCL DD statement in z/OS MVS JCL Reference.
To specify a key label using SMS data class, use the Data Set Key
Label field on the ISMF DEFINE/ALTER panel. The system will use this key label for
data sets that are created after the data set key label is added to the data
class. The key label is ignored for a data set that is not a DASD data set.
See details on using the new Data Set Key Label field in the ISMF panels in z/OS DFSMS Using the Interactive Storage Management Facility.
To specify a key label using the DEFINE CLUSTER command for a VSAM CLUSTER, use the KEYLABEL parameter; for example, KEYLABEL(MYLABEL). Any alternate index associated with the CLUSTER will also be encrypted and use the same key label as specified for the CLUSTER. The key label is ignored for a data set that is not a DASD data set.
For more information on using the DEFINE CLUSTER command for a VSAM CLUSTER, see z/OS DFSMS Access Method Services Commands.
- From the DFP segment in the RACF data set profile.
- Explicitly specified on the DD statement, dynamic allocation text unit, TSO ALLOCATE command, or DEFINE CLUSTER control statement.
- From the data class that applies to the current DD statement.Note: The REFDD and LIKE JCL DD statement keywords do not cause a key label from the data set referred to be used when allocating a new data set.
IGD17150I DATA SET dsname IS ELIGIBLE FOR ACCESS METHOD ENCRYPTION
KEY LABEL IS (key_label)Specifying a key label for a non-extended format data set
If an encryption key label is specified for a DASD data set that is not extended format and the FACILITY class resource STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT is not
defined, the key label is ignored and the data set is successfully created as non-encrypted
non-extended format data set. In addition, SMS message IGD17156I is issued (or if using IDCAMS
DEFINE and data set is non-SMS managed, message IDC3040I is issued) indicating that the key label is
ignored. Instead to have the system fail the allocation, the user must have at least READ authority
to the resource in the FACILITY class: STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC
If this facility class resource exists and the user has at least read authority, SMS will fail the allocation and issue message IGD17151I (or if using IDCAMS DEFINE and non-SMS managed data set request, message IDC3039I is issued).
Encrypted data sets must be SMS-managed. Encrypted extended format data sets can
also be compressed
format.
Specifying a key label for a basic or large format data set
With z/OS V2R3 and z/OS V2R4 systems (with OA56622) or higher levels, data set encryption supports basic and large format data sets. To indicate that the specification of a key label should result in the creation of an encrypted basic or large format data set (that is, indicate if the basic and large format data sets type should be regarded as a supported data set type for data set encryption), the data set must be SMS-managed and the following resource in the RACF FACILITY class must be defined: STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT.
The system checks whether this resource is fully defined when the data set is first allocated (created). The system does not require any authorization to be specified for this resource in order for it to take affect. Therefore, the resource must not be defined until basic and large format data sets are to be created as encrypted.
- The prefix will not be allowed on WRITE or PUT requests, nor returned on READ and GET requests.
- The system-determined block size algorithm will take the block prefix length into consideration.
Applications using standard BSAM and QSAM APIs require no, or minimal changes, to access encrypted basic and large format data sets. Minimal change may be required if the application performs DASD space calculations that must take into account the block prefix. Applications using EXCP require changes to access encrypted basic and large format data sets by performing encryption and decryption of data. The IGGENC macro can be used to simplify encryption and decryption of data while ensuring compatibility with the access methods. (Note: All references to EXCP apply equally to the EXCPVR and XDAP macros, unless otherwise stated.)
The restrictions identified under Restrictions for encrypted data sets also apply to encrypted basic and large format data sets. Additional restrictions associated with encrypted basic and large format data sets are identified in Additional restrictions for basic and large format encrypted data sets.
Candidates for encrypted basic and large format data sets
- SMF Type 14 and SMF Type 15 records are mapped by macro IFGSMF14.
- SMF Type 42-6 records are mapped by macro IGWSMF.
You must determine that the data set is a basic or large format data set. You can do this by testing a field in the JFCB which is found in SMFJFCB1. Test JFCDSORG for bit JFCORGPS being on and test for bit SMF14STR being off. This combination indicates the data set is a sequential data set but not extended format.
- SMF14JBN for the jobname
- SMFJOBID for the job identifier
- SMF14SPN for the step name
- SMF14PGN for the program name
- S42JDJNM for the jobname
- Scan your programs for use of EXCP, EXCPVR or XDAP macros
- Review SMF Type 14 and SMF Type 15 records:
- You can use SMFDCBMF to identify data sets opened with EXCP. This is a 2 byte field which is a copy of DCBMACRF, where the high order bit indicates MACRF=E. You can find DCBMACRF in the DCBD mapping macro.
- You can then also use SMF14EXCPBAM bit to identify data sets opened with BSAM or QSAM, but then accessed via EXCP.
- Review SMF 42-6 records:
- You can use S42DSEXC to identify data sets opened with EXCP.
Note: Use the z Batch Network Analyzer tool to identify data sets accessed by EXCP, as it uses the SMF records to make this determination. - To determine if your data set is accessed by an EXCP application that can support encrypted data sets:
- You can use flag SMF14DSENCRYPTOK to identify whether the application program used
EXCP and the program is enabled to handle data set encryption for basic and large format data sets.
This does not imply that the data set is DASD.Note: The system detects this condition by testing DCBE DSENCRYPT=OK is specified regardless of the data set type.
- You can use flag SMF14DSENCRYPTOK to identify whether the application program used
EXCP and the program is enabled to handle data set encryption for basic and large format data sets.
This does not imply that the data set is DASD.
Determine if your data sets meet the restrictions for encrypted basic/large format data sets
- You can use the SMFJFCB1 field to find the block size of the data set. Using the JFCB mapping macro, IEFJFCBN, test field JFCBLKSI to determine if the block size is at least the minimum required for encryption, which is 16 bytes.
- You can use S42DSBSZ in SMF 42-6 for block size.
- You can use the SMFJFCB1 field to find the record length of the data set. Using the JFCB mapping macro, IEFJFCBN, test field JFCLRECL to determine if the record length is at least the minimum required for encryption, which is 16 bytes for record format F(B(S)) and 12 bytes for record format V(B(S)). Use SMFDCBRF to determine the record format, which is mapped the same as DCBRECFM.
- You can also use the following to view the record format, block size and record length:
- TSO LISTDSI command for REXX
- IEHLIST LISTVTOC
- ISPF option 3.2
- You can use the SMFJFCB1 field to determine if hardware keys are used with the data set. Using the JFCB mapping macro, IEFJFCBN, test field JFCKEYLE for zeros to ensure no hardware keys are in use.
- You can use the SMF14DDA bit to determine if BDAM has been used to access the data set. If the flag is on, this data set is not a candidate for encryption.
- To determine the block size, you can use DCDBKLNG.
- To determine the record length, you can use DCDLRECL.
- To determine the record format, you can use DCDRECRD. This is a copy of DCBRECFM.
- To determine the data set organization, you can use DCDDSORG.
Enable data set encryption
An enablement action is required to allow the creation of encrypted data sets when the key label is specified through a method outside of the DFP segment in the RACF data set profile.
To allow the system to create encrypted data sets using a key label specified through a method other than through the DFP segment in the RACF data set profile, the user must have at least READ authority to the following resource in the FACILITY class:
STGADMIN.SMS.ALLOW.DATASET.ENCRYPTThe system checks the user's authority to access this resource when a data set to be encrypted is first allocated (that is, created). It is not checked again before encrypting a data set.
Allocation processing
SMS allocation processing determines if a data set can be allocated as an encrypted data set. Under certain conditions, you can specify how the allocation should proceed. The following tables summarize the system behavior during SMS allocation processing for a new data set based on specific FACILITY class resources and the user's authorization to the resource.
On a z/OS V2R2 system (with OA50569) and later, the following table describes the result of an allocation request for an extended format data set when a key label has been specified. On a successful allocation, the resulting data set will be an encrypted extended format data set. Other factors not described in this table (such as lack of space) might cause the allocation to fail.
Encrypted data sets must be SMS-managed. Encrypted extended format data sets can
also be compressed
format.
| FACILITY class resource | STGADMIN.SMS.ALLOW.DATASET.ENCRYPT | |||
|---|---|---|---|---|
| Access | Not defined OR not authorized | At least authorized for READ | ||
| Allocation type | JCL | IDCAMS DEFINE | JCL | IDCAMS DEFINE |
| Key label from DFP segment of RACF DS profile | Allocation continues with IGD17150I | Allocation continues with IGD17150I | Allocation continues with IGD17150I | Allocation continues with IGD17150I |
| Key label from a source other than DFP segment of RACF DS profile | Allocation fails with IGD17155I | Allocation fails with IDC3038I | Allocation continues with IGD17150I | Allocation continues with IGD17150I |
On a z/OS V2R2 system (with OA50569) and above, the following table describes the result of an allocation request for a DASD non-extended format data set when a key label has been specified from any source. On a successful allocation, the resulting data set will be a non-encrypted non-extended format data set. Other factors not described in this table (such as lack of space) might cause the allocation to fail.
| FACILITY class resource | STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC | |||
|---|---|---|---|---|
| Access | Not defined OR not authorized | At least authorized for READ | ||
| Allocation type | JCL | IDCAMS DEFINE | JCL | IDCAMS DEFINE |
| SMS mgd | Allocation continues with IGD17156I | Allocation continues with IGD17156I | Allocation fails with IGD17151I | Allocation fails with IGD17151I |
| non-SMS mgd | Allocation fails with IGD17156I | Allocation fails with IDC3040I | Allocation fails with IGD17151I | Allocation fails with IDC3039I |
On a z/OS V2R1 system (with OA50569), the following table describes the result of an allocation request for a DASD data set (extended format and non-extended format) when a key label has been specified from any source. On a successful allocation, the resulting data set will be a non-encrypted data set since you cannot create new encrypted data sets on a z/OS V2R1 system. Other factors not described in this table (such as lack of space) might cause the allocation to fail.
| FACILITY class resource | STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC | |||
|---|---|---|---|---|
| Access | Not defined OR not authorized | At least authorized for READ | ||
| Allocation type | JCL | IDCAMS DEFINE | JCL | IDCAMS DEFINE |
| Key label specified on JCL (DSKEYLBL) | Job fails with IEFC630I | N/A | Job fails with IEFC630I | N/A |
| Key label specified on IDCAMS DEFINE (KEYLABEL) | N/A | Allocation fails with IDC3211I | N/A | Allocation fails with IDC3211I |
| Key label from DFP segment of RACF DS profile or from data class) | Refer to the following two rows | |||
| SMS mgd | Allocation continues with IGD17156I | Allocation continues with IDC3040I | Allocation fails with IGD17154I | Allocation fails with IDC0017I |
| non-SMS mgd | Allocation continues with IGD17156I | Allocation continues with IDC3040I | Allocation fails with IGD17154I | Allocation fails with IDC0017I |
Accessing encrypted data sets
Applications that use standard BSAM, QSAM, and VSAM APIs do not require changes to access encrypted data sets. The user data transferred between the application and the access methods is in the unencrypted form. The access method encrypts the data when writing to DASD and decrypts the data when reading from DASD. For encrypted compressed format data sets, the access method compresses the data before encrypting it on output. On input, the access method decrypts the data before decompressing it.
Considerations regarding ICSF startup and shutdown
If you plan to encrypt SMF data sets or other data sets used during z/OS initialization, you must ensure that ICSF is started early in the IPL process to avoid delays in z/OS initialization and termination. As such, it is highly recommended the command S CSF,SUB=MSTR is placed early in the COMMNDxx member to ensure that there is minimum delay in z/OS initialization. Specifying SUB=MSTR is necessary to allow ICSF to start before JES.
Furthermore, during z/OS system shutdown, ICSF must be one of the last features to stop so that dependent functions are not impacted. It is highly recommended that you shut down ICSF after terminating the JES address space and after initiating SMF halt processing. Note when ICSF is stopped after SMF is halted, that there might not be an SMF record cut for the termination of ICSF. (The ability to start ICSF with SUB=MSTR is available on all supported releases of ICSF.)
Considerations regarding backup/migration/replication functions
Key label authorization
- DFSMSdss functions: COPY, DUMP, and RESTORE
- DFSMShsm functions: migrate/recall, backup/recover, abackup/arecover, dump/data set restore, FRBACKUP/FRRECOV DSNAME
- Track based copy (PPRC, XRC, FlashCopy®, concurrent copy) operations
- DFSMSdss REBLOCK keyword is ignored on COPY and RESTORE functions for encrypted data sets.
- DFSMSdss ADRREBLK installation exit will not be called for encrypted data sets.
- DFSMSdss does not support VALIDATE processing when backing up encrypted indexed VSAM data sets. VALIDATE will be ignored.
- Backup and migration of encrypted data sets may impact expected savings with disk or tape device compression. Where possible, convert to compressed format data sets. When data set level compression requested, access methods handle compression before encryption for compressed format encrypted data sets.
Considerations when planning for data set encryption
- Encrypted data sets can be extended format. Refer to Extended-Format VSAM Data Sets and Processing Extended-Format Sequential Data Sets for information on allocating extended format data
sets, including guidelines and restrictions.
- Sequential extended format data sets can be version 1 or 2. When allocating an encrypted sequential extended format data set, the system creates the data set as an extended format version 2 data set, regardless of the user's specification for version number on DSNTYPE or the PS_EXT_VERSION keyword in the IGDSMSxx member in PARMLIB.
- Encrypted data do not compress. Therefore, encrypted data
sets might not benefit from storage savings when relying on disk and tape device compression, as
well as other areas in the infrastructure that attempt to compress data. Where possible, consider
using compressed format data sets. (Note that only sequential extended format data sets and VSAM
extended format KSDS data sets can be compressed format.) When data set level compression is
requested along with encryption, access methods handle compression before encryption for encrypted
compressed format data sets. Refer to Compressed Data and Allocating Compressed-Format Data Sets for
information on allocating compressed format data sets, including guidelines and restrictions. Only
sequential extended format data sets and VSAM extended format KSDS data sets can be compressed
format.
- When processing encrypted data sets, the access methods may
use additional internal system buffers during read and write processing. For optimal performance,
consider increasing memory to your user address space as your use of encrypted data sets
increases.
Restrictions for encrypted data sets
- System data sets (such as Catalogs, SMS control data sets, SHCDS, HSM data sets) must not be encrypted, unless otherwise specified in product documentation.
- Data sets used during IPL must not be encrypted.
- Encrypted data sets only supported on 3390 device types.
- Sequential (non-compressed) data sets with a BLKSIZE of less than 16 bytes cannot be encrypted.
Additional restrictions for basic and large format encrypted data sets
- The minimum size of any user block written to an encrypted data set is 16 bytes.
Using BSAM or QSAM, an attempt to write a block less than 16 bytes will fail with ABEND
002-F2.
- The minimum DCB LRECL is 16 bytes for RECFM (F(B(S)) and 12 bytes for RECFM
V(B(S)). An attempt to open a data set with LRECL less than the minimum supported will fail with
ABEND
213-89.
- Encrypted basic and large format data sets do not support hardware keys (DCBKEYLE).
An attempt to open a data set with a non-zero key length will fail with 213-99. Diagnostic
information in the message will clearly identify the reason for this
failure.
- BDAM does not support processing encrypted basic and large format data sets. An
attempt to open an encrypted basic or large format data set with BDAM will fail with 213-99.
Diagnostic information in the message will clearly identify the reason for this
failure.
- Checkpoint/Restart does not support open encrypted basic or large format data sets.
Also, checkpoint data sets cannot be encrypted. An attempt to take a checkpoint when an encrypted
basic or large format data set is open or when the checkpoint data set is encrypted, will fail with
return code 08 and reason code
568.
For potential restrictions associated with other products, consult the corresponding product documentation.
See the following publications for more details on data set encryption support: