Replacing the Key Encrypting Key Structure

z/OS DFSMSdfp Utilities
SC23-6864-00

You can use the REKEY function of the IEHINITT utility to replace the key encrypting key structure stored on a tape cartridge. This lets you export a cartridge to a business partner without sharing your private key and without rewriting the whole tape: the data key is re-encrypted under a public key whose private half the partner holds, so the partner can decrypt the tape on a different tape drive. You can also use REKEY to enforce a security policy under which key encrypting keys expire periodically.

When you encrypt a tape cartridge, you also encrypt the data key that encrypts and decrypts the data on the tape. You can specify up to two key labels, so the data key is encrypted with up to two different public keys, producing one externally encrypted data key for each key label. The externally encrypted data keys are stored in the cartridge memory, outside the user data area. REKEY re-encrypts the data key under new key labels; for example, one label can then be used locally and the other offsite.

IEHINITT uses SAF (RACF) for security checking in both library and non-library environments. The check is made at the volume level, not at the data set level: you must have UPDATE authority to the volume in CLASS=TAPEVOL to use the REKEY function.

Attention: Implement security protection to prevent unauthorized users from accessing or destroying data. The REKEY function can overwrite the existing key labels stored on a tape regardless of the expiration dates of the data sets on it, after which the data can be read only through the new key labels. Installation exits are notified of key-label changes through the dynamic exit routines, which provide no security protection of their own.
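The key structure described above, and the overwrite behaviour the Attention note warns about, as an added Go example that is not part of this manual and does not model the real cartridge memory format, the IEHINITT control statements or any IBM key manager: the user data is sealed under a random data key, that data key is wrapped under up to two RSA public keys (one externally encrypted data key, EEDK, per key label), and a rekey unwraps it with a private key the holder already has and rewraps it under the new labels without touching the ciphertext. The type and function names, the two-label limit enforced in code, the choice of RSA-OAEP and AES-GCM, and the label names are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PubKeys maps a key label to the public key that wraps the data key under it.
type PubKeys = map[string]*rsa.PublicKey

// Cartridge is an illustrative model of an encrypted tape, not the real cartridge memory
// layout: user data sealed under one data key, plus one EEDK per key label held outside it.
type Cartridge struct {
	Nonce      []byte
	Ciphertext []byte            // AES-GCM output; Rekey never rewrites it
	EEDKs      map[string][]byte // key label -> data key wrapped with RSA-OAEP
}

const maxKeyLabels = 2 // the page allows at most two key labels per cartridge

// NewKeyPair stands in for a key pair held by an external key manager (assumed helper).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// wrapAll produces one EEDK per label and enforces the two-label limit.
func wrapAll(keys PubKeys, dk []byte) (map[string][]byte, error) {
	if len(keys) == 0 || len(keys) > maxKeyLabels {
		return nil, fmt.Errorf("need 1..%d key labels, got %d", maxKeyLabels, len(keys))
	}
	out := make(map[string][]byte, len(keys))
	for label, pub := range keys {
		eedk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dk, nil)
		if err != nil {
			return nil, err
		}
		out[label] = eedk
	}
	return out, nil
}

// gcmFor builds the AEAD that protects the user data under a data key.
func gcmFor(dk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WriteEncrypted seals plaintext under a fresh 256-bit data key and wraps that key under every label.
func WriteEncrypted(plaintext []byte, keys PubKeys) (*Cartridge, error) {
	buf := make([]byte, 32+12) // data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dk, nonce := buf[:32], buf[32:]
	eedks, err := wrapAll(keys, dk)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dk)
	if err != nil {
		return nil, err
	}
	return &Cartridge{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), EEDKs: eedks}, nil
}

// Rekey unwraps the data key with a private key the current holder already has, wraps the same
// key under the new labels and replaces the EEDK set. The user data is neither decrypted nor rewritten.
func Rekey(cart *Cartridge, curLabel string, curPriv *rsa.PrivateKey, newKeys PubKeys) error {
	dk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, curPriv, cart.EEDKs[curLabel], nil)
	if err != nil {
		return fmt.Errorf("no EEDK for label %q or private key does not match it", curLabel)
	}
	eedks, err := wrapAll(newKeys, dk)
	if err != nil {
		return err
	}
	cart.EEDKs = eedks // previous labels are overwritten, as the Attention note warns
	return nil
}

// ReadEncrypted opens the user data through the EEDK stored for one label.
func ReadEncrypted(cart *Cartridge, label string, priv *rsa.PrivateKey) ([]byte, error) {
	dk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, cart.EEDKs[label], nil)
	if err != nil {
		return nil, fmt.Errorf("no EEDK for label %q or private key does not match it", label)
	}
	gcm, err := gcmFor(dk)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, cart.Nonce, cart.Ciphertext, nil)
}
```

The export case is: WriteEncrypted under a local label, then Rekey with the local private key and a map holding a new local label plus the partner's label, for which only the partner's public key is needed, then ReadEncrypted with the partner's private key. A Rekey attempted with a private key that matches no stored EEDK, or with more than two labels, fails before anything on the cartridge changes; a successful Rekey leaves the ciphertext byte-for-byte unchanged but removes the old labels, so the check in wrapAll and the SAF authority described on this page are what stand between a caller and an irreversible overwrite.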

Copyright IBM Corporation 1990, 2014