DFSMS data set encryption enhancements for z/OS V2R3
z/OS® DFSMS introduces pervasive encryption of data at rest for extended format data sets accessed through access methods without requiring application changes. With z/OS data set encryption, RACF® commands and SMS policies can be used to identify the data sets or groups of data sets that require encryption.
Viewing the data in the clear is controlled by SAF access to the key label that is associated with the data set. The access methods use that key label to encrypt and decrypt the data. The data set owner specifies an encryption key label, which refers to an AES 256-bit encryption key that exists in the ICSF key repository (CKDS).
Data set encryption applies to the following extended format data set types:
- Sequential extended format data sets that are accessed through BSAM and QSAM.
- VSAM extended format data sets (KSDS, ESDS, RRDS, VRRDS, LDS) that are accessed through base VSAM and VSAM/RLS.
The key label can be specified through any of the following:
- RACF data set profile
- JCL, dynamic allocation, TSO ALLOCATE, IDCAMS DEFINE
- SMS data class
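The following job is an added example, not taken from the IBM publication. It shows the RACF data set profile route together with the SAF control on the key label. The key label, profile name, group and data set name are constructed placeholders, and the job assumes that the key already exists in the CKDS, that the CSFKEYS class is active and RACLISTed, and that ACS routines make the new data set SMS-managed.

```jcl
//DSENC    JOB (ACCT),'DS ENCRYPTION',CLASS=A,MSGCLASS=X
//* Added example. Constructed placeholder names:
//*   key label  PROD.PAYROLL.AES256.KEY1  (AES 256-bit key in CKDS)
//*   profile    'PAYROLL.ENC.**'
//*   group      PAYGRP
//*
//* Step 1: protect the key label, then attach it to the data sets.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* No default access to the key label; allow ICSF to return it  */
  /* as a protected key for use by the access methods.            */
  RDEFINE CSFKEYS PROD.PAYROLL.AES256.KEY1 UACC(NONE) -
          ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  /* PAYGRP may use the key only when the request comes through   */
  /* data set encryption, not through direct ICSF calls.          */
  PERMIT PROD.PAYROLL.AES256.KEY1 CLASS(CSFKEYS) ID(PAYGRP) -
         ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
  SETROPTS RACLIST(CSFKEYS) REFRESH
  /* New data sets covered by this profile pick up the key label  */
  /* from the DFP segment.                                        */
  ALTDSD 'PAYROLL.ENC.**' DFP(DATAKEY(PROD.PAYROLL.AES256.KEY1))
/*
//* Step 2: allocate an extended format sequential data set.
//* No key label is coded on the DD; it comes from the profile.
//ALLOC    EXEC PGM=IEFBR14
//NEWDS    DD DSN=PAYROLL.ENC.MASTER,DISP=(NEW,CATLG),
//            DSNTYPE=EXTREQ,RECFM=FB,LRECL=80,
//            SPACE=(CYL,(10,5))
```

A user with READ access to the data set profile but no access to the key label in CSFKEYS cannot read the data in the clear through the access methods.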
DFSMSdss and DFSMShsm support backup and migration of encrypted data sets while preserving the data in encrypted form. You can identify data sets that are encrypted through interfaces, such as LISTCAT, IEHLIST LISTVTOC, ISMF, SMF, and DCOLLECT.
Using the z/OS data set encryption enhancements
For an overview of restrictions, dependencies, and steps on using the new function, see the following publications: