The availability of encryption keys is critical to a Pervasive Encryption strategy. When data is encrypted, the ability to access that data relies on the availability of its encryption keys.
How would you recover from...
- An accidental deletion of a key?
- An accidentally overwritten key?
- Corruption of a key store?
- A refreshed copy of a key store with missing keys?
In all of these cases, a recent backup of your key store is what lets you recover your encryption environment. Without a backup, data encrypted under a lost or corrupted key cannot be decrypted, no matter how good your backups of the data itself are.
When to backup your encryption keys...
- Along with your regular DASD volume backups. If the DASD volume is corrupted, the entire volume can be restored from backup.
- Before major key management operations. For example, back up your key stores before performing new or large key management operations, such as generating thousands of keys, so that you can roll back to a known good state if the operation fails part way through.
- After major key management operations. Backing up key stores after a master key rotation ensures that you can easily extract and recover a key from a backup that matches the current master key, since keys in the key store are wrapped under the master key that was active when the backup was taken. Backing up key stores after generating thousands of keys ensures that the keys you have generated are recoverable if the key store is corrupted prior to the next regular volume backup; restoring an older backup would silently discard every key created since it was taken.
Tools for backup and recovery...
- z/OS DFSMSdss supports manual backups at any time
- z/OS DFSMShsm supports automated backups based on policy
- Enterprise Key Management Foundation (EKMF) backs up keys in its own repository
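A DFSMSdss backup and restore of the ICSF key data sets, as an added example; this is not JCL from the original page or from the contributors named below. The data set names (CSF.CSFCKDS, CSF.CSFPKDS, BACKUP.KEYSTORE.PRE.ROTATE), the job card, and the space and unit values are assumptions to be replaced with your own; the TOL(ENQF) keyword is assumed to be needed because ICSF keeps the active key data sets allocated while it is running.

```jcl
//KEYBKUP  JOB (ACCT),'KEY STORE BACKUP',CLASS=A,MSGCLASS=X
//*-----------------------------------------------------------------
//* Added example (not from the original page). Assumed names:
//*   CSF.CSFCKDS, CSF.CSFPKDS     active ICSF CKDS and PKDS (VSAM)
//*   BACKUP.KEYSTORE.PRE.ROTATE   dump data set; use a new name
//*                                before and after each operation
//* Run this job immediately before and after bulk key generation
//* or a master key change, so a matching backup always exists.
//*-----------------------------------------------------------------
//DUMP     EXEC PGM=ADRDSSU
//SYSPRINT DD SYSOUT=*
//OUTDD    DD DSN=BACKUP.KEYSTORE.PRE.ROTATE,
//            DISP=(NEW,CATLG,DELETE),UNIT=SYSDA,SPACE=(CYL,(5,5))
//SYSIN    DD *
  DUMP DATASET(INCLUDE(CSF.CSFCKDS,CSF.CSFPKDS)) -
       OUTDDNAME(OUTDD) -
       TOL(ENQF)
/*
//*
//KEYRSTR  JOB (ACCT),'KEY STORE RESTORE',CLASS=A,MSGCLASS=X
//*-----------------------------------------------------------------
//* Recovery: restore the CKDS in place from the dump above.
//* Everything added to the CKDS after the dump is lost, so choose
//* the newest backup taken under the CURRENT master key.
//*-----------------------------------------------------------------
//RESTORE  EXEC PGM=ADRDSSU
//SYSPRINT DD SYSOUT=*
//INDD     DD DSN=BACKUP.KEYSTORE.PRE.ROTATE,DISP=SHR
//SYSIN    DD *
  RESTORE DATASET(INCLUDE(CSF.CSFCKDS)) -
          INDDNAME(INDD) -
          REPLACE -
          CATALOG
/*
//*-----------------------------------------------------------------
//* ICSF works from an in-storage copy of the CKDS, so after the
//* DASD copy is restored the in-storage copy must be refreshed.
//* CSFEUTIL with the REFRESH option is assumed here; check the
//* utility and its parameters against your ICSF level first.
//*-----------------------------------------------------------------
//REFRESH  EXEC PGM=CSFEUTIL,PARM='CSF.CSFCKDS,REFRESH',
//            COND=(0,NE,RESTORE)
//SYSPRINT DD SYSOUT=*
```

Two points a practitioner should check before relying on this. First, a dump taken before a master key change contains keys wrapped under the old master key; restoring it after the rotation gives you a CKDS that the current master key cannot unwrap, which is exactly why the page recommends a second backup after the rotation. Second, restore to a renamed copy (DFSMSdss RENAMEU) rather than in place when you only need to recover a single key, so that keys generated after the backup are not discarded from the active CKDS.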
Many thanks to Ernesto Figueroa and Cecilia Carranza-Lewis for knowledge sharing and JCL samples.