z/OS DFSMSdss Storage Administration


Considerations for host-based encryption

SC23-6868-01

The choice of which type of host-based encryption to use depends on several factors, including performance and level of security. On the DFSMSdss DUMP command, you can request one of these types of host-based encryption:
  • A clear TDES key; specify the CLRTDES subparameter of the ENCRYPT keyword.
  • A secure TDES key; specify the ENCTDES subparameter of the ENCRYPT keyword.
  • A clear 128-bit AES key; specify the CLRAES128 subparameter of the ENCRYPT keyword.

The decision to use CLRTDES or ENCTDES key values depends on the kind of cryptographic hardware you have, the level of security you want, and the level of performance you require.

For DFSMSdss, a CLRTDES key is a triple-length TDES key that is generated dynamically. Unlike the ENCTDES key value, the CLRTDES key value can appear in application storage. If DFSMSdss is running on a z890, z990, or System z9® 109, the data is encrypted using the clear TDES key on the CPACF, and this usually results in better performance than if you are using the ENCTDES key value.

The ENCTDES key is a triple-length TDES key that is generated within the secure boundary of the cryptographic hardware (CCF, PCICC, PCIXCC, or CEX2C), and it uses the ICSF symmetric master key to encrypt the data. The clear value of an ENCTDES key never leaves the boundary of the secure cryptographic hardware. Encryption and decryption of data using an ENCTDES key requires secure cryptographic hardware to be available.

Each type of key is equally secure with regard to the data that appears in the output data set.

The CLRAES128 option generates a 128-bit AES key. The key value can appear in application storage. If DFSMSdss is running on a z9 or z10 processor, the data is encrypted using CPACF. If DFSMSdss is running on any other type of processor, the data is encrypted by ICSF.

During DUMP processing, only user data may be encrypted. This means that VTOC and VVDS tracks that are processed are not encrypted. The data set names and other content from the VTOC will appear unencrypted in the output dump data set.
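The following JCL is an added example, not taken from this topic, showing where the key-type choice is made on the DUMP command. The job name, DD names, data set mask, tape unit and volume, and the RSA key label are assumed placeholders, and the RSA keyword (which protects the generated data key with an RSA public key from ICSF) is assumed from the wider DFSMSdss DUMP syntax rather than stated on this page.

```jcl
//DSSENC   JOB (ACCT),'HOST ENCRYPT DUMP',CLASS=A,MSGCLASS=X
//*
//* Added example: logical data set DUMP with host-based encryption.
//* ENCRYPT(ENCTDES) selects a secure TDES key generated inside the
//* cryptographic hardware; the clear key never appears in storage,
//* but secure hardware must be available at DUMP and RESTORE time.
//* To trade that isolation for CPACF throughput, code
//*   ENCRYPT(CLRTDES)   or   ENCRYPT(CLRAES128)
//* instead; the output data set is equally protected in each case.
//*
//* Caveat from the topic: only user data is encrypted. VTOC and
//* VVDS tracks, including data set names, are written in the clear,
//* so the dump data set itself still needs access-control protection.
//*
//STEP1    EXEC PGM=ADRDSSU
//SYSPRINT DD SYSOUT=*
//TAPE     DD DSN=BACKUP.PAYROLL.ENCDUMP,          <- placeholder
//            UNIT=3590,DISP=(NEW,CATLG),
//            LABEL=(1,SL),VOL=SER=ENC001           <- placeholder
//SYSIN    DD *
  DUMP DATASET(INCLUDE(PAYROLL.**)) -
       OUTDDNAME(TAPE) -
       ENCRYPT(ENCTDES) -
       RSA(PAYROLL.BACKUP.PUBKEY)
/*
```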





Copyright IBM Corporation 1990, 2014