z/OS DFSMSdss Storage Administration


Key management considerations

SC23-6868-01

The RSA and KEYPASSWORD keywords are used for key management by DFSMSdss. The choice of one over the other depends on your environment and needs.

KEYPASSWORD Keyword: Generally, if you are encrypting low volumes of data or if you do not have secure cryptographic hardware installed, you can specify the KEYPASSWORD keyword. NOTE: Passwords are case sensitive.

The iteration count (ICOUNT) in Password Based Encryption (PBE) is intended to strengthen weak passwords. If the password is robust (for example, 32 random characters), the default of 16 provides reasonable security and performance. Most PBE schemes assume that weak passwords are chosen; thus, iteration counts of 1000 or higher are common.

Note:

You must take care when using the KEYPASSWORD keyword. The same password specified on the DUMP task must be specified on the RESTORE task. The password is not stored in the dump data set in any form. If the password is lost, the encrypted data in the dump data set cannot be decrypted.

The same password with the same iteration count (ICOUNT) generates the same data key. This means that if the same password is used for many DUMP tasks, all of the data from those DUMP jobs is protected by the same key. If the password is compromised, all of the dump data is vulnerable.

RSA Keyword: The RSA keyword uses public/private keys for encryption and the exchange of digital certificates. You specify the label of the public key that is stored in the ICSF PKDS on the RSA keyword when you dump and encrypt the data. The corresponding RSA private key must be present at the recovery site when you decipher the data. A recipient at another site can decrypt the data only with the private key that corresponds to the label specified on the RSA keyword during the RESTORE job. If the original RSA key and label exist in the system's ICSF PKDS, then the RSA keyword need not be specified. The original RSA label is stored on the dump data set for convenience.

If the same RSA label and key are used during multiple dumps, each dump has its data encrypted with a different symmetric key. Thus, if the symmetric key of one dump is discovered, the data in the other dumps is still secure.





Copyright IBM Corporation 1990, 2014