DFSMSdss processing of dump encryption requests

You can use tape device encryption or host-based encryption to encrypt a tape volume, but not both methods. Because DFSMSdss avoids performing double encryption of tape data, you must determine which type of encryption, if any, is to be used for your tape volumes. In general, DFSMSdss prevents you from combining both types of encryption to perform double encryption of tape volumes.

Table 1 shows how DFSMSdss processes potential double encryption requests, specified through the DFSMSdss DUMP command.

Table 1. DFSMSdss processing of dump encryption requests
Dump encryption request	DFSMSdss action
Your DUMP command specifies host-based encryption (through the RSA or KEYPASSWORD keywords), and all of the available tape drives are encryption-capable tape drives. Your request might also specify host-based compression (through the HWCOMPRESS keyword).	DFSMSdss issues informational message ADR518I to indicate that tape device encryption was used instead of host-based encryption DFSMSdss ignores the compression request, if any.
Your DUMP command specifies host-based encryption and one or more of the available tape drives are not encryption enabled. Your request might also specify host-based compression.	DFSMSdss issues error message ADR519E to indicate that one or more of the available tape drives cannot perform encryption. To avoid performing double encryption of data, DFSMSdss uses only encryption-capable tape drives. DFSMSdss issues error message ADR324E to list the unused output devices. DFSMSdss ignores the compression request, if any. DFSMSdss continues processing the DUMP request as long as there are usable tape drives. On completion, DFSMSdss ends the task with return code 8.
Your DUMP command does not specify host-based encryption and all of the available tape drives are encryption-capable tape drives. Your request might also specify host-based compression.	Encryption-capable tape drives perform encryption DFSMSdss performs host-based compression, if requested.
Your DUMP command does not specify host-based encryption and one or more of the available tape drives are not encryption enabled. Your request might also specify host-based compression.	DUMP requests for encryption-capable tape drives are encrypted by the tape drives DUMP requests for non-encrypting tape drives are processed without encryption of any type DFSMSdss performs host-based compression, if requested.

For tapes that require host-based encryption, ensure that your dump-requesting jobs use only tape drives that are not encryption capable. To do so, check the data classes of the output ddnames to ensure that the jobs do not specify a data class that requests encryption from the encryption-capable tape drives.