DUMPCLASS(ENCRYPT): Specifying whether to encrypt the dump data with host based encryption

Explanation: ENCRYPT is an optional parameter that allows you to specify whether the data to be dumped will be encrypted with host based encryption. Indicate the method of host based encryption through the NONE, RSA, or KEYPASSWORD parameters. To have data encrypted, you must specify either RSA or PASSWORD (but not both) in the dump class. Do not use the ENCRYPT parameter to specify tape hardware encryption. You can use the SMS data class to specify tape hardware encryption.

The following are parameters of the ENCRYPT parameter:

NONE

specifies that data encryption is not performed for this dump class. This option overrides the encryption settings, if any, in the existing dump class.

RSA

specifies the RSA key label to be used when secure cryptographic hardware is used to encrypt the data to be dumped. keylabel identifies the key label that is to be used to encrypt the data. The key label is 1-64 characters long, and the first character must be an alphabetic or special character.

KEYPASSWORD

specifies that the data is to be encrypted without secure cryptographic hardware. The password, which is used to generate a key for the data encryption, is 8-32 characters long.

ICOUNT

specifies the number of hash iterations to be performed on the password when the PKCS #12 algorithm is used to generate the key. For the iteration count (count), specify an integer between 1 and 10000.

TYPE

specifies the type of encryption to be performed on the data.

CLRAES128: encrypts the dumped data with a clear 128-bit AES key.
CLRTDES: encrypts the dumped data with a clear, triple-length DES key
ENCTDES: encrypts the dumped data with a secure triple-length DES key.

Defaults

If you specify the KEYPASSWORD keyword without specifying ICOUNT (and ICOUNT was not previously set in the dump class definition), the default value for ICOUNT is 16.
If you do not specify the TYPE keyword (and TYPE was not previously set in the dump class definition), CLRAES128 encryption is used by default.

Note:

Before using the DUMPCLASS(ENCRYPT) parameter, review the topic about considerations for host-based encryption in z/OS DFSMSdss Storage Administration.
The ICSF address space must be started successfully, regardless of the processor you are running, to use the DUMPCLASS(ENCRYPT) parameter.
The set of dump classes that constitute a dump generation (that is, the set of dump classes specified on the BACKVOL command or in the storage group definition) must have the same encryption and HWCOMPRESS settings, or the dump operation will fail.
If you specify the KEYPASSWORD keyword, you cannot specify the ENCTDES parameter with the TYPE keyword.