Explanation: ENCRYPT is an optional parameter
that allows you to specify whether the data to be dumped will be encrypted
with host-based encryption. Indicate the method of host-based encryption
through the NONE, RSA, or KEYPASSWORD parameters. To have data encrypted,
you must specify either RSA or KEYPASSWORD (but not both) in the dump
class. Do not use the ENCRYPT parameter to specify tape hardware encryption.
You can use the SMS data class to specify tape hardware encryption.
The following are parameters of the ENCRYPT parameter:
- NONE
  specifies that data encryption is not performed for this dump
  class. This option overrides the encryption settings, if any, in the
  existing dump class.
- RSA
  specifies the RSA key label to be used when secure cryptographic
  hardware is used to encrypt the data to be dumped. keylabel identifies
  the key label that is to be used to encrypt the data. The key label
  is 1-64 characters long, and the first character must be an alphabetic
  or special character.
- KEYPASSWORD
  specifies that the data is to be encrypted without secure cryptographic
  hardware. The password, which is used to generate a key for the data
  encryption, is 8-32 characters long.
- ICOUNT
  specifies the number of hash iterations to be performed on the
  password when the PKCS #12 algorithm is used to generate the key.
  For the iteration count (count), specify an integer between
  1 and 10000.
- TYPE
  specifies the type of encryption to be performed on the data.
  - CLRAES128
    encrypts the dumped data with a clear 128-bit AES key.
  - CLRTDES
    encrypts the dumped data with a clear, triple-length DES key.
  - ENCTDES
    encrypts the dumped data with a secure triple-length DES key.
Defaults
- If you specify the KEYPASSWORD keyword without specifying ICOUNT
(and ICOUNT was not previously set in the dump class definition),
the default value for ICOUNT is 16.
- If you do not specify the TYPE keyword (and TYPE was not previously
set in the dump class definition), CLRAES128 encryption is used by
default.
Note:
- Before using the DUMPCLASS(ENCRYPT) parameter, review the topic
about considerations for host-based encryption in z/OS DFSMSdss Storage Administration.
- The ICSF address space must be started successfully, regardless
of the processor you are running, to use the DUMPCLASS(ENCRYPT) parameter.
- The set of dump classes that constitute a dump generation (that
is, the set of dump classes specified on the BACKVOL command or in
the storage group definition) must have the same encryption and HWCOMPRESS
settings, or the dump operation will fail.
- If you specify the KEYPASSWORD keyword, you cannot specify the
ENCTDES parameter with the TYPE keyword.
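
The rules above can be checked before a dump class definition is submitted. The following is an added example, not IBM code: it lints dump class ENCRYPT settings held in a constructed Python dict layout (not a DFSMShsm format), and it assumes that "special character" means the national characters #, $ and @.

```python
# Added example: lint dump class ENCRYPT settings against the rules on this page.
# The dict layout is a constructed representation, not DFSMShsm's own format.
TYPES = {"CLRAES128", "CLRTDES", "ENCTDES"}
SPECIAL = "#$@"  # assumption: "special character" means the national characters
METHODS = ("NONE", "RSA", "KEYPASSWORD")
FIELDS = ("RSA", "KEYPASSWORD", "TYPE", "ICOUNT", "HWCOMPRESS")


def effective(dc):
    """Return the dump class with the documented defaults applied."""
    out = dict(dc)
    if "RSA" in dc or "KEYPASSWORD" in dc:
        out.setdefault("TYPE", "CLRAES128")   # default TYPE
    if "KEYPASSWORD" in dc:
        out.setdefault("ICOUNT", 16)          # default ICOUNT
    return out


def lint(dc):
    """Return a list of rule violations for one dump class definition."""
    errs, e = [], effective(dc)
    if sum(m in dc for m in METHODS) > 1:
        errs.append("specify only one of NONE, RSA, KEYPASSWORD")
    label = dc.get("RSA")
    if label is not None and not (1 <= len(label) <= 64
                                  and (label[0].isalpha() or label[0] in SPECIAL)):
        errs.append("RSA key label must be 1-64 chars, starting alphabetic or special")
    pw = dc.get("KEYPASSWORD")
    if pw is not None:
        if not 8 <= len(pw) <= 32:
            errs.append("KEYPASSWORD must be 8-32 characters")
        if not 1 <= e["ICOUNT"] <= 10000:
            errs.append("ICOUNT must be between 1 and 10000")
        if e["TYPE"] == "ENCTDES":
            errs.append("ENCTDES cannot be used with KEYPASSWORD")
    if e.get("TYPE") not in TYPES | {None}:
        errs.append("unknown TYPE")
    return errs


def generation_consistent(classes):
    """Dump classes in one dump generation must share encryption and HWCOMPRESS settings."""
    keys = {tuple(effective(dc).get(k) for k in FIELDS) for dc in classes}
    return len(keys) <= 1
```

Because `generation_consistent` compares settings after defaults are applied, a class that omits TYPE matches one that names CLRAES128 explicitly.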