Introduction to z/TPFDF encryption support

z/TPFDF encryption support provides the ability for the z/TPFDF product to manage the encryption and decryption of all user LRECs and an option to verify data integrity by using a message digest.

z/TPFDF encryption support and the z/TPF symmetric keystore

z/TPFDF encryption support uses the z/TPFDF control format-2 global record and the z/TPF symmetric keystore to manage symmetric key ciphers that are used to encrypt and decrypt z/TPFDF databases. A z/TPFDF OCO encryption library is provided to interface with the z/TPF symmetric keystore. You can use the ZKEYS command to manage the generation and activation of key names that are used to encrypt and decrypt z/TPFDF databases. z/TPFDF encryption support supports the following cipher algorithms:
  • AES-128-CBC (AES128CBC)
  • AES-256-CBC (AES256CBC)

Data integrity verification

z/TPFDF encryption support provides an option to verify data integrity by using a message digest. Data integrity is verified by the z/TPFDF OCO encryption library by using SHA-256 message digest functions. For each block, the message digest is created only for the user data. Data integrity is not verified for the z/TPFDF header and trailer.

Encrypted data

z/TPFDF data that is at rest in prime and overflow blocks is encrypted as follows:
  • The entire block is encrypted except for the z/TPFDF header and trailer. If the block header contains user data, the user data is encrypted.
  • Only the main large LREC (MLL) of a large logical record (LLR) is encrypted. Large logical index blocks (LLIBs) and large logical data blocks (LLDBs) are not encrypted.
  • Encrypted records exist in the following locations:
    • DASD
    • Virtual file access (VFA)
    • Logical record cache (LRC)
All z/TPFDF interfaces, which include the following interfaces, can automatically encrypt and decrypt z/TPFDF files:
  • z/TPFDF programming APIs
  • z/TPFDF utilities, which include the ZUDFM commands, CRUISE, and recoup
If z/TPF interfaces are used to access data, encrypted records are not decrypted. z/TPF interfaces that access data include, but are not limited to, the following interfaces:
  • Standard FIND or FILE APIs
  • z/TPF commands, such as the ZDFIL, ZAFIL, ZDREC, and ZAREC commands
  • z/TPF capture and restore utility

If a record is already encrypted by using traditional z/TPF database encryption, to avoid unnecessary overhead, do not encrypt it by using z/TPFDF encryption support.
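The behaviour described in the "Data integrity verification" and "Encrypted data" sections (AES-128-CBC or AES-256-CBC over the user data, SHA-256 digest over the user data only, header and trailer left in the clear and outside the digest), modelled as an added Go example that is not part of the z/TPFDF product or this page. The Block layout, PKCS#7 padding, where the digest is stored and how the IV is handled are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
)

// Block is a constructed model of a z/TPFDF prime/overflow block: header and trailer
// stay clear and undigested; only the user data is encrypted and SHA-256 digested.
// Layout, digest storage and IV handling are assumptions, not the product's format.
type Block struct {
	Header, Data, Trailer []byte
	Digest                [32]byte
}

// EncryptBlock digests the clear user data, PKCS#7-pads it (assumed scheme) and
// encrypts only that region with AES-CBC; key length 16/32 selects AES-128/256-CBC.
func EncryptBlock(key, iv []byte, b Block) (Block, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return Block{}, err
	}
	b.Digest = sha256.Sum256(b.Data)
	n := aes.BlockSize - len(b.Data)%aes.BlockSize
	b.Data = append(append([]byte(nil), b.Data...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(c, iv).CryptBlocks(b.Data, b.Data)
	return b, nil
}

// DecryptBlock reverses EncryptBlock and rejects user data whose digest no longer
// matches; header and trailer changes are not detected, as the page describes.
func DecryptBlock(key, iv []byte, b Block) (Block, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return Block{}, err
	}
	if len(b.Data) == 0 || len(b.Data)%aes.BlockSize != 0 {
		return Block{}, errors.New("ciphertext is not a whole number of AES blocks")
	}
	buf := append([]byte(nil), b.Data...)
	cipher.NewCBCDecrypter(c, iv).CryptBlocks(buf, buf)
	n := int(buf[len(buf)-1])
	if n == 0 || n > aes.BlockSize || n > len(buf) {
		return Block{}, errors.New("bad padding")
	}
	b.Data = buf[:len(buf)-n]
	if sha256.Sum256(b.Data) != b.Digest {
		return Block{}, errors.New("user data integrity check failed")
	}
	return b, nil
}
```

A changed header or trailer passes DecryptBlock unchanged, while any change to the encrypted user data fails either the padding check or the digest check.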

Decrypted data

For z/TPFDF databases that use z/TPFDF encryption support, encrypted data is decrypted when one or more of the following conditions occur:
  • When the data is accessed by using z/TPFDF interfaces, such as z/TPFDF APIs and commands
  • When the data is read by z/TPFDF APIs into private ECB memory, such as core blocks and ECB heap
  • When the LRECs are in multiple LREC buffers
  • When the data is in LLR index blocks (LLIBs) and LLR data blocks (LLDBs)
  • When the LRECs or physical records are written to the following locations by using the CRUISE utility, the ZUDFM commands, z/TPFDF APIs, or data events:
    • Tapes
    • The z/TPF file system
    • IBM® MQ queues
  • When the data is viewed by using the z/TPF debugger