Db2 supports z/OS DFSMS data set encryption for all of the data sets in a storage
group using a key label for encryption and decryption.
About this task
Use this procedure to encrypt all the Db2-managed data sets for a storage group or to
encrypt simple or segmented table spaces. For user-managed data sets, you need to use DFSMS
interfaces.
Procedure
- Obtain a key label from the RACF/ICSF administrator and ensure the key label is defined on all the backup sites used in disaster recovery and all the subsystems in a data sharing group.
-
Issue a CREATE or ALTER STOGROUP statement to define a key label.
Db2 provides the specified key label
to DFSMS when allocating new data sets within the storage group. To override the Db2-provided key label at a table level, use the
CREATE TABLE or ALTER TABLE statement with the KEY LABEL clause. This table-level override is only
available for tables in universal or partitioned table spaces. The key label specified at the RACF
data set profile overrides any Db2 provided key label.
-
Issue the REORG TABLESPACE utility against each table space within the storage group.
The key label that is specified in the ALTER STOGROUP statement is provided to DFSMS when
allocating new data sets for the table spaces. The key label specified at the RACF data set profile
overrides the Db2 provided key label
What to do next
You can run the REPORT utility with the TABLESPACESET, SHOWDSNS, and SHOWKEYLABEL option to
display the current key label information for the table spaces.