Types of DB2 data sets that can be encrypted by using DFSMS data set encryption
You can use DFSMS to encrypt various types of Db2® data sets including Db2-managed table space and index space data sets, data sets that are used by Db2 utilities, and sequential input and output data sets.
z/OS® DFSMS data set encryption is supported for extended format linear data sets, extended format sequential data sets, and sequential basic and large format data sets. z/OS DFSMS APAR OA56622 must be applied for sequential basic and large format data set support.
Db2-managed table space and index space data sets
After you set up DFSMS encryption, you can run certain Db2 utilities to encrypt and decrypt Db2-managed table space and index space data sets.
The following utilities encrypt or decrypt the data sets for table spaces or index spaces based on the current key label, which is defined in the RACF data set profile, specified at the table level or storage group level, or set in the SMS data class:
- REORG TABLESPACE or REORG INDEX
- LOAD REPLACE
- RECOVER from sequential image copies (point-in-time or full recovery)
- REBUILD INDEX
- If REUSE is specified, the existing key label and encryption status remain unchanged.
- If REUSE is not specified, these utilities reallocate the underlying data sets with the current key label. The existing key label and encryption status change if a new key label is defined in the RACF data set profile (or an equivalent security product) or the SMS data class. Removing the key label from the data set profile or data class causes these utilities to reallocate the underlying data sets without a key label, which decrypts the data.
For REORG TABLESPACE, REORG INDEX, or LOAD REPLACE with SHRLEVEL CHANGE or SHRLEVEL REFERENCE, the shadow data sets are allocated as encrypted if a key label was provided through the RACF data set profile, CREATE TABLE, ALTER TABLE, CREATE STOGROUP, ALTER STOGROUP, or the SMS data class. If the shadow data sets are preallocated, the user can allocate them as encrypted.
Partition and Piece Level Encryption or Decryption
The following utilities can be invoked with the PART or DSNUM option for partitioned table spaces or indexes to encrypt or decrypt at the partition level:
- REORG TABLESPACE or REORG INDEX
- LOAD REPLACE
- RECOVER from sequential image copies (point-in-time or full recovery)
- REBUILD INDEX
When the PART option is specified for REORG TABLESPACE or LOAD REPLACE, any NPIs over the table space keep their existing key label and encryption status.
Use REORG INDEX on NPIs to encrypt or decrypt the entire NPI using the current key label.
When the DSNUM n option is specified for RECOVER of a piece of a nonpartitioned table space or index space, the underlying VSAM data set for that piece is reallocated with the current key label.
Data sets that are used by utilities
Among the data sets that are used by utilities are data files for loading or unloading, utility control statement files, temporary work files for index keys or rows, and image copy data sets.
To encrypt utility data sets, use the RACF data set profile, JCL, or the SMS data class.
For data sets allocated through TEMPLATEs, DFSMS uses its order of precedence to determine the key label:
- RACF Data set profile
- JCL, Dynamic Allocation, TSO Allocate
- SMS construct: data class
If you still use hard-coded DD statements instead of TEMPLATEs to allocate utility sequential output data sets and want to encrypt a data set, add the DSKEYLBL parameter to the DD statements in the batch utility jobs.
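The following job ties together the two situations described above: a REORG TABLESPACE SHRLEVEL CHANGE that omits REUSE, so the table space data sets are reallocated with whatever key label is currently in effect, and an inline image copy written to a hard-coded SYSCOPY DD that carries DSKEYLBL so the copy data set is itself encrypted. This is an added example, not JCL from the Db2 documentation; the job name, DBNAME.TSNAME, the data set name, the Db2 subsystem name and the key label are all placeholders to be replaced with your own values.

```jcl
//REORGENC JOB (ACCT),'REORG ENCRYPT',CLASS=A,MSGCLASS=X
//*
//* Constructed example: REORG TABLESPACE with SHRLEVEL CHANGE.
//* REUSE is deliberately omitted, so the utility reallocates the
//* table space data sets with the key label currently in effect
//* (RACF data set profile, table or STOGROUP key label, or SMS
//* data class). If the key label has been removed from all of
//* those sources, the reallocated data sets are not encrypted.
//*
//* The inline image copy goes to a hard-coded SYSCOPY DD rather
//* than a TEMPLATE, so DSKEYLBL is coded on the DD statement.
//* DSNTYPE=EXTREQ requests an extended format sequential data set,
//* which is what DFSMS data set encryption requires unless the
//* basic/large format support (APAR OA56622) is installed.
//*
//UTIL     EXEC DSNUPROC,SYSTEM=DSN,UID='REORGENC',UTPROC=''
//SYSCOPY  DD DSN=DB2IC.DBNAME.TSNAME.COPY1,
//            DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(50,20),RLSE),
//            DSNTYPE=EXTREQ,
//            DSKEYLBL='DB2.PLACEHOLDER.KEYLABEL'
//SYSIN    DD *
  REORG TABLESPACE DBNAME.TSNAME
        SHRLEVEL CHANGE
        COPYDDN(SYSCOPY)
        SORTDEVT SYSDA
/*
```

Two things to verify before running a job like this: the job user ID must be permitted to the key label (the RACF CSFKEYS profile that covers it) or the open of SYSCOPY fails, and the data set must land on SMS-managed storage, since the key label is stored in the catalog entry at allocation time. After the job completes, LISTCAT on the table space data sets and on the SYSCOPY data set shows whether a key label was recorded, which is the quickest way to confirm that the reallocation picked up the expected label.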
z/OS DFSMS data set encryption does not support sequential data sets on tape, DUMMY data sets, or sort work data sets.
Encrypted input and output data sets for stand-alone utilities
The stand-alone utilities DSN1COPY, DSN1PRNT, DSN1COMP, DSNJU003, DSNJU004, DSNJCNVT, DSNJCNVB, and DSN1LOGP support encryption.
DSN1COPY, DSN1PRNT, and DSN1COMP will support encrypted VSAM or sequential data sets as input (SYSUT1 DD) and output (SYSUT2 DD) if the data sets are allocated with a key label. Since these stand-alone utilities do not allocate data sets, the data sets must be allocated with a key label before the job is executed. DSN1LOGP will support encrypted log data sets as input.
The job user ID must be permitted to access any underlying encrypted data sets used to run the utility.
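Because DSN1COPY and the other stand-alone utilities never allocate data sets themselves, encrypting their output means allocating the output data set with a key label in a preceding step and then opening it with DISP=OLD. The job below shows that pattern for copying an encrypted table space data set to an encrypted sequential data set; it is an added example rather than JCL from the Db2 documentation, and the data set names, STEPLIB library, subsystem catalog prefix and key label are placeholders.

```jcl
//DSN1ENC  JOB (ACCT),'DSN1COPY ENCRYPT',CLASS=A,MSGCLASS=X
//*
//* Constructed example: DSN1COPY with an encrypted input data set
//* (SYSUT1, an existing Db2 VSAM linear data set that already has a
//* key label) and an encrypted sequential output data set (SYSUT2).
//*
//* Step ALLOC creates the output data set with DSKEYLBL before the
//* utility runs, because DSN1COPY does not allocate data sets and
//* therefore cannot assign a key label on its own. IEFBR14 is a
//* do-nothing program; the allocation happens when the DD statement
//* is processed and the key label is recorded in the catalog.
//*
//ALLOC    EXEC PGM=IEFBR14
//OUT      DD DSN=DB2ADM.DSN1COPY.DBNAME.TSNAME.OUT,
//            DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(100,50),RLSE),
//            DSNTYPE=EXTREQ,RECFM=FB,LRECL=4096,BLKSIZE=4096,
//            DSKEYLBL='DB2.PLACEHOLDER.KEYLABEL'
//*
//* Step COPY reads the table space cluster and writes the page image
//* copy. The job user ID must be permitted to the key labels of both
//* data sets; DFSMS decrypts SYSUT1 and encrypts SYSUT2 transparently,
//* DSN1COPY itself sees only clear-text pages. PARM='CHECK' asks
//* DSN1COPY to validate page consistency while copying.
//*
//COPY     EXEC PGM=DSN1COPY,PARM='CHECK'
//STEPLIB  DD DSN=DSN.PLACEHOLDER.SDSNLOAD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD DSN=DSNCAT.DSNDBC.DBNAME.TSNAME.I0001.A001,DISP=SHR
//SYSUT2   DD DSN=DB2ADM.DSN1COPY.DBNAME.TSNAME.OUT,DISP=OLD
```

The same pre-allocation pattern applies to DSN1PRNT and DSN1COMP output, and to any sequential data set that a stand-alone utility is expected to write as encrypted. If the output is instead a VSAM linear data set (for example, when DSN1COPY is used to restore into a table space data set), that data set has to be defined with its key label through IDCAMS or through the RACF data set profile before the job runs, for the same reason.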