Db2 for z/OS supports z/OS DFSMS data set encryption for the data sets associated with a
particular table.
About this task
Use this procedure to encrypt Db2-managed data sets for the data sets associated with a particular table. For user-managed data
sets, you need to use DFSMS interfaces.
Procedure
To encrypt table spaces with z/OS DFSMS data set encryption, use the following
steps:
- Obtain a key label from the RACF/ICSF administrator and ensure the key label is defined on all the backup sites used in disaster recovery and all the subsystems in a data sharing group.
-
Issue a CREATE or ALTER TABLE statement to define a key label to encrypt Db2-managed data sets.
Use this procedure to encrypt DB2-managed data sets for universal table spaces or partitioned
table spaces. For user-managed data sets, you need to use DFSMS interfaces. For table spaces that
can contain multiple tables, use the CREATE STOGROUP or ALTER STOGROUP statement with the KEY LABEL
clause.
-
Run the REORG TABLESPACE utility against the table spaces associated with the table.
The key label specified on the CREATE TABLE or ALTER TABLE statement is provided to DFSMS
when data sets for the table space, auxiliary (XML or LOB) table spaces, or indexes associated with
the table are allocated. If a key label is specified for the RACF data set profile, it overrides the
Db2-provided key label.
What to do next
You can run the REPORT utility with TABLESPACESET, SHOWDSNS, and SHOWKEYLABEL keyword to
display the current key label information for the table spaces.