Use cases for Pervasive Encryption
Always exempt some data sets from encryption, even if they could technically be encrypted. In particular, you MUST NOT encrypt the EKMF key database: if the data set that holds your keys is itself encrypted and the key protecting it is lost, the keys it contains cannot be recovered from the EKMF key repository, and with them every data set they protect is lost as well. For the same reason, never create RACF (SAF), DFSMS, or JCL definitions that unconditionally encrypt all data sets.
Use case: Separation of duties
One of the main benefits of pervasive encryption is that it removes storage administrators from the set of people who can read application data. Storage administrators still need access to the data set itself, for example to back it up, copy it, or migrate it. They do not, however, need access to the encryption key that decrypts it, so the data they handle remains enciphered.
Consider this scenario:
- You have an Application A with the RACF data set profile PROD.APPLA.**.
- The access list for that profile consists of the users who have access to Application A (group GRPA) and the storage administrators (group STGADMIN).
- You name your encryption key PROD.PE.KEYA.01.
- The key label is protected by the RACF profile PROD.PE.KEYA.** (class CSFKEYS), which has its own access list.
In this scenario, the access list of the key profile should contain only the group of users with access to the application (GRPA). This ensures that only the application users can see the data in the clear. Everyone else, the storage administrators included, only sees encrypted data, regardless of the access they have to the data set itself.
Application | RACF profile for data sets | Access | Key label | RACF profile for keys | Access |
---|---|---|---|---|---|
Application A | PROD.APPLA.** | GRPA, STGADMIN | PROD.PE.KEYA.01 | PROD.PE.KEYA.** | GRPA |
Use case: Separation of application data
You can use pervasive encryption to separate application data, such that Application A cannot read data from Application B. In addition to controlling access to the data sets with RACF, give each application its own encryption key; then even a user who is mistakenly granted access to the other application's data sets still cannot decrypt them.
Application | RACF profile for data sets | Access | Key label | RACF profile for keys | Access |
---|---|---|---|---|---|
Application A | PROD.APPLA.** | GRPA, STGADMIN | PROD.PE.KEY.A.01 | PROD.PE.KEY.A.** | GRPA |
Application B | PROD.APPLB.** | GRPB, STGADMIN | PROD.PE.KEY.B.01 | PROD.PE.KEY.B.** | GRPB |
If two applications need to exchange data, create yet another key for the shared data sets and permit both application groups to it, rather than granting either application access to the other's key.
Application | RACF profile for data sets | Access | Key label | RACF profile for keys | Access |
---|---|---|---|---|---|
Application A & B | PROD.XCHG.AB.* | GRPA, GRPB, STGADMIN | PROD.PE.KEYXCHG.AB.01 | PROD.PE.KEYXCHG.AB.** | GRPA, GRPB |
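The RACF definitions behind the three tables in the two use cases above, as an added example that is not part of the original page. It is a REXX exec to be run under TSO by a RACF administrator; the profile, group and key-label names are the ones in the second and third tables (PROD.PE.KEY.A.01 for Application A), while the exec name, the access levels (UPDATE for application users, ALTER for storage administrators) and the use of the DFP DATAKEY segment to attach the key label to the data set profile are assumptions about how a shop might choose to do it. The AES keys themselves must already exist in the ICSF CKDS under those labels; RACF only controls who may use them.

```rexx
/* REXX - added example: RACF definitions for the pervasive-encryption  */
/* use cases above (separation of duties, separation of application     */
/* data). Profile, group and key-label names are the ones on the page;  */
/* exec name and access levels are assumptions. Requires a TSO user     */
/* with RACF SPECIAL or equivalent group authority, and GENERIC(DATASET) */
/* active so that the '**' data set profiles are treated as generic.     */
ADDRESS TSO

/* Application A. DATAKEY in the DFP segment names the key label that   */
/* every new data set matching the profile is encrypted with, without   */
/* any JCL DSKEYLBL or SMS data class change. Application users get     */
/* UPDATE, storage administrators get ALTER on the data set profile.    */
CALL Racf "ADDSD  'PROD.APPLA.**' UACC(NONE) DFP(DATAKEY(PROD.PE.KEY.A.01))"
CALL Racf "PERMIT 'PROD.APPLA.**' ID(GRPA) ACCESS(UPDATE)"
CALL Racf "PERMIT 'PROD.APPLA.**' ID(STGADMIN) ACCESS(ALTER)"

/* The key label is protected in class CSFKEYS. READ is the access      */
/* needed to open an encrypted data set, and only GRPA gets it; STGADMIN */
/* is deliberately absent, so DFSMSdss can still dump, copy or migrate  */
/* the data set but only ever sees ciphertext. SYMCPACFWRAP(YES) and    */
/* SYMCPACFRET(YES) allow ICSF to return a CPACF protected key to DFSMS, */
/* which data set encryption requires. The key itself must already be   */
/* in the CKDS under this label (created with EKMF or ICSF, not RACF).  */
CALL Racf "RDEFINE CSFKEYS PROD.PE.KEY.A.** UACC(NONE)",
          "ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))"
CALL Racf "PERMIT PROD.PE.KEY.A.** CLASS(CSFKEYS) ID(GRPA) ACCESS(READ)"

/* Application B: same pattern with its own key. GRPA is not on the     */
/* key profile, so it cannot read B's data even if someone later adds   */
/* GRPA to the PROD.APPLB.** data set profile by mistake.               */
CALL Racf "ADDSD  'PROD.APPLB.**' UACC(NONE) DFP(DATAKEY(PROD.PE.KEY.B.01))"
CALL Racf "PERMIT 'PROD.APPLB.**' ID(GRPB) ACCESS(UPDATE)"
CALL Racf "PERMIT 'PROD.APPLB.**' ID(STGADMIN) ACCESS(ALTER)"
CALL Racf "RDEFINE CSFKEYS PROD.PE.KEY.B.** UACC(NONE)",
          "ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))"
CALL Racf "PERMIT PROD.PE.KEY.B.** CLASS(CSFKEYS) ID(GRPB) ACCESS(READ)"

/* Exchange data sets: a third key that both application groups may     */
/* use. Neither group is given access to the other's application key.   */
CALL Racf "ADDSD  'PROD.XCHG.AB.*' UACC(NONE)",
          "DFP(DATAKEY(PROD.PE.KEYXCHG.AB.01))"
CALL Racf "PERMIT 'PROD.XCHG.AB.*' ID(GRPA GRPB) ACCESS(UPDATE)"
CALL Racf "PERMIT 'PROD.XCHG.AB.*' ID(STGADMIN) ACCESS(ALTER)"
CALL Racf "RDEFINE CSFKEYS PROD.PE.KEYXCHG.AB.** UACC(NONE)",
          "ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))"
CALL Racf "PERMIT PROD.PE.KEYXCHG.AB.** CLASS(CSFKEYS) ID(GRPA GRPB)",
          "ACCESS(READ)"

/* New and changed profiles are not live until the in-storage copies    */
/* are refreshed: generic DATASET profiles and the RACLISTed CSFKEYS.   */
CALL Racf "SETROPTS GENERIC(DATASET) REFRESH"
CALL Racf "SETROPTS RACLIST(CSFKEYS) REFRESH"
EXIT 0

Racf: PROCEDURE
  /* Issue one RACF command and stop at the first failure, so a         */
  /* half-applied setup (a data set profile whose key label is not yet  */
  /* protected in CSFKEYS) is never left behind silently.               */
  PARSE ARG cmd
  ADDRESS TSO cmd
  IF RC <> 0 THEN DO
    SAY 'RACF command failed, RC='RC':' cmd
    EXIT RC
  END
RETURN
```

The order matters: the CSFKEYS profile with UACC(NONE) should exist before any data set is allocated under the new DATAKEY, otherwise a key label with no covering profile is governed by whatever the class defaults allow. Running the exec from a RACF administrator's ID that is not in GRPA, GRPB or STGADMIN also keeps the administrator who defines the profiles from being able to read the data, which is the separation of duties the first use case describes.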