Using DFSMSdss Encryption

You can use DFSMSdss Encryption to encrypt and decrypt data through DFSMSdss and DFSMShsm commands. For complete information, see z/OS DFSMSdfp Storage Administration.

DFSMShsm documentation

For complete information about using DFSMShsm commands to encrypt and decrypt data, see the following DFSMShsm publications:

For DFSMSdss, you can use the DUMP command to encrypt an output data set and specify that the encrypted data is to reside on tape or DASD. You can specify the following options on the DUMP command:

Table 1. DUMP command options

Description: Encryption type
DUMP option:
  ENCRYPT
    Specifies information about which encryption key you want to generate. You can specify one of the following types:
    CLRTDES
      Specifies that the input file is to be encrypted with a clear TDES triple-length key in the DFSMSdss address space
    CLRAES128
      Specifies that the input file is to be encrypted with a clear 128-bit AES key in the DFSMSdss address space
    ENCTDES
      Specifies that the input file is to be encrypted with a secure TDES triple-length key in the DFSMSdss address space

Description: Method to generate and protect the data encrypting key
DUMP option:
  Specifies the method to be used to generate and protect the data encrypting key. RSA and KEYPASSWORD are mutually exclusive. One of the following keywords is required:
  RSA(label)
    Specifies the 64-byte label of an existing RSA public key that is present in the ICSF cryptographic key data set (PKDS).
  KEYPASSWORD(password)
    Specifies a password between 8 and 32 characters that is used to generate a data key to encrypt the user data. If you specify KEYPASSWORD on the DUMP command, you must also specify the same KEYPASSWORD on the RESTORE command.

    IBM® suggests that you use only the upper and lower-case letters A through Z, numerals 0 – 9, and the underscore character (_).

Description: Compression option
DUMP option:
  HWCOMPRESS
    Specifies whether you want compression of the clear input before encryption of the data occurs. If you want compression, specify the keyword HWCOMPRESS. Omit the keyword if you do not want compression.

To decrypt the data from the DUMP command, you can use the RESTORE command with the following options:

Table 2. Keywords for DFSMSdss Encryption

Description: Method used to generate and protect the data encrypting key
RESTORE option:
  Specifies the method to be used to generate and protect the data encrypting key. RSA and KEYPASSWORD are mutually exclusive:
  RSA(label)
    Specifies the 64-byte label of an existing RSA private key that is present in the ICSF PKDS. The RSA option on the RESTORE command is optional. Use RSA if you want to specify a different label for an RSA key. If you do not specify the RSA keyword on the RESTORE command, DFSMSdss uses the original label specified on the DUMP command.
  KEYPASSWORD(password)
    Specifies a password between 8 and 32 characters that is used to generate a data key to encrypt the user data. If KEYPASSWORD has been specified on the DUMP command, you must also specify the same KEYPASSWORD on the RESTORE command.

    IBM suggests that you use only the upper and lower-case letters A through Z, numerals 0 – 9, and the underscore character (_).
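
The following JCL is an added example, not taken from the IBM publication. It shows a DUMP step that combines the options in Table 1 (HWCOMPRESS, ENCRYPT, and RSA) and a RESTORE step that uses the optional RSA keyword from Table 2 to name a different key label. The job card, data set names, DD names, the UNIT value, and both key labels are constructed placeholders, and the parenthesized form ENCRYPT(type) is assumed.

```jcl
//DSSENC   JOB (ACCT),'DSS ENCRYPT',CLASS=A,MSGCLASS=X
//*
//* Added example: all names and key labels below are placeholders.
//*
//* Step 1: dump with compression of the clear input, then
//* encryption with a clear 128-bit AES data key. RSA names the
//* label of an RSA public key that already exists in the ICSF
//* PKDS. KEYPASSWORD is not specified because RSA and
//* KEYPASSWORD are mutually exclusive.
//*
//DUMP     EXEC PGM=ADRDSSU
//SYSPRINT DD  SYSOUT=*
//TAPE     DD  DSN=BACKUP.PAYROLL.ENC,UNIT=TAPE,
//             DISP=(NEW,CATLG),LABEL=(1,SL)
//SYSIN    DD  *
  DUMP DATASET(INCLUDE(PAYROLL.**)) -
       OUTDDNAME(TAPE) -
       HWCOMPRESS -
       ENCRYPT(CLRAES128) -
       RSA(BACKUP.RSA.KEY.LABEL)
/*
//*
//* Step 2 (normally a separate job, often on another system):
//* restore and decrypt. RSA is optional here. It is specified
//* because this example assumes the RSA private key is stored in
//* the PKDS under a different label than the one given on DUMP.
//* If RSA were omitted, the label from the DUMP command is used.
//*
//RESTORE  EXEC PGM=ADRDSSU
//SYSPRINT DD  SYSOUT=*
//TAPE     DD  DSN=BACKUP.PAYROLL.ENC,UNIT=TAPE,DISP=OLD
//SYSIN    DD  *
  RESTORE DATASET(INCLUDE(PAYROLL.**)) -
          INDDNAME(TAPE) -
          REPLACE -
          RSA(DR.SITE.RSA.KEY.LABEL)
/*
```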