Encryption and key labels

During OPEN processing, when a data set is opened for OUTPUT at file sequence 1 with DISP=NEW, an encryption-enabled 3592 Model E05 is allocated, and the assigned data class specifies the EEFMT2 recording format, OPEN obtains the key encrypting key (KEK) labels and the key encoding mechanism (label or hash) through SMS services and passes them to the drive. If no key label information is specified, OPEN passes none, and the defaults established at the Encryption Key Manager (EKM) are used. For an encrypted cartridge opened with DISP=OLD (or DISP=SHR) at file sequence 1 (reuse from load point), OPEN directs the drive to reuse the existing KEK labels and to write in the encryption recording format (EEFMT2).

Encryption is supported for SL (IBM standard labels), AL (ANSI standard labels), NL (no labels), and NSL (nonstandard labels). For labeled tapes (SL or AL), OPEN indicates to the drive that the load point volume label is to be written with a key known to all encryption-capable 3592 drives, so the volume label stays readable on any such drive regardless of which KEKs protect the data.

The key exchange between the drive and the Encryption Key Manager (EKM) takes place during OPEN processing (file sequence 1, open for OUTPUT), and that is also when the drive writes the externally encrypted data key (EEDK) structures to the tape. Because of this encryption-related work, expect OPEN processing to take longer, with more time elapsing between the mount message and the TAPE ON (IEC705I) message.

OPEN sets the DEB2XEEF bit in the IEZDEB to indicate that the cartridge is encrypted.

OPEN also sends an indicator to the control unit specifying whether in-band or out-of-band key management is to be used.

During CLOSE processing for an encrypted volume, CLOSE obtains the key encrypting key (KEK) labels and the encoding mechanism from the drive and passes them to the File End on Volume tape installation exit, so that the tape management system can record the key labels associated with the volume.

During EOV processing for an encrypted volume, EOV obtains the key encrypting key (KEK) labels and the key encoding method from the drive and passes them to the drive on the subsequent mount, so that the same encryption information applies to every volume of a multivolume data set.

In the following situations, no additional changes are needed (other than indicating in-band or out-of-band key management). The drive automatically detects that the volume is encrypted and initiates a key request to the Encryption Key Manager to have the externally encrypted data key (EEDK) decrypted:
  • When an existing data set is opened for INPUT (read).
  • When an existing data set is opened for OUTPUT and appended to (DISP=MOD).
  • When an additional file sequence is written to the volume.
The key labels and encoding type are stored in an extended information segment of type 7 in the SMF type 14/15 record. The following excerpt from the SMF 14/15 mapping macro describes the section:
*              THIS DESCRIBES THE KEK LABELS AND ENCODING    
*              MECHANISMS FOR A TAPE DATA ENCRYPTED DATA SET.
*              THIS SECTION HAS A TYPE OF 7.                 
*                                                            
SMF14ENC EQU   *         TAPE ENCRYPTION DATA SECTION        
SMF14KL1 DS    CL64' '   KEY LABEL 1                         
SMF14CD1 DS    CL1' '    ENCODING MECHANISM FOR KEY LABEL 1  
SMF14KL2 DS    CL64' '   KEY LABEL 2                         
SMF14CD2 DS    CL1' '    ENCODING MECHANISM FOR KEY LABEL 2  

In addition to these SMF 14/15 fields, APAR OA19502 added the field SMF14KET, which contains the key exchange time in hundredths of a second. This key exchange (encryption overhead) time is recorded only in the SMF type 15 record and only for non-parallel OPEN processing when writing file sequence 1 from load point; otherwise the field is zero.
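As an added example (not IBM code, and not taken from the page), the following Python decodes the type 7 tape encryption section described above, so that an auditor can recover which KEK labels and encoding mechanism protected a given tape data set, and recognise the case where OPEN passed no key label information and the EKM defaults applied (both labels blank). The field lengths and order follow the mapping macro excerpt above. Assumed and not stated on this page: the text is EBCDIC code page 037, the encoding mechanism byte is 'L' for label or 'H' for hash, and the caller has already located the type 7 segment within the SMF record (its offset is not given here). The key label values in the sample are constructed.

```python
# Added example, not IBM code: decode the SMF14ENC (type 7) section of an
# SMF 14/15 record for key-usage auditing.
#
# Layout from the mapping macro excerpt on this page:
#   SMF14KL1  CL64  key label 1
#   SMF14CD1  CL1   encoding mechanism for key label 1
#   SMF14KL2  CL64  key label 2
#   SMF14CD2  CL1   encoding mechanism for key label 2
# Assumptions (not on this page): EBCDIC code page 037; the mechanism byte is
# 'L' (label) or 'H' (hash); the caller has already located the segment.
from dataclasses import dataclass
from typing import Optional

EBCDIC = "cp037"
LABEL_LEN = 64
SECTION_LEN = 2 * (LABEL_LEN + 1)  # 130 bytes
ENCODING_MECHANISM = {"L": "label", "H": "hash"}  # assumed values


@dataclass(frozen=True)
class KeyLabel:
    label: str      # KEK label as registered at the EKM
    mechanism: str  # "label" or "hash"


@dataclass(frozen=True)
class TapeEncryptionSection:
    key1: Optional[KeyLabel]
    key2: Optional[KeyLabel]

    @property
    def used_ekm_defaults(self) -> bool:
        """True when OPEN passed no key label information, so the
        EKM-established defaults applied (both label slots blank)."""
        return self.key1 is None and self.key2 is None


def _text(buf: bytes, off: int, length: int) -> str:
    return buf[off:off + length].decode(EBCDIC).rstrip(" ")


def _key_label(buf: bytes, off: int) -> Optional[KeyLabel]:
    label = _text(buf, off, LABEL_LEN)
    code = _text(buf, off + LABEL_LEN, 1)
    if not label:
        return None  # blank label: slot unused
    mechanism = ENCODING_MECHANISM.get(code)
    if mechanism is None:
        raise ValueError(f"unknown encoding mechanism {code!r} for label {label!r}")
    return KeyLabel(label, mechanism)


def parse_type7_section(section: bytes) -> TapeEncryptionSection:
    """Decode a 130-byte SMF14ENC section into its two key label slots."""
    if len(section) < SECTION_LEN:
        raise ValueError(f"section too short: {len(section)} < {SECTION_LEN}")
    return TapeEncryptionSection(
        key1=_key_label(section, 0),
        key2=_key_label(section, LABEL_LEN + 1),
    )


def build_type7_section(label1: str, code1: str, label2: str, code2: str) -> bytes:
    """Build a section laid out as the macro describes; used here only to
    make constructed sample input (the labels are not real)."""
    def field(value: str, length: int) -> bytes:
        if len(value) > length:
            raise ValueError(f"{value!r} exceeds {length} bytes")
        return value.ljust(length).encode(EBCDIC)
    return field(label1, LABEL_LEN) + field(code1, 1) + field(label2, LABEL_LEN) + field(code2, 1)


def key_exchange_seconds(smf14ket: int) -> Optional[float]:
    """SMF14KET holds hundredths of a second; zero means not applicable
    (not an SMF 15 record, parallel OPEN, or not file sequence 1 from load point)."""
    return None if smf14ket == 0 else smf14ket / 100.0


if __name__ == "__main__":
    sample = build_type7_section("TAPE.KEK.PROD.2024", "L", "TAPE.KEK.DR.2024", "H")
    print(parse_type7_section(sample))
    print(parse_type7_section(build_type7_section("", " ", "", " ")).used_ekm_defaults)
    print(key_exchange_seconds(245))
```

A section with a non-blank label but an unrecognised mechanism byte is rejected rather than silently recorded, since an auditor matching labels against the EKM keystore needs to know whether the value is a label or a hash of the key.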