SET ENCRYPT
Authorization
Privilege Class: A
Purpose
Use SET ENCRYPT to enable or disable host-level encryption for the z/VM® hypervisor if the appropriate hardware support is available to the LPAR.
Operands
- PAGing
  indicates the hypervisor function modified by this command is CP paging of guest memory and virtual-disk-in-storage (VDISK).
- OFF
  disables the host encryption for the hypervisor function indicated. You cannot use this operand if the ENCRYPT value was previously set to REQUIRED (via either the SET ENCRYPT command or the ENCRYPT configuration statement).
- ON
  enables host encryption for the hypervisor function indicated, if appropriate hardware is available. You cannot use this operand if the ENCRYPT value was previously set to REQUIRED (via either the SET ENCRYPT command or the ENCRYPT PAGING system configuration statement).
- REQUIRED
  enables host encryption for the hypervisor function indicated, if appropriate hardware is available, and locks this setting until the next system IPL. That is, once you set the ENCRYPT value to REQUIRED, the SET ENCRYPT command cannot be used for this CP function.
- ALGorithm
  Specifies the symmetric encryption cipher to be used by this host function. All algorithms currently supported require a specific level of CPACF (hardware feature 3863) to be enabled for the system. For more information, see z/VM: Migration Guide.
  - AES128
  - AES192
  - AES256
    indicates the Advanced Encryption Standard (AES) algorithm is to be used for this hypervisor function, in Cipher Block Chaining (CBC) mode. The key length in bits determines the strength of the encryption to be performed.
Usage Notes
- A value for ALGORITHM can be selected only when ENCRYPT PAGING is enabled for the first time. The algorithm can be set either with the SET ENCRYPT command or with the ENCRYPT statement in the system configuration file. Once an algorithm is selected, it cannot be changed without a system IPL.
- The algorithm must always match any previously selected value. SET ENCRYPT returns an error if a different algorithm is requested.
- The system operator receives an informational message after a successful SET ENCRYPT command if there is a change in encryption status.
- Caution should be exercised when using the REQUIRED option, because after using this option further changes are not permitted until the next system IPL. For more information, see Pervasive Encryption for z/VM in z/VM: CP Planning and Administration.
- Enabling encryption will increase CPU utilization relative to the strength of the encryption algorithm selected. For more information, see Major Factors Affecting Performance in z/VM: Performance.
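The operand and usage-note rules above (ON and OFF refused once REQUIRED is set, the algorithm locked at first enablement until the next IPL, enablement refused without CPACF) can be dry-run before a change is issued on a live LPAR. The following model is an added example, not IBM code and not the CP implementation: it reproduces the message numbers and response wording shown on this page, and assumes AES256 as the algorithm used when ALGORITHM is omitted on first enablement and that the REQUIRED response mirrors the ON response, neither of which the page states.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ALGORITHMS = ("AES128", "AES192", "AES256")
# Assumption: the page does not say which algorithm applies when ALGORITHM is
# omitted on first enablement, so this model picks AES256.
DEFAULT_ALGORITHM = "AES256"


@dataclass
class PagingEncryption:
    """ENCRYPT PAGING state for one z/VM image, following the rules on the page."""
    hardware_available: bool = True       # CPACF (feature 3863) usable by the LPAR
    ipl_setting: str = "OFF"              # value the ENCRYPT config statement applies at IPL
    current: str = "OFF"                  # OFF, ON or REQUIRED
    algorithm: Optional[str] = None       # locked the first time paging encryption is enabled
    operator_log: List[str] = field(default_factory=list)   # HCP1394I messages sent to the operator

    def set_encrypt(self, setting: str, algorithm: Optional[str] = None,
                    userid: str = "MAINT") -> str:
        """Dry-run SET ENCRYPT PAGING <setting> [ALGORITHM <algorithm>] issued by <userid>.

        Returns the command response, or the HCP error message, as a string."""
        setting = setting.upper()
        if setting not in ("OFF", "ON", "REQUIRED"):
            return f"HCP002E Invalid operand - {setting}"
        if algorithm is not None:
            algorithm = algorithm.upper()
            if algorithm not in ALGORITHMS:
                return f"HCP003E Invalid option - {algorithm}"
        # REQUIRED locks the setting until the next IPL (usage notes).
        if self.current == "REQUIRED":
            return "HCP1392E Encrypt Paging is required; no change made"
        # The algorithm is chosen only on first enablement and must match afterwards.
        if self.algorithm is not None and algorithm not in (None, self.algorithm):
            return (f"HCP1391E Encryption algorithm previously set to "
                    f"{self.algorithm}; no change made")
        if setting != "OFF":
            if not self.hardware_available:
                return ("HCP1390E Encrypt Paging cannot be enabled due to "
                        "missing hardware support")
            if self.algorithm is None:
                self.algorithm = algorithm or DEFAULT_ALGORITHM
        previous, self.current = self.current, setting
        if previous != setting:
            # The operator receives HCP1394I only when the status actually changes (Response 3).
            self.operator_log.append(
                f"HCP1394I Encryption of paging changed from {previous.lower()} "
                f"to {setting.lower()}, with algorithm {self.algorithm}, by user {userid}")
        if setting == "OFF":
            verb, status = "set off", "Off"
        else:
            # Assumption: the REQUIRED response wording mirrors the ON response on the page.
            verb = f"set {setting.lower()} to algorithm {self.algorithm}"
            status = f"{setting.capitalize()} {self.algorithm}"
        return (f"Encrypt Paging {verb}\nEncrypt Paging Settings:\n"
                f"Currently: {status}\nAt IPL: {self.ipl_setting.capitalize()}")

    def ipl(self) -> None:
        """A system IPL clears the REQUIRED lock; the algorithm can then be chosen again."""
        self.current = self.ipl_setting
        self.algorithm = None if self.ipl_setting == "OFF" else (self.algorithm or DEFAULT_ALGORITHM)


if __name__ == "__main__":
    system = PagingEncryption()
    print(system.set_encrypt("ON", "AES192", userid="SYSADM"))
    print(system.set_encrypt("ON", "AES256"))      # HCP1391E: algorithm is locked
    print(system.set_encrypt("REQUIRED"))
    print(system.set_encrypt("OFF"))               # HCP1392E: locked until IPL
```

Running the model over a planned sequence of commands shows, before anything is typed at the console, which step will be refused and why; in particular it makes visible that REQUIRED is a one-way door until IPL and that the first ALGORITHM value chosen is the one the system keeps.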
Responses
Response 1:
Encrypt Paging set on to algorithm AES192
Encrypt Paging Settings:
Currently: On AES192
At IPL: Off
This response is issued when ON is specified with a valid algorithmic value.
Response 2:
Encrypt Paging set off
Encrypt Paging Settings:
Currently: Off
At IPL: Off
This response is issued when encryption has never been enabled.
Response 3:
HCPENC1394I Encryption of paging changed from {on|off} to {on|off|required}, [with algorithm AESnnn,] by user userid
This message is issued to the primary system operator when a user ID other than the system operator uses SET ENCRYPT to change the state of host-level encryption of a particular function. This message does not require operator intervention, but should be noted for auditing and automation purposes.
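Because Response 3 is the only record an operator receives of a change made by another user ID, automation that watches the operator console should parse it rather than rely on someone noticing it. The following parser is an added example, not IBM code: it recognises both forms of the message number shown on this page (HCPENC1394I in Response 3, HCP1394I in the Messages list), rates a transition to off as critical because guest memory paged to disk is then unprotected, and flags a user ID or algorithm outside an expected set. The console lines it runs over are constructed for the example, and the user IDs and expected sets are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Layout taken from Response 3 and the Messages list on the page; both the
# HCPENC1394I and the HCP1394I spelling of the message number are accepted.
HCP1394I = re.compile(
    r"HCP(?:ENC)?1394I Encryption of paging changed from (?P<old>on|off) "
    r"to (?P<new>on|off|required),(?: with algorithm (?P<alg>AES(?:128|192|256)),)? "
    r"by user (?P<user>\S+)"
)


@dataclass
class PagingEncryptionChange:
    old: str
    new: str
    algorithm: Optional[str]
    userid: str
    severity: str                      # "critical" when paging encryption is switched off
    notes: List[str] = field(default_factory=list)


def parse_hcp1394i(line: str, expected_users: Iterable[str] = (),
                   expected_algorithms: Iterable[str] = ()) -> Optional[PagingEncryptionChange]:
    """Return the change described by one HCP1394I line, or None for any other line."""
    m = HCP1394I.search(line)
    if m is None:
        return None
    change = PagingEncryptionChange(
        old=m.group("old"), new=m.group("new"),
        algorithm=m.group("alg"), userid=m.group("user"),
        # Turning paging encryption off removes the protection of guest memory
        # paged to disk, so it is the transition an operator must react to.
        severity="critical" if m.group("new") == "off" else "info",
    )
    if expected_users and change.userid not in set(expected_users):
        change.notes.append(f"unexpected user {change.userid}")
    if change.algorithm and expected_algorithms and change.algorithm not in set(expected_algorithms):
        change.notes.append(f"unexpected algorithm {change.algorithm}")
    return change


def scan_operator_log(lines: Iterable[str], expected_users: Iterable[str] = (),
                      expected_algorithms: Iterable[str] = ()) -> List[PagingEncryptionChange]:
    """Extract every ENCRYPT PAGING change from a sequence of operator console lines."""
    changes = []
    for line in lines:
        change = parse_hcp1394i(line, expected_users, expected_algorithms)
        if change is not None:
            changes.append(change)
    return changes


# Constructed sample console lines (not a capture from a real system); user IDs are made up.
SAMPLE_LOG = [
    "HCPENC1394I Encryption of paging changed from off to on, with algorithm AES256, by user SYSADM",
    "HCP1390E Encrypt Paging cannot be enabled due to missing hardware support",
    "HCPENC1394I Encryption of paging changed from on to off, by user TESTUSR",
    "HCPENC1394I Encryption of paging changed from off to required, with algorithm AES256, by user SYSADM",
]

if __name__ == "__main__":
    for c in scan_operator_log(SAMPLE_LOG, expected_users={"SYSADM"}, expected_algorithms={"AES256"}):
        print(c.severity.upper(), c.old, "->", c.new, c.algorithm or "", c.userid, "; ".join(c.notes))
```

Feeding the operator console into this scanner gives an audit trail of who changed host-level paging encryption and when, and raises the case the usage notes care about most: encryption switched off by a user ID that is not expected to administer it.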
Messages
- HCP002E Invalid operand - operand
- HCP003E Invalid option - {option|command contains extra option(s) starting with option}
- HCP026E Operand missing or invalid
- HCP1390E Encrypt Paging cannot be enabled due to missing hardware support
- HCP1391E Encryption algorithm previously set to algorithm; no change made
- HCP1392E Encrypt Paging is required; no change made
- HCP1394I Encryption of paging changed from state to state, [with algorithm algorithm,] by user userid
- HCP2768E Missing algorithm type