SET ENCRYPT

SET ENCRYPT PAGING {OFF | ON | REQuired} [ALGorithm {AES128 | AES192 | AES256}] (1)

Default: ALGORITHM AES256
Notes:
  • 1 ALGORITHM must always match any previously selected value. See Usage Notes for more information.

Authorization

Privilege Class: A

Purpose

Use SET ENCRYPT to enable or disable host level encryption for the z/VM® hypervisor if the appropriate hardware support is available to the LPAR.

Operands

PAGing
indicates the hypervisor function modified by this command is CP paging of guest memory and virtual-disk-in-storage (VDISK).
OFF
disables the host encryption for the hypervisor function indicated. You cannot use this operand if the ENCRYPT value was previously set to REQUIRED (via either the SET ENCRYPT command or the ENCRYPT configuration statement).
ON
enables host encryption for the hypervisor function indicated, if appropriate hardware is available. You cannot use this operand if the ENCRYPT value was previously set to REQUIRED (via either the SET ENCRYPT command or the ENCRYPT PAGING system configuration statement).
REQUIRED
enables host encryption for the hypervisor function indicated, if appropriate hardware is available, and locks this setting until the next system IPL. That is, once you set the ENCRYPT value to REQUIRED, the SET ENCRYPT command cannot be used for this CP function.
ALGorithm
Specifies the symmetric encryption cipher to be used by this host function. All algorithms currently supported require a specific level of CPACF (hardware feature 3863) to be enabled for the system. For more information, see z/VM: Migration Guide.
AES128
AES192
AES256
indicates the Advanced Encryption Standard (AES) algorithm is to be used for this hypervisor function, in Cipher Block Chaining (CBC) mode. The key length in bits determines the strength of the encryption to be performed.

Usage Notes

  1. A value for ALGORITHM can be selected only when ENCRYPT PAGING is enabled for the first time. The algorithm can be set either with the SET ENCRYPT command or with the ENCRYPT statement in the system configuration file. Once an algorithm is selected, it cannot be changed without a system IPL.
  2. The algorithm must always match any previously selected value. SET ENCRYPT returns an error if a different algorithm is requested.
  3. The system operator receives an informational message after a successful SET ENCRYPT command if there is a change in encryption status.
  4. Caution should be exercised when using the REQUIRED option, because after using this option further changes are not permitted until the next system IPL. For more information, see Pervasive Encryption for z/VM in z/VM: CP Planning and Administration.
  5. Enabling encryption will increase CPU utilization relative to the strength of the encryption algorithm selected. For more information, see Major Factors Affecting Performance in z/VM: Performance.

Responses

Response 1:

Encrypt Paging set on to algorithm AES192
Encrypt Paging Settings:
     Currently: On AES192
     At IPL: Off
This response is issued when ON is specified with a valid algorithm value.
Response 2:

Encrypt Paging set off
Encrypt Paging Settings
     Currently: Off
     At IPL: Off    
This response is issued when encryption has never been enabled.
Response 3:
HCPENC1394I Encryption of paging changed from {on|off} to {on|off|required},
[with algorithm AESnnn,] by user userid
This message is issued to the primary system operator when a user ID other than the system operator uses SET ENCRYPT to change the state of host-level encryption of a particular function. This message does not require operator intervention, but should be noted for auditing and automation purposes.
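
For the auditing and automation use mentioned above, the following added example (not part of the z/VM documentation or any IBM tooling) parses message HCP1394I out of captured console text and labels each change. The sample lines, user IDs, and triage labels are constructed, and the parser assumes a wrapped message continues on the next line with no prefix.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Template from the page: HCPENC1394I Encryption of paging changed from
# {on|off} to {on|off|required}, [with algorithm AESnnn,] by user userid
MSG_RE = re.compile(
    r"HCP(?:ENC)?1394I\s+Encryption\s+of\s+paging\s+changed\s+"
    r"from\s+(?P<old>on|off)\s+to\s+(?P<new>on|off|required),\s*"
    r"(?:with\s+algorithm\s+(?P<alg>AES(?:128|192|256)),\s*)?"
    r"by\s+user\s+(?P<user>\S+)",
    re.IGNORECASE,
)

class EncryptChange(NamedTuple):
    old: str
    new: str
    algorithm: Optional[str]
    user: str
    finding: str

def classify(new: str) -> str:
    """Triage labels are an assumed local policy, not defined by the page."""
    if new == "off":
        return "ALERT: paging encryption disabled"
    if new == "required":
        return "INFO: paging encryption locked until next IPL"
    return "WARN: paging encryption on but not locked with REQUIRED"

def parse_console(lines: Iterable[str]) -> List[EncryptChange]:
    # The message can wrap onto a second line, so join before matching.
    # Assumes continuation lines carry no timestamp or other prefix.
    text = " ".join(line.strip() for line in lines)
    changes = []
    for m in MSG_RE.finditer(text):
        new = m.group("new").lower()
        alg = m.group("alg")
        changes.append(EncryptChange(m.group("old").lower(), new,
                                     alg.upper() if alg else None,
                                     m.group("user"), classify(new)))
    return changes

# Constructed sample console lines; the user IDs are made up.
SAMPLE_LOG = [
    "HCPENC1394I Encryption of paging changed from off to on,",
    "with algorithm AES256, by user MAINT",
    "HCPENC1394I Encryption of paging changed from on to off, by user SECADM1",
    "HCPENC1394I Encryption of paging changed from off to required, "
    "with algorithm AES256, by user MAINT",
    "HCP1392E Encrypt Paging is required; no change made",
]

if __name__ == "__main__":
    for change in parse_console(SAMPLE_LOG):
        print(change.finding, "by", change.user, change.algorithm or "")
```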

Messages

  • HCP002E Invalid operand - operand
  • HCP003E Invalid option - {option|command contains extra option(s) starting with option}
  • HCP026E Operand missing or invalid
  • HCP1390E Encrypt Paging cannot be enabled due to missing hardware support
  • HCP1391E Encryption algorithm previously set to algorithm; no change made
  • HCP1392E Encrypt Paging is required; no change made
  • HCP1394I Encryption of paging changed from state to state, [with algorithm algorithm,] by user userid
  • HCP2768E Missing algorithm type