Protecting keys stored with a file

You may want to store encrypted data in a file that is stored on DASD or on magnetic tape. For example, if you use a data-encrypting key to encrypt data in a file, you can store the data-encrypting key with the encrypted data. As is shown in Figure 1, you use an importer key-encrypting key to encrypt the data-encrypting key.

Figure 1. Keys protected in a file outside the system
REQTEXT

When you encipher a key under an importer key, the key is no longer enciphered under the master key and is no longer operational. You can store the key off the system because the key will not become obsolete if you change the master key. The importer key that protects the data-encrypting key is reenciphered under the correct master key during a master key change. Therefore, when enciphered under the importer key, the data-encrypting key is not directly affected by a master key change.

When you are ready to use the data-encrypting key, use ICSF to reencipher it from under the transport key to under the master key. This makes the data-encrypting key operational. You can then use the data-encrypting key to decrypt the data.