Encryption methods

You can use InfoSphere® Guardium Data Encryption to create an encryption method to encrypt your data. Several options for encryption methods are available to meet the specific needs of your environment.

The encryption method that you create is linked with one of the InfoSphere Guardium Data Encryption encryption methods that are provided with the product. These provided encryption methods use either Integrated Cryptographic Service Facility (ICSF) callable services or z/Architecture cipher instructions to encrypt the data. In every case, the data is encrypted by using a key that is managed by ICSF.

Cryptographic key encryption methods

Each InfoSphere Guardium Data Encryption encryption method uses ICSF callable services to support one or more of the following encryption methods for the cryptographic key label:

CPACF protected key
A high performance key encryption method type that is available on IBM® System z10® Enterprise Class GA3 and later mainframes. A CPACF protected key is not visible to applications or to the operating system during encryption.
Clear key with CPACF protected key wrapping
A high performance key encryption method type that is available on IBM System z10 Enterprise Class GA3 and later mainframes. A clear key with CPACF protected key wrapping uses an ICSF defined clear key, which is encrypted by using a CPACF instruction and an LPAR wrapping key. The resulting encrypted token is available in the user address space.
Clear key
A key type that is available on IBM zSeries z990, IBM zSeries z890, and later mainframes. A clear key is not encrypted under another key.
Secure key
A key that is encrypted under a master key. The secure key never exists unencrypted outside of the cryptographic coprocessor.
Secure key with CPACF protected key wrapping
A high performance key encryption method type that is available on IBM System z10 Enterprise Class GA3 and later mainframes. This option is made available through the application of the PTF for APAR OA50450 applied to FMID HCR77B1, HCR77B0, HCR77A1, and HCR77A0.
A secure key with CPACF protected key wrapping uses an ICSF defined secure key, which is encrypted by using a CPACF instruction and an LPAR wrapping key. The resulting encrypted token is available in the user address space.

RACF enables you to restrict access to ICSF managed keys and authorize an ICSF-defined secure key to be used as an ICSF protected key. InfoSphere Guardium Data Encryption processing has no control over the security environment that is used when ICSF performs an authorization check. In some cases, the security environment that is used for the authorization check will be different from the security environment that is associated with the user who makes the request. For more information about how to use RACF to authorize users of specific key labels, see Using RACF to Protect Keys and Services on the IBM Knowledge Center: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.csfb300/ctl.htm#ctl.

For more information about protected keys, see the z/OS Cryptographic Services ICSF Administrator’s Guide, Enabling use of encrypted keys in Symmetric Key Encipher and Symmetric Key Decipher callable services: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.csfb300/enuenc.htm.

For more information about creating keys by using KGUP, see the z/OS Cryptographic Services ICSF Administrator’s Guide, Using KGUP Panels: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.csfb300/csfb300_Using_KGUP_Pa

The following tables show the relationships between the InfoSphere Guardium Data Encryption encryption methods and the types of cryptographic key label encryption. Performance results might vary in your environment.

Table 1. Key encryption methods provided by DB2 edit procedures
InfoSphere Guardium Data Encryption exit routine for DB2® | Key encryption | Sample member | Performance
DECENA00 | Clear key | DECDB2CK | Lowest overhead, best performance
DECENAA0 | CPACF-wrapped secure or clear key | DECDB2XK | Lowest overhead, best performance
DECENB00 | CPACF protected key | DECDB2CL | Low overhead, good performance
DECENBI0 | CPACF protected key plus unique Initial Chaining Vector (ICV) generation | DECDB2CL | Low overhead, good performance
DECENC00 | Secure key | DECDB2JB and DECDB2SK | Most overhead, most latency
DECENCA0 | Secure key plus AES | DECDB2JB | Most overhead, most latency
Table 2. Key encryption methods provided by DB2 field procedures
InfoSphere Guardium Data Encryption exit routine for DB2 | Key encryption | Sample member | Performance
DECENF00 | CPACF protected key | DECDBFCL | Low overhead, good performance
Table 3. Key encryption methods provided by DB2 User Defined Function
InfoSphere Guardium Data Encryption exit routine for DB2 | Key encryption | Sample member | Performance
DECENU00 | CPACF protected key | DECDB2UD | Low overhead, good performance
DECENUI0 | CPACF protected key | DECDB2UD and DECUXUDF (sample SQL statements) | Low overhead, good performance
DECENUP0 | CPACF protected key | DECDB2UD | Low overhead, good performance
DECENUBL | CPACF protected key | DECDB2UD | Low overhead, good performance
Table 4. Key encryption methods provided by IMS exit routines
InfoSphere Guardium Data Encryption exit routine for IMS™ | Key encryption | Sample member | Performance
DECENA01 | Clear key | DECIMSCK | Lowest overhead, best performance
DECENAA1 | CPACF-wrapped secure key or clear key with CPACF protected key wrapping; batch ICSF CHECKAUTH recurring bypass | DECIMSCB | Low overhead, good performance
DECENB01 | CPACF protected key | DECIMSCB | Low overhead, good performance
DECENBB1 | CPACF-wrapped secure key or CPACF protected key with batch ICSF CHECKAUTH recurring bypass | DECIMSCB | Low overhead, good performance
DECENC01 | Secure key | DECIMSJB | Most overhead, most latency

If you are operating on an earlier mainframe than the System z10 Enterprise Class GA3, the DECENB01 exit routine can be a clear key exit routine that supports the Advanced Encryption Standard (AES) up to 128-bit.

Important: DECENAA1 and DECENBB1 require the Guardium Data Encryption subsystem to run. For more information, see Setting up the Guardium Data Encryption subsystem.

Note: The following restrictions apply to DECENAA0, DECENAA1, and DECENBB1:
  1. If ICSF APAR OA50450 is installed:
     - DECENAA0, DECENAA1, and DECENBB1 will work with all clear key labels.
     - DECENAA0 and DECENAA1 will only work with secure key labels that are defined with SYMCPACFWRAP(YES) and SYMCPACFRET(YES). DECENBB1 will work with any secure key label, but performance will be improved when using key labels that are defined with SYMCPACFWRAP(YES) and SYMCPACFRET(YES).
  2. If ICSF APAR OA50450 is not installed:
     - DECENAA0, DECENAA1, and DECENBB1 will work with all clear key labels.
     - With secure key labels, DECENAA0 and DECENAA1 will not work, and DECENBB1 performance will be degraded.

The InfoSphere Guardium Data Encryption encryption methods encrypt and decrypt data differently. Some of the encryption methods employ Integrated Cryptographic Service Facility (ICSF) callable services to perform the processing. Others use the zSeries Cipher Message with Chaining (KMC) or Cipher Message with Feedback (KMF) hardware instructions. When KMC or KMF is used, the encryption key data is still obtained by using an ICSF callable service; only the cipher operation itself runs on the hardware instruction.
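The key types listed under Cryptographic key encryption methods and the KMC chaining described in the previous paragraph can be modelled in a few lines. The following Go program is an added example, not code from the product or from IBM: it uses AES-GCM as a software stand-in for the CPACF wrapping of a key under an LPAR wrapping key (the application holds only the wrapped token, and only the encryption routine can unwrap it), uses AES in CBC mode as a stand-in for the KMC instruction, and shows why the unique-ICV variant (DECENBI0 in Table 1) matters: the same record encrypted twice under a constant ICV produces identical ciphertext. The wrapping key, data key, record value and all function names are constructed for the example; the real hardware token formats and ICSF services are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// wrappingKey stands in for the LPAR wrapping key (constructed value); it and
// the AEAD built from it are package-private and never returned to callers.
// AES-GCM is a software stand-in for the CPACF wrapping instruction.
var (
	wrappingKey = []byte("example-lpar-wrapping-key-32byte")
	wrapAEAD    cipher.AEAD
)

func init() {
	block, err := aes.NewCipher(wrappingKey)
	if err != nil {
		panic(err)
	}
	if wrapAEAD, err = cipher.NewGCM(block); err != nil {
		panic(err)
	}
}

// WrapKey turns a clear AES key into a protected-key token (the clear key
// encrypted and authenticated under the wrapping key), which is all the
// application ever holds in its address space.
func WrapKey(clearKey []byte) ([]byte, error) {
	nonce := make([]byte, wrapAEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return wrapAEAD.Seal(nonce, nonce, clearKey, nil), nil
}

// unwrapKey is unexported on purpose: only CryptRecord may recover the clear
// key, mirroring the rule that a protected key is never visible to the
// application. A tampered token fails authentication here.
func unwrapKey(token []byte) (cipher.Block, error) {
	n := wrapAEAD.NonceSize()
	if len(token) < n {
		return nil, errors.New("token too short")
	}
	key, err := wrapAEAD.Open(nil, token[:n], token[n:], nil)
	if err != nil {
		return nil, err
	}
	return aes.NewCipher(key)
}

// CryptRecord runs AES-CBC (the mode the KMC instruction implements) over one
// block-aligned record, chained from the caller's initial chaining vector.
func CryptRecord(token, icv, in []byte, decrypt bool) ([]byte, error) {
	if len(icv) != aes.BlockSize || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("ICV must be one AES block and the record block-aligned")
	}
	block, err := unwrapKey(token)
	if err != nil {
		return nil, err
	}
	mode := cipher.NewCBCEncrypter(block, icv)
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, icv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out, nil
}

// FixedICVRevealsEquality encrypts the same record twice under a constant ICV
// and reports whether the ciphertexts match. True is the leak a per-record ICV
// prevents: equal values appear as equal ciphertext in the encrypted table.
func FixedICVRevealsEquality(token, record []byte) (bool, error) {
	icv := make([]byte, aes.BlockSize) // all-zero, reused for every record
	a, err := CryptRecord(token, icv, record, false)
	if err != nil {
		return false, err
	}
	b, err := CryptRecord(token, icv, record, false)
	return err == nil && bytes.Equal(a, b), err
}

func main() {
	token, _ := WrapKey([]byte("0123456789abcdef")) // constructed 128-bit key
	record := []byte("SSN=123-45-6789 ")             // constructed 16-byte record
	leaks, _ := FixedICVRevealsEquality(token, record)
	icv := make([]byte, aes.BlockSize) // fresh ICV per record, as the unique-ICV variant does
	rand.Read(icv)
	ct, _ := CryptRecord(token, icv, record, false)
	pt, _ := CryptRecord(token, icv, ct, true)
	fmt.Println("fixed ICV reveals equality:", leaks, "round trip:", bytes.Equal(pt, record))
}
```

Run it with `go run`; it prints whether a constant ICV exposes record equality and whether the round trip succeeds. The unexported unwrapKey is the point of the model: nothing outside the encryption routine can turn the token back into the clear key, and a token that has been modified fails authentication instead of silently decrypting with a wrong key.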

Encryption method creation

Each encryption method that you create is linked with one of the InfoSphere Guardium Data Encryption methods and the corresponding ICSF callable service.

The following figure illustrates the process of creating an encryption method.

Figure 1. Process of creating an encryption method by using InfoSphere Guardium Data Encryption
This graphic shows how an encryption method is created. It depicts the relationship between the provided exit routines, the ICSF callable services, the encryption method, and the DB2 or IMS EXITLIB.

As the previous figure illustrates, an encryption method is created with this process:

  1. An InfoSphere Guardium Data Encryption encryption method and the corresponding ICSF callable service are link-edited into the encryption method.
  2. The AMASPZAP program puts the cryptographic key label into your encryption method.
  3. Your encryption method is placed in the IMS or DB2 exit library.

Encryption standards

The following tables show the encryption standards that are supported by each of the InfoSphere Guardium Data Encryption encryption methods.

Table 5. Encryption standards supported by DB2 edit procedures
InfoSphere Guardium Data Encryption exit routine for DB2 | Encryption algorithm
DECENA00 | AES, Triple DES, or DES
DECENAA0 | AES, Triple DES, or DES
DECENB00 | AES
DECENBI0 | AES
DECENC00 | Triple DES or DES
DECENCA0 | AES
Table 6. Encryption standards supported by DB2 field procedures
InfoSphere Guardium Data Encryption exit routine for DB2 | Encryption algorithm
DECENF00 | AES
Table 7. Encryption standards supported by DB2 User Defined Function
InfoSphere Guardium Data Encryption exit routine for DB2 | Encryption algorithm
DECENU00 | AES
DECENUBL | AES
DECENUI0 | AES
DECENUP0 | AES
Table 8. Encryption standards supported by IMS exit routines
InfoSphere Guardium Data Encryption exit routine for IMS | Encryption algorithm
DECENA01 | Triple DES or DES
DECENAA1 | AES, DES, and Triple DES
DECENB01 | AES
DECENBB1 | AES
DECENC01 | Triple DES or DES
Tip: To use a clear key, use either DECENA01 or DECENAA1. To use a CPACF-wrapped secure key, use either DECENAA1 or DECENBB1.
Important: DECENAA1 and DECENBB1 require the Guardium Data Encryption subsystem to run. For more information, see Setting up the Guardium Data Encryption subsystem.
Note:
  1. AES is supported, beginning with ICSF Release HCR7770, if an ICSF AES master key is defined.