Confidentiality of messages
Encrypting messages ensures that the contents of messages remains confidential. There are various methods of encrypting messages in IBM® MQ depending on your needs.
If you need application-level, end-to-end data protection for your point to point messaging infrastructure, you can use Advanced Message Security to encrypt the messages, or write your own API exit or API-crossing exit.
The most secure solution is to provide end-to-end encryption, by encrypting a message from the point it is put by an application, to the point where it is got by the consuming application. This can be done using Planning for Advanced Message Security (AMS) , or by writing your own API exit or API-crossing exit; see Implementing confidentiality in user exit programs for more information.
If you need to encrypt messages only while they are being transported over a network, you can use TLS; see TLS security protocols in IBM MQ for more information, or you can write your own security exit, message exit, or send and receive exit programs to perform encryption.
![[z/OS]](ngzos.gif)
![[MQ 9.2.0 Jul 2020]](ng920.gif)
If you need to encrypt messages at rest on a queue manager, you
can use z/OS® data set encryption on that queue
manager; see Confidentiality for data at rest on
IBM MQ for z/OS with data set encryption. for more
information.