The encryption process

The encryption process uses the VSAM encryption support that is provided by DFSMS. When zFS encrypts a file system, it encrypts all security information, access control lists, symbolic link contents, and file contents. For more detailed information about encrypting data sets, review the following documentation:

Restrictions:
  1. Do not enable encryption for any file system until you migrate all of your systems to z/OS V2R3. Because encryption is not supported before z/OS V2R3, all systems in a sysplex must be at least z/OS V2R3 before encryption can begin. Also, do not begin the encryption process until you know that no system will be regressed to an earlier release.

    Decryption is supported. However, the decryption process does not remove key labels. File systems that have had key labels assigned cannot be mounted on a release prior to V2R3, even if those file systems have not been encrypted or are currently not encrypted. Therefore, if there is no zFS system in the shared file system environment that is eligible to own a file system with a key label assigned to it, the file system will be inaccessible.

  2. Version 1.4 aggregates cannot be encrypted.
  3. Key labels cannot be changed or removed after you assign them.
  4. You cannot encrypt or decrypt an aggregate that is in a partially compressed or partially decompressed state. In other words, if compression or decompression was stopped for an aggregate, you cannot encrypt or decrypt it until after the compression or decompression is completed.
  5. New file systems should be defined with the DFSMS extended format option.

Because encryption affects the performance of file I/O paths, user file cache performance is important. Even though the default cache size is often sufficient, ensure that the zFS user cache is large enough. Also, consider pairing encryption with compression. If the compression is done first, the amount of data to be encrypted is smaller, which might slightly improve performance.

For any ICSF considerations when you enable encryption, see Starting and stopping ICSF in .