IBM Support

How to Set up Encryption Environment to Perform Software Encryption

Troubleshooting


Problem

This document explains how to set up an encryption environment.

Resolving The Problem

Starting with R610, it is possible to use software encryption with BRMS as indicated in the TECHDOC N1018803 "Using BRMS to Encrypt Data"

To set up the environment, you must create a master key, create a keystore file, generate a keystore file entry, and then create a media policy that uses the environment you created.

To create all of the above from the green screen (5250 command line), do the following:

1. Add a master key part: ADDMSTPART MSTKEY(1) PASSPHRASE(put your passphrase here)
2. Set the master key: SETMSTKEY MSTKEY(1)

   You can check the master key verification value (KVV) with the command CHKMSTKVV MSTKEY(1) VERSION(*CURRENT)
3. Create the keystore file: CRTCKMKSF KEYSTORE(QUSRBRM/Q1AKEYFILE) MSTKEY(1) AUT(*LIBCRTAUT)

Note: As indicated in Backup, Recovery, and Media Services for i5/OS, SC41-5345-06, the only valid keystore file is Q1AKEYFILE, and it must exist in library QUSRBRM. This ensures that when saving media information using your control group or the SAVMEDIBRM command, the key file is also saved.
4. Generate a keystore file entry: GENCKMKSFE KEYSTORE(QUSRBRM/Q1AKEYFILE) RCDLBL(BRMSTEST) KEYTYPE(*AES) KEYSIZE(32)

Notes:
1. The record label must be in capital letters; otherwise, the save ends with message CPF670A - Incorrect encryption key information specified.
2. The AES key length (128, 192, or 256 bits) is controlled by the KEYSIZE value specified when the key is generated into the keystore file (step 4): 16 = 128 bit, 24 = 192 bit, 32 = 256 bit.
5. Create a media policy specifying the following parameters:

Encrypt Data . . . . . . . . . . : *YES
Key store file . . . . . . . . : Q1AKEYFILE
Key store library. . . . . . . : QUSRBRM
Key record label . . . . . . . : BRMSTEST

These five steps are the minimum required to set up the encryption environment. If you will use a control group, you must also specify that an encrypted save is to be performed: edit the control group and press F11 twice to set the Encrypt parameter to *MEDPCY for each backup item you want encrypted. The default value is *NO, and no data is encrypted if this change is not made. Encrypting backup media causes extra processing and can make the backup run slower.
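The procedure above collected into one CL program, as an added example written for this technote rather than code from IBM or BRMS. It assumes master key 1 has already been loaded and set interactively (steps 1 and 2), so no passphrase appears in program source or in this program's job log; it takes the record label as a parameter; and it adds two pre-checks that the technote does not list as commands: CHKPRDOPT for operating system option 44 (the cause of CPF670A condition code 4 in Additional Information) and CHKOBJ so the keystore file is created only once. The program name BRMSENCSET is made up. Step 5, the media policy, is left to the BRMS panels shown above.

```cl
/* BRMSENCSET: set up the BRMS software-encryption keystore.           */
/* Added example for this technote, not IBM-supplied code.             */
/* Assumes master key 1 was already loaded and set interactively       */
/* (ADDMSTPART / SETMSTKEY, steps 1 and 2), so no passphrase appears   */
/* in program source or in the job log of this program.                */
/* Call:  CALL PGM(BRMSENCSET) PARM('BRMSTEST')                         */
             PGM        PARM(&RCDLBL)
             DCL        VAR(&RCDLBL)  TYPE(*CHAR) LEN(32) /* upper case */
             DCL        VAR(&KEYFILE) TYPE(*CHAR) LEN(10) VALUE('Q1AKEYFILE')
             DCL        VAR(&KEYLIB)  TYPE(*CHAR) LEN(10) VALUE('QUSRBRM')

/* Pre-check (Additional Information, item 2): operating system option  */
/* 44, Encrypted Backup Enablement, must be installed or the save       */
/* later ends with CPF670A condition code 4.                            */
             CHKPRDOPT  PRDID(*OPSYS) OPTION(44)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('Option 44 (Encrypted Backup +
                            Enablement) is not installed')
             ENDDO

/* Check the master key the way the technote does; an escape message   */
/* here means steps 1 and 2 were not completed on this system.          */
             CHKMSTKVV  MSTKEY(1) VERSION(*CURRENT)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('Master key 1 check failed; run +
                            ADDMSTPART and SETMSTKEY first')
             ENDDO

/* Step 3: create QUSRBRM/Q1AKEYFILE only if it does not exist yet.     */
/* This is the only keystore name BRMS accepts, and keeping it in      */
/* QUSRBRM means SAVMEDIBRM saves the key file with the media info.     */
             CHKOBJ     OBJ(&KEYLIB/&KEYFILE) OBJTYPE(*FILE)
             MONMSG     MSGID(CPF9801) EXEC(DO)
               CRTCKMKSF  KEYSTORE(&KEYLIB/&KEYFILE) MSTKEY(1) +
                            AUT(*LIBCRTAUT)
             ENDDO

/* Step 4: generate the AES key record. KEYSIZE(32) bytes = AES-256;   */
/* 16 and 24 would give AES-128 and AES-192. The label must be upper   */
/* case or the encrypted save ends with CPF670A.                       */
             GENCKMKSFE KEYSTORE(&KEYLIB/&KEYFILE) RCDLBL(&RCDLBL) +
                          KEYTYPE(*AES) KEYSIZE(32)

/* Step 5 is done in the BRMS media policy panels as shown above:      */
/* Encrypt Data *YES, key store file Q1AKEYFILE in QUSRBRM, key record */
/* label as passed in &RCDLBL. Control group items still need the      */
/* Encrypt parameter set to *MEDPCY.                                   */
             ENDPGM
```

Because the label is passed as a parameter, pass it already in capital letters (for example PARM('BRMSTEST')); CL does not upper-case it for you, and a lower-case label is accepted by GENCKMKSFE but fails later at save time with CPF670A, as the note on step 4 states.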



Additional Information:
  1. Using the WRKMEDIBRM command followed by F11 three times, you can see whether a backup was performed using software encryption.
  2. CPF670A with condition code 4 is received if 57xxSS1 option 44 - Encrypted Backup Enablement is not installed.


Historical Number

520009834

Document Information

Modified date:
18 December 2019

UID

nas8N1018617