This document explains how to set up an encryption environment.
Resolving The Problem
Starting with R610, it is possible to use software encryption with BRMS, as described in TECHDOC N1018803, "Using BRMS to Encrypt Data".
To set up the environment, you must create a master key, create a keystore file, generate a keystore file entry, and then create a media policy that uses the environment you created.
To create all of the above from the green screen (5250 command line), do the following:
1. Add master key part: ADDMSTPART MSTKEY(1) PASSPHRASE(put your Passphrase here)
2. Set master key: SETMSTKEY MSTKEY(1)
   You can check the master key verification value (KVV) with the command CHKMSTKVV MSTKEY(1) VERSION(*CURRENT).
3. Create keystore file: CRTCKMKSF KEYSTORE(QUSRBRM/Q1AKEYFILE) MSTKEY(1) AUT(*LIBCRTAUT)
   Note: As indicated in Backup, Recovery, and Media Services for i5/OS (SC41-5345-06), the only valid keystore file is Q1AKEYFILE, and it must exist in library QUSRBRM. This ensures that when media information is saved by your control group or by the SAVMEDIBRM command, the key file is saved with it.
4. Generate keystore file entry: GENCKMKSFE KEYSTORE(QUSRBRM/Q1AKEYFILE) RCDLBL(BRMSTEST) KEYTYPE(*AES) KEYSIZE(32)
   Notes:
   1. The record label must be in capital letters; otherwise, the save ends with message CPF670A - Incorrect encryption key information specified.
   2. The AES key length (128, 192, or 256 bits) is controlled by the KEYSIZE value selected when the keystore file entry is generated (step 4): 16 = 128 bit, 24 = 192 bit, 32 = 256 bit.
5. Create a media policy specifying the following parameters:
   Encrypt Data . . . . . . . . . . : *YES
   Key store file . . . . . . . . : Q1AKEYFILE
   Key store library. . . . . . . : QUSRBRM
   Key record label . . . . . . . : BRMSTEST
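The following CL program is an added example, not part of the original tech note: it scripts steps 3 and 4 with error handling once master key 1 has been loaded and set interactively (steps 1 and 2, which involve the passphrase). The program name CRTBRMKEY is assumed, the key size is taken as a parameter and checked against the three valid values from the note above, and BRMSTEST is the constructed record label from step 4.

```cl
/* Added example (not from the tech note): create the BRMS keystore file  */
/* and an AES entry under master key 1, stopping at the first failure.    */
/* Assumed program name CRTBRMKEY; master key 1 is already set.           */
             PGM        PARM(&KEYSIZE)
             DCL        VAR(&KEYSIZE) TYPE(*DEC) LEN(15 5)
             DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)

/* Only the three AES sizes are valid: 16 = 128, 24 = 192, 32 = 256 bit   */
             IF         COND(&KEYSIZE *NE 16 *AND &KEYSIZE *NE 24 *AND +
                          &KEYSIZE *NE 32) THEN(DO)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('KEYSIZE must be 16, 24 or 32')
             ENDDO

/* Confirm master key 1 is set before creating a keystore encrypted by it */
             CHKMSTKVV  MSTKEY(1) VERSION(*CURRENT)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

/* Step 3: BRMS accepts only QUSRBRM/Q1AKEYFILE as the keystore file      */
             CRTCKMKSF  KEYSTORE(QUSRBRM/Q1AKEYFILE) MSTKEY(1) +
                          AUT(*LIBCRTAUT)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

/* Step 4: record label in capitals, or the save fails with CPF670A       */
             GENCKMKSFE KEYSTORE(QUSRBRM/Q1AKEYFILE) RCDLBL(BRMSTEST) +
                          KEYTYPE(*AES) KEYSIZE(&KEYSIZE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

             SNDPGMMSG  MSG('Keystore entry BRMSTEST created; set Encrypt +
                          Data *YES and this label in the media policy.')
             RETURN

/* Re-raise the failing message so the caller and job log show the cause */
 FAIL:       RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('Key setup failed with' *BCAT &MSGID)
             ENDPGM
```

Compile with CRTCLPGM and call it as CALL CRTBRMKEY PARM(32) for an AES-256 entry; the media policy of step 5 is still created from the green screen.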
- Using the WRKMEDIBRM command followed by F11 three times, you can see whether a backup was performed using software encryption.
- CPF670A with condition code 4 is received if 57xxSS1 option 44 (Encrypted Backup Enablement) is not installed.
18 December 2019