What is the purpose of z/OS dataset encryption?

 
vasanthz


Posted: Fri Aug 31, 2018 12:56 am    Post subject: What is the purpose of z/OS dataset encryption?

Hi, I think with z/OS 2.2 we have the optional feature of 'Dataset Encryption'.

This link - https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.idak100/encryption23.htm
says,
Quote:
With data set encryption, you are able to protect data residing on disk from being viewed by unauthorized users in the clear.

If the underlying hard disks are already hardware encrypted (let's say VMAX with back-end encryption), then why do we need dataset encryption?
Quote:
It also says "With z/OS data set encryption, you can encrypt data without requiring application changes."

I believe this means that any job/ISPF/program would be able to read the encrypted dataset unhindered, the same as the unencrypted version.
Then why do we need this? RACF already guards access requests from programs, JCL, etc.

We have not enabled dataset encryption yet, but are trying to understand its capability.
Simply put, how is it possible for someone to gain access to an unencrypted dataset and not to an encrypted dataset?

Regards,
Vasanth.S

Robert Sample


Posted: Fri Aug 31, 2018 1:20 am    Post subject: Reply to: What is the purpose of z/OS dataset encryption?

Quote:
Simply put, how is it possible for someone to gain access to an unencrypted dataset and not to an encrypted dataset?

If you send data (such as a tape) offsite (to a disaster recovery facility, for example, or to an offsite storage company), data set encryption can protect that data even if it is stolen while travelling to or from the offsite location. If that tape is loaded on another system, it is not that hard to be able to read it (with or without standard labels) -- unless the data is encrypted. In such a case, RACF would not be doing anything to protect the tape data since it is on a completely different system without the RACF rules you're used to.
vasanthz


Posted: Fri Aug 31, 2018 1:54 am

Thanks Robert, I understand to some extent how it applies to tape.
But would this still apply if the tapes are all virtual tapes and the underlying hard disks are hardware encrypted?
Even if someone breaks into a datacenter and steals a bunch of hard disks, they still would not be able to read them, since they are encrypted at the hard disk level.
It need not be dataset level, right?
dneufarth


Posted: Fri Aug 31, 2018 2:22 am

May protect different LPARs from viewing certain datasets on shared DASD.

Google search on "why z/os encryption for datasets" revealed some applicable ideas/reasons.
All times are GMT + 6 Hours