What is the purpose of z/OS dataset encryption?

 
vasanthz

Global Moderator



Posted: Fri Aug 31, 2018 12:56 am    Post subject: What is the purpose of z/OS dataset encryption?

Hi, I think with z/OS 2.2 we have the optional feature of 'Dataset Encryption'.

This link - https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.idak100/encryption23.htm
says,
Quote:
With data set encryption, you are able to protect data residing on disk from being viewed by unauthorized users in the clear.

If the underlying hard disks are already hardware encrypted (let's say VMAX with back-end encryption), then why do we need dataset encryption?
Quote:
It also says "With z/OS data set encryption, you can encrypt data without requiring application changes."

I believe this means that any job/ISPF/program would be able to read the encrypted dataset unhindered, the same as the unencrypted version.
Then why do we need this? RACF already guards access requests from programs, JCL, etc.

We have not enabled dataset encryption yet, but are trying to understand its capability.
Simply put, how is it possible for someone to gain access to an unencrypted dataset and not to an encrypted dataset?

Regards,
Vasanth.S

Robert Sample

Global Moderator



Posted: Fri Aug 31, 2018 1:20 am    Post subject: Reply to: What is the purpose of z/OS dataset encryption?

Quote:
Simply put, how is it possible for someone to gain access to an unencrypted dataset and not to an encrypted dataset?
If you send data (such as a tape) offsite (to a disaster recovery facility, for example, or to an offsite storage company), data set encryption can protect that data even if it is stolen while travelling to or from the offsite location. If that tape is loaded on another system, it is not that hard to be able to read it (with or without standard labels) -- unless the data is encrypted. In such a case, RACF would not be doing anything to protect the tape data since it is on a completely different system without the RACF rules you're used to.
vasanthz

Global Moderator



Posted: Fri Aug 31, 2018 1:54 am

Thanks Robert, I understand to some extent how it applies to tape.
But would this still apply if the tapes are all virtual tapes and the underlying hard disks are hardware encrypted?
Even if someone breaks into a datacenter and steals a bunch of hard disks, they still would not be able to read them, since it's encrypted at the hard disk level.
It need not be at the dataset level, right?
dneufarth

Active User



Posted: Fri Aug 31, 2018 2:22 am

May protect different LPARs from viewing certain datasets on shared DASD.

Google search on "why z/os encryption for datasets" revealed some applicable ideas/reasons.
All times are GMT + 6 Hours

 
