The Encryption Facility for z/OS V1.1 (Program number: 5655-P97) applies the powerful encryption capabilities of the IBM mainframe to allow you to encrypt data to tape or disk, enabling sensitive information to be shared with your partners, suppliers and customers. Encryption Facility for z/OS consists of two priced optional features:
- The Encryption Services feature supports encrypting and decrypting certain file formats on z/OS. This can allow you to transfer them to remote sites within your enterprise, transfer them to partners and vendors, and archive them. This feature supports hardware-accelerated compression before encryption.
- The DFSMSdss Encryption feature enables the encryption of DFSMSdss dump data sets. This feature supports hardware-accelerated compression before encryption to tape.
Both features can use the state-of-the-art encryption and centralized key management capabilities provided by functions of z/OS and features of System z9 and zSeries servers to help secure data stored to tape and other removable media.
Encryption Services feature
The Encryption Services feature can allow you to encrypt data written to tape and other removable media. This can help you share sensitive information across platforms with partners, vendors, and customers. You can also use the Encryption Services feature to encrypt certain files for archival. This feature can use the z/OS key management and access authentication capabilities provided within the Integrated Cryptographic Services Facility (ICSF) and the hardware compression and the hardware cryptographic capabilities of System z9 and zSeries servers.
The Encryption Services feature supports data encryption using TDES triple-length keys or 128-bit AES keys. RSA public/private keys can be specified to wrap and unwrap the AES and TDES data keys used to encrypt the file. The wrapped keys are stored in a file header. With this technique, many files can be generated using different encryption keys, and each is expected to remain readable even after years of archived storage. The Encryption Services feature also supports using a password-based key derivation scheme.
The Encryption Services feature supports inputs from physical sequential input files, from members of partitioned data sets (PDS) and partitioned data set extended (PDSE) data sets, and from files stored in z/OS UNIX System Services file systems. It can optionally compress input files before encrypting them and writing the output files. Also, it can use the large block interface for output files written to tape, to help optimise performance and media space.
DFSMSdss Encryption feature
The DFSMSdss Encryption feature can allow you to encrypt DFSMSdss dump data sets written to tape and DASD. This feature is designed to use the z/OS key management and access authentication capabilities and the hardware cryptographic and compression capabilities of System z9 and zSeries servers.
DFSMSdss Encryption supports encryption of data using TDES triple-length keys or 128-bit AES keys. Like the Encryption Services feature, this feature supports the use of RSA public/private keys to wrap and unwrap the AES and TDES data keys used to encrypt files as well as AES and TDES key generation using a specified password. You can also specify that DFSMSdss is to compress data before encrypting it.
The DFSMSdss Encryption feature includes two functions, one to encrypt data while processing DUMP commands, and the other to decrypt it while processing RESTORE commands.
Encryption Facility for z/OS Client
The Encryption Facility for z/OS Client, a separately licensed program (which is offered as is, with no warranty), is written in Java and can be used on multiple platforms. It is designed to enable the exchange of encrypted data between z/OS systems that have the Encryption Facility installed and systems running on other platforms that provide the needed supported functions. The Encryption Facility for z/OS Client is designed to:
- Decrypt data that was created on a z/OS system using the Encryption Facility
- Encrypt data to be sent to a z/OS system, where the file will be decrypted using the Encryption Facility
Note: Data that is to be processed using the Encryption Facility Client cannot be created using compression.
Planned availability dates
- October 28, 2005: IBM Encryption Services feature
- October 28, 2005: Encryption Facility for z/OS Client (Web download)
- December 2, 2005: IBM DFSMSdss Encryption feature
Server and operating system requirements
The Encryption Facility for z/OS runs on the following IBM servers:
- System z9 109 (z9-109), or equivalent
- zSeries z900 or z990, or equivalent
- zSeries z800 or z890, or equivalent
The Encryption Facility for z/OS is supported on z/OS V1.4 and z/OS.e V1.4 and above.