The Encryption Facility for z/OS (Program number: 5655-P97), first
introduced in 2005, is a host-based software solution designed to encrypt
sensitive data before it is transferred to tape for archival purposes or
business partner exchange.
In addition to writing encrypted data to tape, the Encryption Facility
for z/OS can also be used to produce encrypted data written to disk and
other removable media.
Encryption Facility for z/OS consists of two
priced optional features:
- The Encryption Services feature supports
encrypting and decrypting certain file formats on z/OS.
This can allow you to transfer them to remote sites within your
enterprise, transfer them to
partners and vendors, and archive them.
The Encryption Services feature supports both the System z format
(originally introduced in
Encryption Facility for z/OS V1.1) and the OpenPGP format (new with
Encryption Facility for z/OS V1.2).
The System z format supports hardware-accelerated compression before
encryption.
- The DFSMSdss Encryption feature enables the
encryption of DFSMSdss dump data sets.
This feature supports hardware-accelerated compression before
encryption to tape.
Also available is the IBM Encryption Facility for z/OS Client.
The Encryption Facility for z/OS Client is a no-cost, separately
licensed program (offered as is, with no warranty) designed to enable the
exchange of encrypted data between z/OS systems that have the Encryption
Facility installed and systems, on z/OS or other platforms, that need the
supported functions.
The Encryption Facility for z/OS Client consists
of the following:
- Java-based Client. The Java-based Client can be used on z/OS and on
any platform that supports Java.
It supports both decryption of data that was created on a z/OS system
using the Encryption Facility System z format and encryption of data to
be sent to a z/OS system, where the file will be decrypted using the
Encryption Facility System z format.
Data that is to be processed with the Java-based Client must not be
created with compression.
- Decryption Client for z/OS. The Decryption Client for z/OS is
supported on z/OS systems only.
It supports decryption of data that was created on a z/OS system using
the Encryption Facility System z format, and that data may be created
with compression.
The Decryption Client does not support data encryption for the return
trip.
This option may have performance benefits and require less media for
exchange purposes, but it does not allow your business partner to return
the data to you in an encrypted format.
Encryption Facility for z/OS V1.2
With Encryption Facility for z/OS V1.2 the Encryption Services feature
has been enhanced to support the OpenPGP standard, RFC 4880. OpenPGP is a
standard message format for protecting the confidentiality, integrity,
and authenticity of data exchanged between trusted partners. It defines
the following services:
- Digital signatures for partner authentication, to help ensure that a
transferred message was sent by the party claiming to have sent it and
was not altered in transit (integrity and non-repudiation).
- Data encryption using a randomly generated symmetric session key.
The session key is encrypted with public-key or passphrase-based
encryption and carried in a session-key packet that is prefixed to the
encrypted data packet.
- OpenPGP certificates (transferable public keys) for exchanging the key
material on which the signature and encryption services depend.
OpenPGP support
The Encryption Facility for OpenPGP support is intended to give you more
choice and flexibility for business partner data exchanges: you can use
one or more of these options for handling such exchanges and choose the
one that best suits your needs.
Some of these options do not require your business partners to purchase
new storage hardware, have a mainframe, or run z/OS.
The Encryption Facility for OpenPGP support is designed to comply with
the OpenPGP standard and to interoperate with other OpenPGP (RFC 4880)-
compliant products.
This support allows you to exchange an encrypted, compressed, and/or
digitally signed file between your internal data centers, and with
external business partners and vendors who have an OpenPGP (RFC 4880)-
compliant client installed on z/OS or on other operating systems.
The Encryption Facility for OpenPGP support implements the mandatory
(MUST) requirements identified in RFC 4880.
The Encryption Facility for OpenPGP support includes, but is not limited
to:
- Passphrase-based encryption of the session key
- Digital signatures of data
- Importing and exporting of OpenPGP certificates (V3 and V4 keys can be
imported; only V4 keys are exported, unless the key being exported was
imported as a V3 key)
- RSA¹, ElGamal, and DSA¹ key generation
- Use of partial data packets
- ASCII Armor for OpenPGP certificates
- Data encryption with a randomly generated symmetric session key using
AES with 128¹, 192, and 256-bit keys, Triple-DES¹, and Blowfish²
algorithms
- Symmetric encryption of the randomly generated session key using AES
with 128¹, 192, and 256-bit keys, Triple-DES¹, and Blowfish² algorithms
- Asymmetric encryption of the randomly generated session key using RSA¹
and ElGamal algorithms
- Compression using ZIP and ZLIB algorithms
- Digest/Hash using SHA-1¹, MD5¹, MD2¹, SHA-256¹, SHA-384, and SHA-512
algorithms (RFC 4880 deprecates MD5 and keeps the MD2 identifier only as
reserved; treat both as legacy, for verifying old signatures only, and do
not use them when producing new signatures)
- Digital signature using DSA with SHA-1¹ and RSA (with all supported
hashes listed above)¹ algorithms
Notes:
¹ These functions can leverage the Integrated Cryptographic Services
Facility (ICSF) and hardware cryptography.
Hardware cryptography requires the correct environment and may require a
cryptographic module to be installed.
² The symmetric algorithms are not fully implemented in the hardware.
The symmetric algorithms listed require an update to ICSF that will be
provided with general availability of Encryption Facility for z/OS V1.2.
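The packet layout described earlier (a session-key packet prefixed to the encrypted data) and the "partial data packets" item in the list above, as an added example that is not part of the original page and is not IBM Encryption Facility code: a minimal Python walker over an RFC 4880 packet stream. It parses old- and new-format packet headers including partial body lengths, decodes the symmetric-key session-key packet (SKESK) to show which cipher and string-to-key hash a sender used, and flags the hash identifiers RFC 4880 deprecates. The message bytes are constructed inside the block; the "encrypted" payload is filler, and no encryption or key derivation is performed.

```python
"""Walk an OpenPGP (RFC 4880) packet stream and decode its session-key packet.

Added example for this page, not IBM Encryption Facility code; it performs no
cryptography. It shows a SKESK packet (tag 3) prefixed to a SEIPD packet
(tag 18), with the data packet sent using partial body lengths (RFC 4880,
section 4.2.2.4). The sample message is constructed below with filler bytes.
"""
import struct

# Algorithm identifiers, RFC 4880 section 9.
SYMMETRIC = {2: "Triple-DES", 4: "Blowfish", 7: "AES-128", 8: "AES-192", 9: "AES-256"}
HASHES = {1: "MD5", 2: "SHA-1", 5: "MD2", 8: "SHA-256", 9: "SHA-384", 10: "SHA-512"}
DEPRECATED_HASHES = {1, 5}   # RFC 4880 deprecates MD5; ID 5 (MD2 in RFC 2440) is reserved
PACKET_NAMES = {1: "PKESK", 2: "Signature", 3: "SKESK", 8: "Compressed",
                11: "Literal", 18: "SEIPD"}


def _new_format_length(data, pos):
    """Decode one new-format length field; return (length, is_partial, next_pos)."""
    o1 = data[pos]
    if o1 < 192:
        return o1, False, pos + 1
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, False, pos + 2
    if o1 < 255:
        return 1 << (o1 & 0x1F), True, pos + 1          # partial body length
    return struct.unpack(">I", data[pos + 1:pos + 5])[0], False, pos + 5


def parse_packets(data: bytes) -> list:
    """Split a packet stream into dicts: tag, name, body, chunks (partial lengths seen)."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos}: bit 7 of the packet tag octet must be set")
        pos += 1
        body, chunks = bytearray(), 0
        if ctb & 0x40:                            # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            while True:
                length, partial, pos = _new_format_length(data, pos)
                if pos + length > len(data):
                    raise ValueError(f"offset {pos}: length {length} overruns input")
                body += data[pos:pos + length]
                pos += length
                if not partial:                   # final chunk has a non-partial length
                    break
                chunks += 1
        else:                                     # old format: tag bits 5..2, length type 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, pos = data[pos], pos + 1
            elif ltype == 1:
                length, pos = struct.unpack(">H", data[pos:pos + 2])[0], pos + 2
            elif ltype == 2:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:                                 # indeterminate: body runs to end of input
                length = len(data) - pos
            if pos + length > len(data):
                raise ValueError(f"offset {pos}: length {length} overruns input")
            body += data[pos:pos + length]
            pos += length
        packets.append({"tag": tag, "name": PACKET_NAMES.get(tag, f"tag{tag}"),
                        "body": bytes(body), "chunks": chunks})
    return packets


def parse_skesk(body: bytes) -> dict:
    """Decode a version 4 SKESK body (RFC 4880 section 5.3): cipher and S2K specifier."""
    if body[0] != 4:
        raise ValueError(f"unsupported SKESK version {body[0]}")
    cipher_id, s2k_type, hash_id = body[1], body[2], body[3]
    info = {"cipher": SYMMETRIC.get(cipher_id, f"id{cipher_id}"), "s2k_type": s2k_type,
            "hash": HASHES.get(hash_id, f"id{hash_id}"), "weak_hash": hash_id in DEPRECATED_HASHES}
    if s2k_type in (1, 3):                        # salted / iterated-and-salted: 8-octet salt
        info["salt"] = body[4:12]
    if s2k_type == 3:                             # iteration count is coded in one octet (3.7.1.3)
        c = body[12]
        info["count"] = (16 + (c & 15)) << ((c >> 4) + 6)
    return info


def encode_length(n: int) -> bytes:
    """New-format one-, two- or five-octet length for a final (non-partial) chunk."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def build_sample_message() -> bytes:
    """Constructed SKESK + SEIPD stream: AES-256, iterated S2K with SHA-256, partial data."""
    salt = bytes(range(1, 9))                                  # constructed, not random
    skesk_body = bytes([4, 9, 3, 8]) + salt + bytes([0x60])    # v4, AES-256, S2K type 3, SHA-256
    skesk = bytes([0xC0 | 3]) + encode_length(len(skesk_body)) + skesk_body
    payload = bytes([1]) + b"\xAA" * 811                       # SEIPD v1 + 811 filler octets
    first, rest = payload[:512], payload[512:]                 # first partial chunk must be >= 512
    seipd = bytes([0xC0 | 18, 0xE0 | 9]) + first + encode_length(len(rest)) + rest
    return skesk + seipd


def describe(data: bytes) -> list:
    """One line per packet; a cheap sanity check of a received file before decryption."""
    lines = []
    for p in parse_packets(data):
        line = f"{p['name']} ({p['tag']}), {len(p['body'])} octets, {p['chunks']} partial chunks"
        if p["tag"] == 3:
            s = parse_skesk(p["body"])
            line += f": {s['cipher']}, S2K {s['hash']}" + (" [deprecated hash]" if s["weak_hash"] else "")
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in describe(build_sample_message()):
        print(line)
```

Run directly, the block prints one line per packet of the constructed message. The same walk is useful on a binary (non-armored) file received from a partner: it shows whether the session key was protected by a passphrase (SKESK) or a public key (PKESK, tag 1, reported by tag but not decoded here), which cipher the sender chose, and whether a legacy hash appears in the string-to-key specifier, all before any key material is touched.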
Encryption Facility for OpenPGP is also able to leverage X.509
standards for public key infrastructure (PKI)
to extend the basis of trust for OpenPGP environments.
Encryption Facility for OpenPGP also allows you to leverage the
existing security facilities of z/OS to help
provide a security-rich and scalable OpenPGP client.
For example, with Encryption Facility for OpenPGP
you can do the following:
- Use as input or output HFS/zFS files or z/OS
partitioned (PDS and PDS/E) or sequential data sets
- Perform cryptographic acceleration with certain
kinds of System z hardware
- Use Security Server Resource Access Control
Facility (RACF) and ICSF key repositories
To implement Encryption Facility for OpenPGP services, you must use the
IBM Java Development Kit.
With the addition of the Encryption Facility for
OpenPGP support in V1.2, you now have two formats
to choose from for handling your encryption needs when doing business
partner data exchanges or for
data exchanges within your own enterprise.
The Encryption Facility System z format, first introduced in the
Encryption Services feature in
Encryption Facility for z/OS V1.1, continues to be provided in the
Encryption Services feature in V1.2.
Note that the Encryption Facility for OpenPGP format and the Encryption
Facility System z format are not interoperable: a file produced in one
format cannot be processed by the functions and services of the other.
Both the Java-based Client and the Decryption Client for z/OS support the
System z format only.
The Encryption Facility for OpenPGP format support consumes more
general-purpose processor (CP) time than the Encryption Facility System z
format support.
It can be configured to use multiple CPs through increased parallel
processing.
The impact of the increased CPU utilization of the OpenPGP format support
can be reduced with zAAP processors.
Because the OpenPGP format support is written in Java, all of its
workload is zAAP-eligible.
Thus for certain configurations, such as four or more online CPUs, the
OpenPGP support's elapsed time for a task may compare favorably to that
of the Encryption Facility System z format support.
In summary, both formats can use the same z/OS centralized key
management and allow public/private key pairs or passphrases to be used
to help secure the data exchange between partners.
The Encryption Facility System z format is likely more suitable when
System z processor consumption is a key consideration.
The Encryption Facility OpenPGP format may be better suited when
interoperability with your business partners is a key consideration.
Review the data exchange options with your business partners to
determine the most suitable one.
Planned availability dates
- October 28, 2005: IBM Encryption Services
feature
- October 28, 2005: Encryption Facility for z/OS
Client V1.1 (Web download — No longer available)
- December 2, 2005: IBM DFSMSdss Encryption
feature
- June 20, 2006:
Encryption
Facility for z/OS Client V1.2 (Web download)
- March 16, 2007: Encryption Facility for z/OS
V1.2
Server and operating system requirements
The Encryption Facility for z/OS runs on the following IBM servers:
- System z9 EC (or z9-109), or equivalent
- System z9 BC, or equivalent
- zSeries z900 or z990, or equivalent
- zSeries z800 or z890, or equivalent
Encryption Facility for z/OS V1.2 is supported on:
- z/OS V1.6 or higher
- z/OS.e V1.6 through z/OS.e V1.8
For more details see the
Encryption
Facility for z/OS V1.2 announcement letter.