Encryption Facility for z/OS

The Encryption Facility for z/OS (Program number: 5655-P97), first introduced in 2005, is a host-based software solution designed to encrypt sensitive data before transferring it to tape for archival purposes or business partner exchange. In addition to writing encrypted data to tape, the Encryption Facility for z/OS can also be used to produce encrypted data written to disk and other removable media.

Encryption Facility for z/OS consists of two priced optional features:

  • The Encryption Services feature supports encrypting and decrypting certain file formats on z/OS. This can allow you to transfer them to remote sites within your enterprise, transfer them to partners and vendors, and archive them. The Encryption Services feature supports both the System z format (originally introduced in Encryption Facility for z/OS V1.1) and the OpenPGP format (new with Encryption Facility for z/OS V1.2). The System z format supports hardware-accelerated compression before encryption.
  • The DFSMSdss Encryption feature enables the encryption of DFSMSdss dump data sets. This feature supports hardware-accelerated compression before encryption to tape.

Also available is the IBM Encryption Facility for z/OS Client. The Encryption Facility for z/OS Client is a no-cost, separately licensed program (offered as is, with no warranty) designed to enable the exchange of encrypted data between z/OS systems that have the Encryption Facility installed and systems running on z/OS and other platforms that need the supported functions.

The Encryption Facility for z/OS Client consists of the following:

  • Java-based Client. The Java-based Client can be used on z/OS and on any platform that supports Java. It supports both the decryption of data that was created on a z/OS system using the Encryption Facility System z format and the encryption of data to be sent to a z/OS system, where the file will be decrypted using the Encryption Facility System z format.
    Data that is to be processed using the Java-based Client cannot be created using compression.
  • Decryption Client for z/OS. The Decryption Client for z/OS is supported on z/OS systems only. The Decryption Client for z/OS supports decryption of data that was created on a z/OS system using the Encryption Facility System z format. Data that is to be processed using the Decryption Client for z/OS can be created using compression. The Decryption Client does not support data encryption for the return trip. This option may have performance benefits and require less media for exchange purposes but does not allow your business partner to return the data to you in an encrypted format.

Encryption Facility for z/OS V1.2

With Encryption Facility for z/OS V1.2 the Encryption Services feature has been enhanced to support the OpenPGP standard, RFC 4880 (requires PTF UA67855). OpenPGP is a standard protocol for ensuring the integrity of data that can be exchanged between trusted partners. It defines the following requirements and suggested practices for data integrity:

  • Digital signatures for partner authentication and to help ensure that a transferred message has been sent by the party claiming to have sent the message (non-repudiation).
  • Data encryption using a randomly generated symmetric session key. The randomly generated session key is encrypted with public key or passphrase-based encryption and prefixed to the encrypted data.
  • OpenPGP certificates for the exchange of key information that can provide the data integrity service.

OpenPGP support

The Encryption Facility for OpenPGP support is intended to provide you with even more choice and flexibility for doing business partner data exchanges -- giving you the ability to leverage one or more of these options for handling business partner data exchanges. You now have the flexibility to choose the option that best suits your needs, and some of these options do not require your business partners to purchase new storage hardware, have a mainframe, or run z/OS.

The Encryption Facility for OpenPGP support is designed to comply with the OpenPGP standard requirements and to be compatible with other products that are OpenPGP (RFC 4880) compliant. This support allows you to exchange an encrypted, compressed, and/or digitally signed file between your internal data centers using the Encryption Facility for OpenPGP support and your external business partners and vendors who have an installed OpenPGP (RFC 4880) compliant client running on z/OS or other operating systems. The Encryption Facility for OpenPGP support includes the mandatory ("MUST") requirements identified in the OpenPGP standard (RFC 4880).

The Encryption Facility for OpenPGP support includes, but is not limited to:

  • Passphrase-based encryption of the session key
  • Digital signatures of data
  • Importing/exporting of OpenPGP certificates (V3 and V4 certificates can be imported; only V4 certificates can be exported, unless exporting an imported V3 key)
  • RSA¹, ElGamal, and DSA¹ key generation
  • Use of partial data packets
  • ASCII Armor for OpenPGP certificates
  • Data encryption with a randomly generated symmetric session key using AES 128¹, 192, and 256 bit keys, Triple-DES¹, and Blowfish algorithms²
  • Symmetric encryption of randomly generated symmetric session key using AES 128¹, 192, and 256 bit keys, Triple-DES¹, and Blowfish algorithms²
  • Asymmetric encryption of randomly generated symmetric keys using RSA¹ and ElGamal algorithms
  • Compression using the ZIP and ZLIB algorithms, leveraging zEnterprise Data Compression (zEDC) when available³
  • Digest/Hash using SHA-1¹, MD5¹, MD2¹, SHA-256¹, SHA-384, SHA-512 algorithms
  • Digital Signature using DSA with SHA-1¹ and RSA (with all supported hashes listed above)¹ algorithms

Notes:

  1. These functions can leverage the Integrated Cryptographic Services Facility (ICSF) and H/W cryptography. H/W cryptography requires the correct environment and may require a Cryptographic module to be installed.
  2. The symmetric algorithms are not fully implemented in the H/W. The symmetric algorithms listed require an update to ICSF that will be provided with general availability of Encryption Facility for z/OS V1.2.
  3. The zEnterprise Data Compression (zEDC) requires the zEDC Express feature (FC#0420) and zEC12 (with Driver 15E) or zBC12 with one coprocessor per PCIe I/O feature. This support also requires the IBM 31-bit SDK for z/OS, Java Technology Edition, Version 7 Release 1 or later and z/OS V2.1 with the zEDC for z/OS feature.

Encryption Facility for OpenPGP is also able to leverage X.509 standards for public key infrastructure (PKI) to extend the basis of trust for OpenPGP environments. Encryption Facility for OpenPGP also allows you to leverage the existing security facilities of z/OS to help provide a security-rich and scalable OpenPGP client.

For example, with Encryption Facility for OpenPGP you can do the following:

  • Use as input or output HFS/zFS files or z/OS partitioned (PDS and PDS/E) or sequential data sets
  • Perform cryptographic acceleration with certain kinds of System z hardware
  • Use Security Server Resource Access Control Facility (RACF) and ICSF key repositories

To implement Encryption Facility for OpenPGP services, you must use the IBM Java Development Kit.

With the addition of the Encryption Facility for OpenPGP support in V1.2, you now have two formats to choose from for handling your encryption needs when doing business partner data exchanges or for data exchanges within your own enterprise. The Encryption Facility System z format, first introduced in the Encryption Services feature in Encryption Facility for z/OS V1.1, continues to be provided in the Encryption Services feature in V1.2. Note that the functions and services supported by the Encryption Facility for OpenPGP format are not compatible with the functions and services of the Encryption Facility System z format. Both the Java-based Client and Decryption Client for z/OS support the System z format only.

The Encryption Facility for OpenPGP format support will consume more central processor (CP) capacity than the Encryption Facility System z format support. It can be configured to leverage multiple CPs via increased parallel processing. The impact of the increased CPU utilization for the Encryption Facility for OpenPGP format support can be reduced with the introduction of zAAP processors. Since the OpenPGP format support is written in Java, all of the workload will be zAAP enabled and eligible. Thus for certain configurations, such as four or more online CPUs, the OpenPGP support's elapsed time for a task may compare favorably to that of the Encryption Facility System z format support.

In summary, both formats can use the same z/OS centralized key management and allow the use of public/private key pairs or passphrases to help secure the data exchange between partners. The Encryption Facility System z format is likely more suitable for data exchanges when System z processor activity is a key consideration. The Encryption Facility OpenPGP format may be better suited when interoperability with your business partners is a key consideration. You will want to review the business partner data exchange options with your business partners to determine the most suitable options.

Recent Encryption Facility Updates:

  • A new command, -compress, is added that compresses data in the OpenPGP message format without having to also encrypt or sign the data
  • zEDC HW Accelerated Compression
    • With PTF UA72250, Encryption Facility for z/OS has been enhanced to support zEnterprise Data Compression (zEDC) for OpenPGP messages. zEDC will be used for compression when a zEDC feature is available on the system and when using IBM 31-bit SDK for z/OS, Java Technology Edition, Version 7 Release 1 or later, with z/OS 2.1
  • RFC 4880 Compatibility
    • RFC 4880 replaced RFC 2440 as the latest standard for the OpenPGP Message Format
  • Supports Latest Java Releases
    • Provides additional compatibility for the IBM 31-bit SDK for z/OS, Java Technology Edition Version 7 (5655-W43)
  • Speculative Key ID Support
    • Allows users to zero out the Key ID fields in their OpenPGP messages, which helps prevent unauthorized users from obtaining the user's public key ID
  • New Batch Key Generation/Public Key Export Commands
    • The key generation and public key export commands can now be run as batch jobs, eliminating the need for manual user input
  • Enhanced Symmetrically Encrypted Integrity Protected Data Packet Support
    • Allows for multiple Public Key Encrypted Session Key Packets preceding a Symmetrically Encrypted Integrity Protected Data Packet
    • Allows for multiple recipients to be specified when using the Symmetrically Encrypted Integrity Protected Data Packet
    • Allows for digital signatures to be generated by OpenPGP certificate sub-keys
  • Notation Data Sub-Packets Containing Raw Binary Data Support
    • Previously only supported Notation Data Sub-Packets containing 'name' and 'value' data sections in UTF-8 human-readable text format
  • The latest level of Encryption Facility is available with APAR OA44304 (PTF UA73009)
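As an added illustration of the OpenPGP message layout the updates above refer to (several Public Key Encrypted Session Key packets preceding one Symmetrically Encrypted Integrity Protected Data packet, and zeroed "speculative" key IDs), the following Python walks the RFC 4880 packet headers of a message and reports which recipient key IDs an observer can read. It is not IBM's code, and the message bytes are constructed for the example.

```python
PKESK, SEIPD = 1, 18            # RFC 4880 packet tags (sections 5.1 and 5.13)
WILDCARD_KEY_ID = "00" * 8      # zeroed key ID: the recipient is not named (section 5.1)

def read_header(buf, pos):
    """Parse one packet header at buf[pos]; return (tag, body_start, body_len)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if first & 0x40:                                   # new-format header (4.2.2)
        tag, b1 = first & 0x3F, buf[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + buf[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled in this example")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header (4.2.1)
    if ltype == 3:
        raise ValueError("indeterminate length is not handled in this example")
    size = 1 << ltype                                  # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def inspect_message(buf):
    """Return (key IDs of the PKESK packets, whether a SEIPD packet follows them)."""
    pos, key_ids, seipd_seen = 0, [], False
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        body = buf[start:start + length]
        if tag == PKESK:
            if seipd_seen or body[0] != 3:             # PKESK is version 3 and precedes SEIPD
                raise ValueError("unexpected PKESK packet at offset %d" % pos)
            key_ids.append(body[1:9].hex())            # 8-octet key ID follows the version
        elif tag == SEIPD:
            seipd_seen = True
        pos = start + length
    return key_ids, seipd_seen

def named_recipients(key_ids):
    """Key IDs readable by anyone holding the message; zeroed IDs reveal nothing."""
    return [k for k in key_ids if k != WILDCARD_KEY_ID]

# Constructed sample message: two PKESK packets (one naming an RSA key, one with a
# zeroed key ID), then a SEIPD packet whose "ciphertext" is dummy bytes.
SAMPLE = bytes.fromhex(
    "c10d03 0123456789abcdef 01 0008ab"    # PKESK v3, key ID, RSA (algo 1), short MPI
    "c10d03 0000000000000000 01 0008ab"    # PKESK v3 with speculative (zeroed) key ID
    "d205 01 deadbeef"                     # SEIPD v1 followed by constructed bytes
)
```

Running `inspect_message(SAMPLE)` yields both key IDs and confirms the SEIPD packet; `named_recipients` then shows that only the first recipient is identifiable from the message itself.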

Availability dates

  • October 28, 2005: IBM Encryption Services feature
  • October 28, 2005: Encryption Facility for z/OS Client V1.1 (Web download — No longer available)
  • December 2, 2005: IBM DFSMSdss Encryption feature
  • June 20, 2006: Encryption Facility for z/OS Client V1.2 (Web download)
  • March 16, 2007: Encryption Facility for z/OS V1.2

Machine Requirements

IBM Encryption Facility for z/OS Version 1.2 runs on System z mainframes that are currently in service. As System z mainframe processor levels go out of service, Encryption Facility will no longer be supported with those levels and the user must upgrade to a level that is still in service.

Software Requirements

IBM Encryption Facility has the following software requirements:

  • z/OS
  • IBM 31-bit SDK for z/OS, Java Technology Edition
  • Integrated Cryptographic Services Facility (ICSF)

The minimum service levels for these software programs are V1.12 (5694-A01) or later for z/OS, V6 (5655-R31) or later for IBM 31-bit SDK for z/OS, and FMID HCR7770 or later for Integrated Cryptographic Services Facility. As service levels for each software program go out of service, Encryption Facility will no longer be supported with those levels and the user must upgrade to a service level that is still in service.

For a list of currently supported z/OS releases, please refer to this page:
     http://www-03.ibm.com/systems/z/os/zos/support/zos_eos_dates.html

For more details see the Encryption Facility for z/OS V1.2 announcement letter.
