This link contains a sample job:
https://www.ibm.com/support/pages/idcams-repro-encipher-decipher-different-keys
It contains sample jobs for both encrypt and decrypt (but the issue being discussed had to do with parity of their DES keys).
Except for the description of DATAKEYVALUE, it's not specifically stated, but IDCAMS only uses single DES keys:
DATAKEYVALUE(value) specifies the 8-byte value to be used as the plaintext data encrypting key to encipher the data.
So, no one should be using this technology today. I am pretty sure IBM maintains this support strictly for compatibility ... just in case someone used it to encrypt data ages ago.
Greg
------------------------------
Greg Boyd
Consultant
Mainframe Crypto
Winchester, VA 22603
240-772-1539
gregboyd@mainframecrypto.com
------------------------------
Original Message:
Sent: Wed September 22, 2021 12:12 PM
From: Colin Paice
Subject: Does anyone understand IDCAMS repro with encryption?
I'm not expecting anyone knows anything about this, as I think it is pre ICSF! (grin), but I thought I would ask.
I know the documentation is based on pre ICSF, but I can't get it to work. I raised a doc comment on https://www.ibm.com/docs/en/zos/2.4.0?topic=parameters-cryptographic but they did not seem able to fix the wording.
Has anyone any experience of using this?
I got stuck on you specify a key which is used to encipher the data encrypting key! ( I think it means the data is encrypted with an instance specific key. This key is then encrypted with the key you specify, and the value is stored in the header at the front of the repro data. If you specify NOSTOREDATAKEY it does not write it in the header, but writes to SYSPRINT after a successful encryption )
I looked in Getting Started with z/OS Data Set Encryption and could not find an example.
For example the doc has
ENCIPHER
specifies that the source data set is to be enciphered as it is copied to the target data set.
Abbreviation: ENCPHR
EXTERNALKEYNAME(keyname) | INTERNALKEYNAME(keyname) | PRIVATEKEY specifies whether you, PCF, or ICSF manages keys privately.
EXTERNALKEYNAME(keyname) specifies that PCF or ICSF manages keys. This parameter also supplies the 1-to-8 character key name of the external file key what does this mean? The CSF CKDS/PKDS? I think you have to use a short name in the CKDS/PKDS. I didn't think you could store External keys in the CKDS/PKDS
that is used to encipher the data encrypting key. Is this a data key, or a cipher key or another sort of key? The key is known only by the deciphering system. So how does the local end use it? Does it mean the public key? This is a key which encrypts the data encrypting key - really? - see my interpretation above. The key name and its corresponding enciphered data encrypting key are listed in SYSPRINT only if NOSTOREDATAKEY is specified. Not if there is a problem!
Are there any restrictions on what the keys can be ... e.g. RSA|ECC any strengths private|public|symmetric AES|DES? The doc below talks about private key - so I guess this is a PKI key
Abbreviation: EKN
INTERNALKEYNAME(keyname) specifies that PCF or ICSF manages keys. This parameter also supplies the 1-to-8 character key name of the internal file key that is used to encipher the data encrypting key. So is this the PKDS/CKDS or an internal dataset? The key is retained by the key-creating system. So is this saying it will create a key and save it in the key store, or it will use an existing key in a key store - and does not delete it? The key name and its corresponding enciphered data encrypting key will only be listed in SYSPRINT if NOSTOREDATAKEY is specified. Do you mean the key name and its corresponding enciphered data encrypting key will only be listed in SYSPRINT ONLY if NOSTOREDATAKEY is specified?
Abbreviation: IKN
PRIVATEKEY specifies that the key is to be managed by you. I don't understand this... how do I manage it - please give more information. Does this mean a private key stored in the PKCS/CKDS? Does it mean you use
regards
Colin
------------------------------
Colin Paice
------------------------------
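The reply at the top of this thread mentions DES key parity and the 8-byte DATAKEYVALUE. The following is an added example, not code from the thread or from IBM's documentation: it checks an 8-byte key written as 16 hex digits against the standard DES odd-parity convention and shows that only 56 of the 64 bits are key material. The function names and both sample keys are constructed for illustration.

```python
# Added example: DES odd-parity check for an 8-byte key given as 16 hex digits.
# Assumes the standard DES convention: the low-order bit of each key byte is an
# odd-parity bit, so only the upper 7 bits per byte (56 in total) are key material.

def _key_bytes(key_hex: str) -> bytes:
    key = bytes.fromhex(key_hex)
    if len(key) != 8:
        raise ValueError("a single-length DES key is exactly 8 bytes")
    return key

def parity_errors(key_hex: str) -> list[int]:
    """Return the offsets of key bytes that do not have odd parity."""
    return [i for i, b in enumerate(_key_bytes(key_hex))
            if bin(b).count("1") % 2 == 0]

def adjust_parity(key_hex: str) -> str:
    """Rewrite each byte's low-order bit so the byte has odd parity."""
    out = bytearray()
    for b in _key_bytes(key_hex):
        high7 = b & 0xFE
        out.append(high7 if bin(high7).count("1") % 2 else high7 | 1)
    return out.hex().upper()

def key_material(key_hex: str) -> int:
    """Return the 56 bits DES actually uses, with parity bits dropped."""
    bits = 0
    for b in _key_bytes(key_hex):
        bits = (bits << 7) | (b >> 1)
    return bits

if __name__ == "__main__":
    good = "0123456789ABCDEF"   # constructed sample, odd parity throughout
    bad = "0022456789ABCDEF"    # constructed sample, bytes 0 and 1 have even parity
    for k in (good, bad):
        print(k, "parity errors at offsets", parity_errors(k))
    print("adjusted:", adjust_parity(bad))
    print("same 56-bit key:", key_material(good) == key_material(bad))
```

Whether a given product rejects, adjusts, or accepts a key with bad parity is implementation-specific; the thread does not say which of these IDCAMS does.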