Db2 for z/OS and its ecosystem

Now available in Db2 12: Db2 for z/OS support for z/OS data set encryption

By Paul McWilliams posted Mon December 09, 2019 02:23 PM

  

This Db2 for z/OS News from the Lab blog entry was originally published on 2018-04-30.

By Jim Pickel, Gayathiri Chandran, and Emily Alameida.

In both Db2 11 and Db2 12 for z/OS, we recently introduced support for z/OS DFSMS data set encryption, part of the Pervasive Encryption for IBM Z solution, to address the problem of access to data by unauthorized internal personnel. With DFSMS data set encryption, you can encrypt your data without application outages. Using this solution can significantly reduce the people and hardware costs associated with protecting data and achieving compliance mandates.




Db2 12 function level 502 (V12R1M502) introduces new Db2 policy controls for DFSMS data set encryption. DFSMS data set encryption requires a key label to encrypt and decrypt the data. The key label is a string from 1 to 64 bytes that identifies a protected data key in the ICSF key repository. Function level 502 introduces enhancements to the Db2 system that make setting and viewing key label information easier and more integrated with the data sets associated with the catalog, directory objects, user objects, and active and archive logs.

All Db2 12 function levels support DFSMS data set encryption, assuming that APARs PI90288 and PI97037 are applied. However, to use the new policy controls, you must activate function level 502, which also requires that you update the Db2 catalog to catalog level 502. Applications that use any new SQL syntax must also run at the appropriate application compatibility level, APPLCOMPAT(V12R1M502).

To implement the new encryption features, your security administrator, storage administrator, or database administrator enables z/OS DFSMS data set encryption on your Db2 12 data sets.

You can plan for data set encryption and estimate the costs of using DFSMS data set encryption by using the free zBNA tool. Also, the Db2 statistics trace is enhanced to report CPU time, which you can use when planning which data sets to encrypt to get the best balance between performance and encryption.

You can protect all your Db2 system-managed and user-managed objects with DFSMS data set encryption, including:

  • Active logs, and archive logs on DASD
  • Catalog and directory, and indexes on the catalog
  • User table spaces and indexes
  • Most utility data sets, including temporary work files, data files for loading and unloading, and image copy data sets. However, data sets used for sorting cannot be encrypted.

After the data sets are encrypted, you can run SQL statements and utilities with confidence that your data is protected.

Related information

z/OS: Using the z/OS data set encryption enhancements


Gayathiri Chandran and Jim Pickel are Db2 for z/OS developers, and Emily Alameida is a technical writer for Db2 for z/OS.




