File encryption with a crypto password enables the content of a file to be protected against unauthorized access – also against people with the TSOS privilege and also against physical access to disks and backup tapes.
An encrypted file is created by converting a normal file using the ENCRYPT-FILE command. In the process the crypto password is defined and the encryption method set in the system parameter FILECRYP is transferred to the file’s catalog entry.
The DECRYPT-FILE command reconverts encrypted files to unencrypted format. This can only be done after the correct crypto password has been specified.
Crypto password
A crypto password is up to 8 characters long and is not case-sensitive.
To specify the access authorization for an encrypted file, the associated crypto password is entered in the local task crypto password table using the ADD-CRYPTO-PASSWORD command.
A crypto password is explicitly removed from the password table using the REMOVE-CRYPTO-PASSWORD command (otherwise implicitly when the session is terminated).
Keeping the specified crypto passwords in a safe place
Keeping the number of the used crypto passwords small. These include:
Always protect associated encryption files with the same crypto password (users: ENCRYPT-FILE with a reference file entry).
In addition to specific encrypted sample files, only allow encrypted files with the same crypto passwords as these sample files (system parameter FREFCRYP, see "Options for management via system parameters").
Working with encrypted files
In the event of homogeneous transfer of an encrypted file, the encrypted content is transferred one-to-one to a target file which has the same encryption attributes as the source file.
This homogeneous transfer is used for:
homogeneous COPY-FILE
saving and restoring (SAVE/RESTORE) with HSMS/ARCHIVE
migrating and recalling (MIGRATION/RECALL) with HSMS
exporting and importing with HSMS/ARCHIVE
moving files within an SM pubset to another volume set
homogeneous file transfer
Thus in the event of homogeneous transfer no decryption takes place, and no key and no crypto password are required. For transfer actions this means that in particular systems support can work in the same way with encrypted files as with unencrypted files.
The SECURITY section in the ENCRYPTION field of the SHOW-FILE-ATTRIBUTES command’s output displays whether a file is encrypted and, if so, with which encryption method (AES or DES). A file selection is offered in accordance with the values of the ENCRYPTION operand.
In the event of remote access via RFA, the ADD- and REMOVE-CRYPTO-PASSWORD commands are automatically forwarded to all connected RFA partner processes by the calling task.
DAB supports read caching of encrypted and unencrypted files, but not write caching. Read caching is advantageous for encrypted files in order to shorten the access times which are increased by the encryption method.
Restrictions and special aspects
The link to the openCrypt subsystem means that access to encrypted files is possible as of “System Ready”.
Job variables, tape files, EAM files, files on private disk and TSOS files on the home pubset are not encrypted.
Encrypted files cannot be printed. An encrypted file must first be decrypted.
Encrypted files have no read/execute password. However, they can have a write password and can also be combined with the other access control mechanisms.
It is not possible to modify the crypto password with the MODIFY-FILE-ATTRIBUTES command. Modifications to READ- or EXEC-PASSWORD are ignored.
When PAMCONV is used or the REPAIR-DISK-FILE command is invoked for an encrypted file, it is necessary to specify the crypto password.
Options for management via system parameters
FILECRYP
The system parameter FILECRYP determines the encryption method for conversion into an encrypted file using the ENCRYPT-FILE command. The encryption methods supported are AES (default) and DES.
With ENCRYPT-FILE the current value of the system parameter FILECRYP is taken over into the file’s encryption attributes.
When a file that has already been encrypted is accessed, the encryption method is not taken over from the system parameter FILECRYP, but from the file’s catalog entry.
A change to the system parameter FILECRYP only becomes effective for a file that was already encrypted at the time of the change when the file is decrypted and then encrypted again.
In the case of shared pubset mode with encrypted files, the selection of the particular encryption methods should be uniform in the system parameter FILECRYP of the systems involved.
FREFCRYP
The system parameter FREFCRYP is available for controlled assignment and limiting the number of the crypto passwords used. If not empty, it contains a selected user ID. It is then only possible for files from this user ID to be converted into encrypted files (ENCRYPT-FILE command) with free definition of a crypto password. To convert files from other user IDs, a reference file which is already encrypted must be specified. The set of crypto passwords used is thus limited to that of the encrypted files from the selected user ID.
PWACTIVE
The system parameter PWACTIVE is used to define the maximum number of crypto passwords which a crypto password table may contain. If the threshold value is reached, message DMS0691 is issued and no further crypto password can be entered for the current task before at least one of the crypto passwords in the crypto password table has been removed.
PWENTERD
The system parameter PWENTERD is used to define how many crypto passwords may be entered per task. If the threshold value is reached, message DMS0692 is issued and no further crypto password can be entered for the current task.
PWERRORS
The system parameter PWERRORS is used to define the maximum number of invalid crypto access attempts that are tolerated under a task. If the threshold value is reached, a SAT entry may be written, the message DMS0693 issued on the console and the task terminated abnormally.
PWPENTI
The system parameter PWPENTI is used to define the time penalty for the invalid crypto access attempts tolerated.
All the threshold values mentioned above apply both for the entry of crypto passwords and for the entry of file passwords (READ, WRITE, EXEC). In contrast to the file passwords, for whose entry privileged systems support possesses the special right to exceed the defined threshold values, no special rights are granted for the entry of crypto passwords.
Crypto password tables and crypto password counters are maintained separately from the file password tables and file password counters. If, for example, the maximum possible number of READ, WRITE and EXEC password entries under a task has been reached, further crypto passwords can be entered, and, by the same token, the same applies in this situation for file passwords.
The ENCRYPT parameter only applies for the encryption of file passwords, not for the encryption of crypto passwords. The latter are always stored in the crypto password table with one-off encryption.
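The PWACTIVE, PWENTERD and PWERRORS thresholds described above differ in what they count, which the following added Python model makes concrete; it is an illustration written for this page, not BS2000 code. The class and method names, the threshold values, the order in which the two entry thresholds are checked and the treatment of an access without a matching table entry as an invalid attempt are assumptions; the PWPENTI time penalty is not modeled.

```python
# Simplified model of the per-task password accounting (not BS2000 code).
from dataclasses import dataclass, field
@dataclass
class Counters:
    table: set = field(default_factory=set)  # active passwords (stored plain in this model)
    entered: int = 0                         # cumulative entries under the task
    errors: int = 0                          # invalid access attempts

@dataclass
class Task:
    pwactive: int
    pwenterd: int
    pwerrors: int
    privileged: bool = False                 # privileged systems support
    terminated: bool = False
    crypto: Counters = field(default_factory=Counters)   # kept separately from ...
    filepw: Counters = field(default_factory=Counters)   # ... the file password side

    def _add(self, c, password, exempt):
        if not exempt and len(c.table) >= self.pwactive:
            return "DMS0691"                 # table full until an entry is removed
        if not exempt and c.entered >= self.pwenterd:
            return "DMS0692"                 # entry budget of this task is used up
        c.table.add(password)
        c.entered += 1
        return "OK"
    def add_crypto_password(self, pw):       # no special rights, even if privileged
        return self._add(self.crypto, pw.upper(), exempt=False)
    def add_file_password(self, pw):         # privileged tasks may exceed thresholds
        return self._add(self.filepw, pw, exempt=self.privileged)
    def remove_crypto_password(self, pw):    # frees a table slot, not the PWENTERD count
        self.crypto.table.discard(pw.upper())
    def crypto_access(self, file_pw):        # access to a file encrypted with file_pw
        if file_pw.upper() in self.crypto.table:
            return "OK"
        self.crypto.errors += 1
        if self.crypto.errors >= self.pwerrors:
            self.terminated = True           # task is terminated abnormally
            return "DMS0693"
        return "DENIED"

def demo():
    t = Task(pwactive=2, pwenterd=3, pwerrors=2)   # constructed threshold values
    log = [t.add_crypto_password(p) for p in ("alpha", "beta", "gamma")]
    t.remove_crypto_password("ALPHA")              # matches "alpha": not case-sensitive
    log.append(t.add_crypto_password("gamma"))     # slot is free again
    t.remove_crypto_password("beta")
    log.append(t.add_crypto_password("delta"))     # slot free, but PWENTERD reached
    return log
```

Removing a password lifts a DMS0691 condition but never a DMS0692 condition, so a task that cycles through many crypto passwords runs out of entries even when its table is nearly empty.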
For further information on using encrypted files, please refer to the “Introductory Guide to DMS” [19].