IBM Z® Support for Encryption

Adabas Encryption is based on z/OS Dataset Encryption, which provides for the encryption of datasets on DASD. z/OS Dataset Encryption was originally introduced (in 2017) for VSAM extended format datasets and extended format sequential datasets and later (in 2020) extended to basic format and large format sequential datasets, as well as datasets that are read and written directly using Execute Channel Program (EXCP, a low-level I/O interface).

z/OS Dataset Encryption encrypts datasets on DASD configured as 3390-type devices. Encrypted datasets must be managed by DFSMS.

A dataset is either fully encrypted or fully unencrypted. The same encryption attributes, that is, the encryption key, encryption algorithm and associated parameters, apply to the entire dataset. For the encryption, DFSMS uses AES with 256-bit keys in XTS mode. Encryption and decryption are performed by the access method (or by EXCP processing) below the application, so a program reading or writing an encrypted dataset sees clear data and needs no change; what it needs is the right to use the key.

An existing dataset cannot be changed from “unencrypted” to “encrypted,” or vice versa. Rather, a new dataset must be created with the desired encryption attributes, and the data must be migrated from the existing dataset to the new one. The same applies if a dataset encrypted with one key must be encrypted with another key or must not be encrypted anymore.

Encryption keys and their associated encryption algorithms and parameters are defined in the Integrated Cryptographic Service Facility (ICSF) and stored in its cryptographic key data set (CKDS). Each key is associated with and identified by a key label, a name for the encryption key and its associated parameters by which the key can be referred to outside ICSF, for example in JCL or in a RACF profile. Use of a key label is itself controlled by RACF, through a profile in the CSFKEYS class: a user who is authorized to the dataset but not to its key label cannot open the dataset. This is what separates the storage administrator, who manages the dataset as a container, from the users who may read its contents.
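The following batch job is an added example of the RACF side of a key label; it is not taken from the Adabas or IBM documentation. The key label DATASET.ADABAS.PROD.KEY01, the groups ADANUC and STGADMIN and the job card are hypothetical. It assumes that an ICSF administrator has already generated a secure AES key in the CKDS under that label, and that the CSFKEYS class is active and RACLISTed on the system.

```jcl
//RACFKEY  JOB (ACCT),'KEY LABEL ACCESS',CLASS=A,MSGCLASS=X
//*
//* Hypothetical example: control who may use the ICSF key label
//* DATASET.ADABAS.PROD.KEY01 for dataset encryption. The AES key
//* itself is assumed to exist in the CKDS already; RACF only
//* protects the label that refers to it.
//*
//* RDEFINE: protect the label with UACC(NONE) so nobody can use it
//*   unless permitted. The ICSF segment allows the secure key to be
//*   rewrapped as a CPACF protected key, which dataset encryption
//*   relies on for bulk encryption.
//* PERMIT ADANUC: the Adabas nucleus and utilities run under this
//*   group and are the only users allowed to open datasets
//*   encrypted under this label.
//* PERMIT STGADMIN: storage administrators keep ALTER on the
//*   datasets for space management but get no access to the key,
//*   so they cannot read the contents. UACC(NONE) already excludes
//*   them; the explicit NONE documents the intent and survives a
//*   later change of UACC.
//* SETROPTS: make the new profile and permits effective.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CSFKEYS DATASET.ADABAS.PROD.KEY01 UACC(NONE) +
     ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT DATASET.ADABAS.PROD.KEY01 CLASS(CSFKEYS) +
     ID(ADANUC) ACCESS(READ)
  PERMIT DATASET.ADABAS.PROD.KEY01 CLASS(CSFKEYS) +
     ID(STGADMIN) ACCESS(NONE)
  SETROPTS RACLIST(CSFKEYS) REFRESH
/*
```

Check the result with `RLIST CSFKEYS DATASET.ADABAS.PROD.KEY01 AUTHUSER ICSF`: the access list should show only ADANUC with READ, and the ICSF segment should show SYMCPACFWRAP and SYMCPACFRET as YES. Without that segment the profile protects the label, but an OPEN of an encrypted dataset under it fails because the key cannot be made available to CPACF.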

When a new dataset is created, whether a key label is specified, and which one, decides whether and with which key the dataset will be encrypted; a dataset created without any key label in effect is not encrypted. There are three ways to specify a key label. In the order of precedence, these are:

  1. In the RACF profile for the dataset: The key label can be specified in the DFP segment of the profile. It applies to all new datasets with names that match the profile.

  2. In the JCL: The key label can be specified in the DSKEYLBL parameter of the DD statement. This takes effect only if no key label is derived from the RACF profile for the dataset. Equivalent parameters exist for the other ways to create a dataset: the KEYLABEL parameter of IDCAMS DEFINE, the DALDKYL text unit of dynamic allocation, and the key label field of the ISPF allocation panel.

  3. In the SMS policy: The key label can be specified in the data class applicable to the dataset. This takes effect if no key label is derived from the RACF profile or specified in the JCL.
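The job below is an added example (not from the Adabas or IBM documentation) that puts the precedence rules and the migration procedure together: it assigns a key label through the RACF DFP segment, allocates one dataset that inherits that label and one that gets its label from the JCL, copies an existing clear dataset into the encrypted one, and verifies the result with LISTCAT. All dataset names, key labels, storage classes and the job card are hypothetical; the generic profile PROD.ADABAS.** and the CSFKEYS protection of the key labels are assumed to exist, and the submitting user is assumed to have READ access to both key labels.

```jcl
//ENCMIG   JOB (ACCT),'ENCRYPT COPY',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Hypothetical example of migrating a clear dataset to an
//* encrypted one. Names, labels and classes are placeholders.
//*
//* Step 1: method 1, highest precedence. Store the key label in the
//*         DFP segment of the existing generic profile PROD.ADABAS.**.
//*         From now on every NEW dataset matching the profile is
//*         encrypted under that label; existing datasets are
//*         unaffected (they cannot be converted in place).
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTDSD 'PROD.ADABAS.**' DFP(DATAKEY(DATASET.ADABAS.PROD.KEY01))
  SETROPTS GENERIC(DATASET) REFRESH
/*
//* Step 2: allocate the target dataset. Its name is covered by the
//*         profile above, so RACF supplies the label: no DSKEYLBL is
//*         needed, and one coded here with a different label would
//*         not be used. DSNTYPE=EXTREQ requests extended format,
//*         which must be SMS-managed (hence STORCLAS) to be
//*         encryptable.
//ALLOC    EXEC PGM=IEFBR14
//NEWDS    DD DSN=PROD.ADABAS.EXPORT.ENC,DISP=(NEW,CATLG,DELETE),
//            DSNTYPE=EXTREQ,STORCLAS=SCPROD,
//            DSORG=PS,RECFM=FB,LRECL=80,SPACE=(CYL,(100,10),RLSE)
//* Step 2b: method 2. A dataset outside any DATAKEY profile gets
//*          its label from the JCL instead. No key label in RACF,
//*          JCL or data class would leave it unencrypted, silently.
//TESTDS   DD DSN=TEST.ADABAS.EXPORT.ENC,DISP=(NEW,CATLG,DELETE),
//            DSKEYLBL='DATASET.ADABAS.TEST.KEY01',
//            DSNTYPE=EXTREQ,STORCLAS=SCTEST,
//            DSORG=PS,RECFM=FB,LRECL=80,SPACE=(CYL,(10,1),RLSE)
//* Step 3: copy the clear dataset into the encrypted one. The
//*         access method encrypts on write, so IEBGENER needs no
//*         change; the OPEN of SYSUT2 fails if the job's user lacks
//*         READ to the key label in CSFKEYS.
//COPY     EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD DSN=PROD.ADABAS.EXPORT,DISP=SHR
//SYSUT2   DD DSN=PROD.ADABAS.EXPORT.ENC,DISP=OLD
//SYSIN    DD DUMMY
//* Step 4: confirm before the clear copy is deleted or renamed.
//*         LISTCAT ALL reports, for each dataset, whether it is
//*         encrypted and under which key label.
//VERIFY   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  LISTCAT ENTRIES('PROD.ADABAS.EXPORT.ENC' 'TEST.ADABAS.EXPORT.ENC') ALL
/*
```

Read the VERIFY output with the precedence rules in mind: PROD.ADABAS.EXPORT.ENC must show DATASET.ADABAS.PROD.KEY01 (from RACF, even though nothing in the JCL named it), and TEST.ADABAS.EXPORT.ENC must show DATASET.ADABAS.TEST.KEY01 (from DSKEYLBL). A dataset that shows no key label was created unencrypted and has to be reallocated; it cannot be fixed in place.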

Caution:
Establishing dataset encryption in a production environment is a complex undertaking. Mistakes can lead to the loss of data or to an inadvertent failure to protect data! In particular, a dataset whose key is no longer available in the CKDS (for example after a lost or mishandled master key change) cannot be read by anyone, so the CKDS and the ICSF master keys must be backed up and recoverable before any production data is encrypted; and a new dataset created while no key label is in effect is simply not encrypted, without any error.

For a fuller introduction, see the IBM Redbook “Getting Started with z/OS Data Set Encryption” from June 2018. While this book predates the encryption of basic format and large format sequential datasets, and of datasets accessed directly using EXCP, the concepts are the same.

For definitive specifications, see the IBM manual “DFSMS Using Data Sets,” Chapter 5, “Protecting data sets,” Section “Data set encryption.”

z/OS Dataset Encryption is a prerequisite for using Adabas Encryption. Once it has been set up, that is, once ICSF holds the keys, the key labels are protected in RACF, and newly created datasets of the required kind come out encrypted under the intended key label, you are ready to start using Adabas Encryption for encrypting your Adabas databases.