Secure Key Processing

Secure key processing lets you store and manage your cryptographic keys so that they never appear in clear form. For this guarantee to hold, keys must be stored in, and must remain in, the ICSF key database (the CKDS). The SecureKeysOnly option lets you generate new keys using the secure key services of ICSF. This option can be used in two ways:

With this option in effect, new keys are always stored in the CKDS, even if you specified the BES database as your key repository. However, if there are keys in the BES database when this option is turned on and you want to secure those keys from that point forward, you need to migrate the keys from the BES database to the CKDS. By using the MIGRATE=TOCKDS,MOVE command, you can ensure that the keys are removed from the BES database.

Note: For more information about the migrate commands, see the Configuration Guide.