How In-House Tape Processing Works
In-house tapes are used internally by an organization. This category includes tapes sent offsite for disaster recovery purposes. Data on in-house tapes is encrypted using symmetric-key cryptography.
In-house tapes have the following characteristics:
- A meaningful key name is stored in the BES database. This key name is associated with a specific encryption algorithm supported by CA Tape Encryption.
- An existing key is retrieved from ICSF or from the BES database, depending on your configuration.
- Symmetric keys can be used multiple times for in-house tapes, based on policy determined by the security administrator.
- The symmetric key remains protected in the ICSF database or BES database at all times.
- User header labels are written to the tape to identify the key name, the ICSF key label, and the type of encryption algorithm used. The encryption key itself is not stored in the tape labels.
- The data is encrypted using the key and then written to tape.
- To read the data, the symmetric key used to encrypt the data must be available for decrypting the tape.
- The database where the key was stored must be available to provide the symmetric key when needed.
- If using CKDS as the key repository, both the CKDS and the BES database must be available. If using the BES database as the key repository, then only that database must be available.
- When a file is first written to tape in encrypted format, CA Tape Encryption writes a unique BES identifier in the HDR1 label. This identifier is checked during OPEN for read processing; when it is found, CA Tape Encryption is invoked to decrypt the data automatically as the tape is read.
Note: For more information about defining keys in parmlib for encrypting in-house tapes, see the chapter “Defining Keys in Parmlib.”