Using CA Tape Encryption in Your z/OS Environment
How B2B Tape Encryption Works Using Digital Certificates
B2B tapes that use digital certificates for sharing with business partners outside of your organization are encrypted in a different manner from tapes encrypted for in-house use. These B2B tapes use the public key portion of a public key/private key pair together with a randomly generated symmetric key. Encrypting B2B tapes this way provides a secure method for transmitting both the key needed to decrypt the data and the data itself. The following list outlines this process:
- To send a B2B tape to a business partner, you must first obtain their agreement to use CA Tape Encryption and obtain a digital certificate from them. The digital certificate contains their public key. The receiving site must have a version of CA Tape Encryption installed: either the licensed version or the free decrypt-only version.
- A symmetric key is used to encrypt the data on the tape.
- The specific symmetric key algorithm to use is specified in the DFSMS dataclass description field.
- This symmetric key is randomly generated for use on this one tape only.
- The public key is used to encrypt the symmetric key so that it can be included on the tape in a secure manner.
- The encrypted symmetric key is stored in the user header labels so that it can be transmitted securely to the recipient of the tape.
- The tape is then sent outside of your organization to the recipient, the business partner.
- At the recipient site, the CA Encryption Subsystem (BES) obtains the private key from the security system.
- The private key is used to decrypt the symmetric data encryption key.
- The symmetric data encryption key is used to decrypt the actual tape data.
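The following Go program is an added worked example of the hybrid scheme the list describes; it is not CA Tape Encryption's own code and does not reproduce its label layout. Both sides are shown: the sending site generates a one-time symmetric key, encrypts the records with it, and wraps that key with the partner's public key into a header field; the receiving site unwraps the key with its private key and decrypts the records. The choice of AES-256-GCM for the data, RSA-OAEP for the key wrap, the `B2BTape` structure, the function names and the sample records are all assumptions of this example (the page says only that the symmetric algorithm comes from the DFSMS dataclass description field).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// B2BTape models the two parts of an encrypted B2B tape described in the
// text: a header carrying the wrapped symmetric key, and the data records
// encrypted under that symmetric key. This is a constructed illustration,
// not the product's actual user header label format.
type B2BTape struct {
	HeaderWrappedKey []byte // symmetric key encrypted with the partner's public key
	Nonce            []byte // AES-GCM nonce for the data records (assumed algorithm)
	Data             []byte // tape data encrypted with the symmetric key
}

// WriteB2BTape is the sending site: a fresh symmetric key is generated for
// this one tape, the records are encrypted with it, and the key itself is
// encrypted with the partner's public key (taken from their certificate).
func WriteB2BTape(partnerPub *rsa.PublicKey, plaintext []byte) (*B2BTape, error) {
	dataKey := make([]byte, 32) // AES-256 key, used for this tape only
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Wrap the symmetric key with the partner's public key (RSA-OAEP, assumed
	// here) so that only the holder of the matching private key can recover
	// it from the header.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, partnerPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &B2BTape{HeaderWrappedKey: wrapped, Nonce: nonce, Data: ciphertext}, nil
}

// ReadB2BTape is the receiving site: the private key (held in that site's
// security system) unwraps the symmetric key from the header, and the
// symmetric key then decrypts the records. A private key that does not
// match the certificate the sender used fails at the unwrap step, so the
// data key is never exposed to the wrong recipient.
func ReadB2BTape(priv *rsa.PrivateKey, tape *B2BTape) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, tape.HeaderWrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap tape key: private key does not match the sender's certificate")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, tape.Nonce, tape.Data, nil)
}

func main() {
	// Constructed keys: "partner" stands for the business partner's key pair,
	// "other" for an unrelated site that should not be able to read the tape.
	partner, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	records := []byte("constructed sample tape records")

	tape, err := WriteB2BTape(&partner.PublicKey, records)
	if err != nil {
		panic(err)
	}
	got, err := ReadB2BTape(partner, tape)
	fmt.Println("partner can read tape:", err == nil && bytes.Equal(got, records))
	_, err = ReadB2BTape(other, tape)
	fmt.Println("other site rejected:", err != nil)
}
```

The header carries only the wrapped key, so intercepting the tape in transit yields neither the data nor the key; recovery depends entirely on the partner's private key staying in their security system.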