How Keys Are Managed
CA Tape Encryption manages keys so that they are always securely protected. Keys are never stored in clear text, and all encryption and decryption occur automatically, with no user intervention required: users never have to enter a key. The following outlines how keys are managed:
- CA Tape Encryption assigns a unique BES Key Index to each tape data set when the data set is initially created in encrypted format.
- This BES Key Index is saved in the CA Tape Encryption database and in the tape management system catalog:
  - CA 1 stores the BES Key Index in the Tape Management Catalog (TMC).
  - CA TLMS stores the BES Key Index in the Volume Master File (VMF).
  - DFSMSrmm stores the BES Key Index in the Control Data Set (CDS).
- The BES Key Index can be displayed on CA Earl reports and through the CA 1 and CA TLMS online interfaces, including CA Vantage GMI.
- Each tape management system provides an extract file to CA Tape Encryption that identifies the BES Key Indexes that are active.
- CA Tape Encryption processes these extract files in the TBEKMUTL key management utility to flag key instances that are no longer needed.
  - A flagged key instance is a specific generation of the key.
  - When the key instance is no longer used for any encrypted tape files, it is flagged for deletion from the key repository.
- CA Tape Encryption protects keys for a period of time after they are no longer needed. A key is not deleted until 90 days after the time that it has been identified as no longer in use.
Note: You may elect not to perform any automated key deletion by not running the TBEKMUTL utility, or by specifying AutomaticallyRemoveKeys=N in parmlib.
Note: For more information about key management, see the chapters “Defining Keys in Parmlib” and “Using Digital Certificates.”
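The retention logic above (flag an instance no tape management system still references, delete it only once the 90-day grace period has elapsed, and skip deletion entirely when automatic removal is switched off) is modelled below as an added example. This is not CA Tape Encryption or TBEKMUTL code: the extract-file record layout (`KEYIDX=<value>`), the in-memory repository, the `reconcile` and `demo_run` names and the rule that a key reappearing in an extract cancels its pending deletion are all assumptions made for illustration.

```python
"""Constructed model of the BES Key Index lifecycle (not CA Tape Encryption code).

The extract-file format, the repository structure and the function names below
are assumptions made for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

RETENTION_DAYS = 90  # stated on the page: no deletion until 90 days after flagging


@dataclass
class KeyInstance:
    """One generation of a key, identified by its BES Key Index (assumed to be a string)."""
    bes_key_index: str
    flagged_on: Optional[date] = None  # None means the instance is still considered in use


def parse_extract(lines: Iterable[str]) -> Set[str]:
    """Return the set of BES Key Indexes an extract file reports as active.

    Assumed layout (not documented on the page): one 'KEYIDX=<value>' record per
    line; blank lines and lines starting with '*' are comments and are skipped.
    Any other record is rejected rather than silently ignored, so a corrupt
    extract cannot make every key look unreferenced.
    """
    active: Set[str] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if not line.startswith("KEYIDX="):
            raise ValueError(f"unrecognised extract record: {line!r}")
        active.add(line[len("KEYIDX="):].strip())
    return active


def reconcile(repository: Dict[str, KeyInstance],
              extracts: List[Iterable[str]],
              today: date,
              automatically_remove_keys: bool = True) -> dict:
    """Flag instances no extract references; delete those flagged >= RETENTION_DAYS ago.

    Several extracts (one per tape management system) are combined: an index is
    active if ANY of them reports it. With automatically_remove_keys=False
    (mirrors AutomaticallyRemoveKeys=N) instances are still flagged but never deleted.
    """
    active: Set[str] = set()
    for ext in extracts:
        active |= parse_extract(ext)

    flagged, reinstated, deleted = [], [], []
    for idx, inst in list(repository.items()):
        if idx in active:
            # Assumption: a key that is referenced again must never be removed,
            # so a pending deletion is cancelled.
            if inst.flagged_on is not None:
                inst.flagged_on = None
                reinstated.append(idx)
            continue
        if inst.flagged_on is None:
            inst.flagged_on = today  # first run that found the instance unreferenced
            flagged.append(idx)
        elif automatically_remove_keys and today - inst.flagged_on >= timedelta(days=RETENTION_DAYS):
            del repository[idx]  # grace period is over: remove from the key repository
            deleted.append(idx)
    return {"flagged": sorted(flagged), "reinstated": sorted(reinstated), "deleted": sorted(deleted)}


def demo_run(automatically_remove_keys: bool = True) -> dict:
    """Constructed scenario: five key instances, two extracts, one reconciliation run."""
    today = date(2024, 6, 30)
    repo = {
        "000101": KeyInstance("000101"),                                              # in use
        "000102": KeyInstance("000102", flagged_on=today - timedelta(days=10)),       # referenced again
        "000103": KeyInstance("000103", flagged_on=today - timedelta(days=100)),      # past the 90 days
        "000104": KeyInstance("000104", flagged_on=today - timedelta(days=89)),       # still in grace period
        "000105": KeyInstance("000105"),                                              # newly unreferenced
    }
    ca1_extract = ["* constructed CA 1 extract", "KEYIDX=000101", "KEYIDX=000102"]
    rmm_extract = ["KEYIDX=000101", ""]
    result = reconcile(repo, [ca1_extract, rmm_extract], today, automatically_remove_keys)
    result["remaining"] = sorted(repo)
    return result


if __name__ == "__main__":
    print(demo_run())
```

Running `demo_run()` deletes only 000103 (flagged 100 days ago), leaves 000104 flagged because its 89 days fall short of the retention period, flags 000105 for the first time and reinstates 000102 because the CA 1 extract still lists it; the same run with `automatically_remove_keys=False` flags identically but deletes nothing.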