How In-House Keys Work
CA Tape Encryption provides comprehensive management of in-house keys. Because an in-house key is a symmetric key, the same secret key both encrypts and decrypts the data, so the key must be protected to ensure that data encrypted with it remains secure.
The following points describe the use of symmetric keys with in-house tapes:
- Symmetric keys are stored in the key repository of the system that created the tape. These keys are themselves encrypted.
- A site's ICSF CKDS is protected by a secure master key.
- Keys stored in the BES database are protected by a single pass phrase or dual pass phrase.
Note: For more information about the command for specifying this pass phrase, see the Configuration Guide.
- The ICSF CKDS or the BES database is the only place where the symmetric keys are stored, and the keys remain there, operational, for as long as they are needed.
- When keys are saved in the CKDS, only the key label is stored in the BES database, and that label is itself referenced by a BES Key Index. In this configuration, all references to an in-house key are made with a key label.
- When keys are generated by ICSF, they are returned to CA Tape Encryption encrypted under the ICSF master key, which makes them operational for use in calls to ICSF. If the ICSF master key changes, these keys must be encrypted again under the new master key. ICSF automatically re-encrypts the keys stored in the CKDS.
- For keys stored in the BES database, if the master BES pass phrase or dual pass phrases change, CA Tape Encryption automatically re-encrypts the keys.
- You can continue to read tapes that were encrypted while the old master key, pass phrase, or dual pass phrases were in effect. Re-encryption changes only the protection of the stored keys, not the keys themselves, so the key a tape was written with is still the key used to read it.
- Any attempt to read an encrypted in-house tape requires the same ICSF CKDS or BES database, or both, that were used to encrypt the tape.
- A copy of the ICSF CKDS or BES database is required for off-site or disaster recovery situations.
- You can use one in-house key for multiple files and multiple tapes. Reusing a key increases the amount of data that is exposed if that key is compromised, so regenerate multiple-use keys on a regular basis and replace them with new keys.
Note: When a key is replaced by the regeneration process, it is retained for reading tapes that were encrypted using the key.
- You can generate new in-house keys on a weekly, monthly, or yearly basis.
- In-house keys are generated in advance and stored for future use. This ensures that your disaster recovery system has all the necessary keys even if your mirror database backup is somewhat out of date because of transport delays or backup media failures.
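The storage and rotation behaviour described in the points above, shown as an added example. This is a toy model written for this page, not CA Tape Encryption, ICSF or BES code: it keeps in-house keys only in wrapped form under a master secret derived from a pass phrase, re-wraps every key when the master changes, retires but retains a regenerated key so older tapes stay readable, and has each tape record name its key by index and label. The PBKDF2 pass-phrase derivation, the HMAC-SHA256 wrapping construction, the class and function names (`KeyRepository`, `encrypt_tape`, `decrypt_tape`) and the key label `TAPEKEY.PROD` are all assumptions made for the illustration.

```python
"""Toy model of an encrypted in-house key repository (added illustration).

Not CA Tape Encryption, ICSF or BES code. The PBKDF2 derivation and the
HMAC-SHA256 keystream-plus-tag wrapping are stand-ins for the real
master-key and pass-phrase protection; the data flow is what the page describes.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32                 # bytes of key material per in-house key
NONCE_LEN, TAG_LEN = 16, 32


def derive_master(pass_phrase: str, salt: bytes) -> bytes:
    """Master secret from a pass phrase (assumed KDF, not how BES derives it)."""
    return hashlib.pbkdf2_hmac("sha256", pass_phrase.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap(key: bytes, plain: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyRepository:
    """In-house keys held only in wrapped form, addressed by a key index and label."""

    def __init__(self, pass_phrase: str):
        self.salt = secrets.token_bytes(16)
        self._master = derive_master(pass_phrase, self.salt)
        self.records = {}        # index -> {"label": str, "wrapped": bytes, "active": bool}
        self._next_index = 1

    def generate(self, label: str) -> int:
        """Create a fresh key for LABEL; an earlier key with that label is retired, not deleted."""
        for rec in self.records.values():
            if rec["label"] == label:
                rec["active"] = False
        idx, self._next_index = self._next_index, self._next_index + 1
        wrapped = wrap(self._master, secrets.token_bytes(KEY_LEN))
        self.records[idx] = {"label": label, "wrapped": wrapped, "active": True}
        return idx

    def current_index(self, label: str) -> int:
        return next(i for i, r in self.records.items() if r["label"] == label and r["active"])

    def key(self, idx: int) -> bytes:
        """Unwrap one key for use; never stored in the clear."""
        return unwrap(self._master, self.records[idx]["wrapped"])

    def rotate_master(self, new_pass_phrase: str) -> None:
        """Re-wrap every stored key under the new master; the keys themselves do not change."""
        new_salt = secrets.token_bytes(16)
        new_master = derive_master(new_pass_phrase, new_salt)
        for rec in self.records.values():
            rec["wrapped"] = wrap(new_master, unwrap(self._master, rec["wrapped"]))
        self.salt, self._master = new_salt, new_master

    def reopen(self, pass_phrase: str) -> None:
        """Model restoring a copy of the repository at a DR site with a supplied pass phrase."""
        self._master = derive_master(pass_phrase, self.salt)


def encrypt_tape(repo: KeyRepository, label: str, data: bytes) -> dict:
    """Encrypt DATA under the active key for LABEL; the record names the key it used."""
    idx = repo.current_index(label)
    return {"key_index": idx, "key_label": label, "payload": wrap(repo.key(idx), data)}


def decrypt_tape(repo: KeyRepository, tape: dict) -> bytes:
    """Read a tape with whichever key, active or retired, it was written under."""
    return unwrap(repo.key(tape["key_index"]), tape["payload"])


if __name__ == "__main__":
    repo = KeyRepository("first pass phrase")
    repo.generate("TAPEKEY.PROD")
    tape = encrypt_tape(repo, "TAPEKEY.PROD", b"constructed sample payload")
    repo.rotate_master("second pass phrase")   # tape still readable after rotation
    repo.generate("TAPEKEY.PROD")              # regenerate; old key retired, retained
    print(decrypt_tape(repo, tape))
```

The two checks worth taking from the model: after `rotate_master` the unwrapped key bytes are identical, which is why tapes written before the rotation still read, and after `generate` the old record is still present with `active` set to false, which is the retention the Note above describes. Opening the same records with the wrong pass phrase fails the tag check rather than yielding garbage keys, so a DR site with a stale mirror but the right pass phrase can read, and one with the wrong pass phrase cannot.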