Deactivated Keys and Scratch Tapes
A deactivated key is no longer used for encryption. New versions of the key are not generated, but the key instance is retained for reading tapes that were encrypted with this key. The following points describe how deactivated keys are managed for scratch tapes:
- CA Tape Encryption is a rule-based system that allows you to define the types of encryption to perform and how often to regenerate keys.
- After you define these rules, new versions of keys are generated automatically. Only one version of a key is considered the current active key; all other versions are either held for future use or marked as deactivated.
- You may have any number of keys in the deactivated state under each specific CA Tape Encryption key name.
- These deactivated keys represent keys in the ICSF database or BES database that were used to encrypt tapes in the past under the specific CA Tape Encryption key name.
- The appropriate key is referenced any time an application mounts and reads one of these tapes.
- To ensure that keys do not remain in the BES database and ICSF database beyond the lifecycle of the tapes, CA Tape Encryption automatically removes a deactivated key from CA Tape Encryption and ICSF once the tape management system has flagged the last tape encrypted under that key as a scratch tape that has been overwritten (reused) and the grace period has expired.
- The Deactivate attribute in parmlib indicates whether an entire key section is marked as deactivated. Deactivating a key section in parmlib is similar to deactivating individual keys: the key section cannot be used for creating new tapes but may be used to read old tapes.
- If you do not want a key to be used for any new encryption activity, specify the following value for the Deactivate attribute in parmlib to deactivate all versions of the key:
  Deactivate=Y
  - This deactivates the current key; it is no longer used for encryption.
  - The key name can no longer be used for new encryption requests, and no new key instances are generated for it.
  - All future versions of the key that were generated according to the Regenerate attribute and the NumberOfGenerations attribute in parmlib are removed.
  - The deactivated current instance is retained in the key repository in case it is needed for decryption, until the tape management system indicates that it can be removed and the grace period has expired.
- The key may be reactivated by removing the Deactivate=Y specification. Doing so causes CA Tape Encryption to generate a new current key and all of the required future keys. Any time you cause new keys to be generated, immediately back up the mirror database and send a copy of the backup to your disaster recovery site.
Note: You can also deactivate a key by removing the key name and the key section that defines its attributes from parmlib.
Note: For more information about the Deactivate attribute, see the Configuration Guide.
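The lifecycle described on this page, as an added illustrative model (not CA Tape Encryption code): one key name with current, future and deactivated versions, the effect of Deactivate=Y and of removing it again, and removal of a deactivated version only after its last tape is scratched and the grace period has expired. Days are plain integers; the class, method names, volsers and the tape bookkeeping are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class KeyName:
    """Constructed model of one key name; versions are integers."""
    name: str
    number_of_generations: int = 2      # NumberOfGenerations attribute
    current: Optional[int] = 1          # None once Deactivate=Y is in effect
    future: list = field(default_factory=list)   # pre-generated versions
    deactivated: dict = field(default_factory=dict)  # version -> day last tape scratched
    tapes: dict = field(default_factory=dict)        # volser -> version used

    def __post_init__(self):
        self._fill_future()

    def _fill_future(self):
        top = max([self.current or 0, *self.future, *self.deactivated])
        while len(self.future) < self.number_of_generations:
            top += 1
            self.future.append(top)

    def _retire(self, version, day):
        # Kept for reading; grace period starts only when no tape uses it.
        live = version in self.tapes.values()
        self.deactivated[version] = None if live else day

    def write_tape(self, volser):
        if self.current is None:
            raise RuntimeError(f"{self.name}: deactivated, no new encryption")
        self.tapes[volser] = self.current

    def regenerate(self, day):          # Regenerate interval reached
        self._retire(self.current, day)
        self.current = self.future.pop(0)
        self._fill_future()

    def set_deactivate(self, value, day):
        if value == "Y" and self.current is not None:
            self._retire(self.current, day)
            self.current, self.future = None, []    # future versions removed
        elif value == "N" and self.current is None:
            self._fill_future()                     # new current + futures
            self.current = self.future.pop(0)
            self._fill_future()                     # back up the mirror DB now

    def scratch_tape(self, volser, day):
        version = self.tapes.pop(volser)
        if version in self.deactivated and version not in self.tapes.values():
            self.deactivated[version] = day         # last tape gone

    def purge_expired(self, today, grace_days):
        gone = [v for v, d in self.deactivated.items()
                if d is not None and d + grace_days <= today]
        for v in gone:
            del self.deactivated[v]                 # removed from ICSF/BES
        return gone

    def key_for_read(self, volser):
        return self.tapes[volser]   # current and deactivated both readable
```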