CA Tape Encryption Installation and Configuration Best Practices › Configuration for Optimal Performance › Key Life Cycle Management

Key Life Cycle Management

Use CA Tape Encryption automated key life cycle management.

Business Value:

The CA Tape Encryption key life cycle management feature reduces business costs by allowing you to control the expiration of your tape files from the tape management system. Keys that are known to no longer be used are available for deletion.

Additional Considerations:

CA Tape Encryption integrates with the CA 1, CA TLMS, and IBM DFSMSrmm tape management systems to control the life-cycle management of keys used to encrypt tape files managed by these products.

CA Tape Encryption assigns a unique identifier for each symmetric key known as the BES Key Index (BESKEY). The BESKEY is saved in:

• The tape management catalog. This allows you to identify what files are encrypted and what key was used to encrypt the data.
• The User Header Labels (UHL) and User Trailer Labels (UTL) on the tape and in the CA Tape Encryption database.

CA Tape Encryption provides a job to read each tape management system's catalog to identify all BESKEYs retained in the catalog to ensure that the keys are retained. To automatically remove keys, set the PARMLIB attribute AutomaticallyRemoveKeys=Y. CA Tape Encryption puts the keys no longer defined to the tape management system catalog on a 90 day deletion queue. If a key is used to decrypt a tape it is automatically removed from the queue.