How the CA Tape Encryption System Works
The CA Encryption Subsystem (BES) plays the major role in CA Tape Encryption. This diagram provides an overview of how the CA Tape Encryption system works:

The following list outlines how the CA Tape Encryption system works:
- During OPEN, the tape exits (TEP) determine whether or not encryption is to be applied.
- Based on the DFSMS DATACLAS construct assigned to the tape data set, or the security protection profiles in the security system, an encryption key and algorithm are selected.
- All subsequent I/O to this file is processed by the encryption I/O engine, applying the selected encryption algorithm and key.
- The key index associated with the encryption key instance is passed over to the tape management system for tracking.
Note: Specific maintenance is required for CA 1, CA TLMS, and DFSMSrmm to support full key management and tracking. You should call your tape management system vendor to obtain any maintenance they may have available for CA Tape Encryption full key management.
- Application programs are unaware that the data is being encrypted or decrypted. The encryption keys are maintained in the BES primary and mirror databases and may optionally be maintained in ICSF's CKDS. ICSF services are employed using industry-standard encryption algorithms of varying strengths.
- For B2B tapes, BES encrypts the tape data with a unique randomly generated symmetric key. BES also extracts the public key from the business partner's digital certificate and uses it to encrypt the symmetric key. The encrypted symmetric key is then embedded with the data and can be decrypted only by the corresponding private key owned by the business partner.
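The B2B scheme in the last item is hybrid (envelope) encryption. The Go sketch below is an added example, not CA code. It assumes AES-256-GCM for the data, RSA-OAEP with SHA-256 for wrapping the key, and a simple layout of wrapped key, nonce, then ciphertext; the page does not say which algorithms or on-tape format BES uses, and `Seal`, `Open` and `DemoPartner` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Seal encrypts under a fresh AES-256-GCM key and embeds the RSA-wrapped key with the data.
func Seal(partner *x509.Certificate, data []byte) ([]byte, error) {
	pub, ok := partner.PublicKey.(*rsa.PublicKey) // chain validation is the caller's job
	if !ok {
		return nil, errors.New("partner certificate has no RSA public key")
	}
	kn := make([]byte, 32+12) // random data key followed by the GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil)
	if err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(kn[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(blk)
	return gcm.Seal(append(wrapped, kn[32:]...), kn[32:], data, nil), nil
}

// Open is the partner side: unwrap the data key with the private key, then decrypt.
func Open(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size() // the wrapped key is exactly one RSA modulus long
	if len(blob) < n+12 {
		return nil, errors.New("blob too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:n], nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("data key could not be unwrapped")
	}
	blk, _ := aes.NewCipher(key) // length checked above
	gcm, _ := cipher.NewGCM(blk)
	return gcm.Open(nil, blob[n:n+12], blob[n+12:], nil) // fails if the tag does not verify
}

func DemoPartner() (*x509.Certificate, *rsa.PrivateKey) { // constructed fixture, not a real cert
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &x509.Certificate{PublicKey: &priv.PublicKey}, priv // only PublicKey is populated
}
```

Because the data key is random per call, sealing the same data twice yields different wrapped keys, and only the holder of the matching private key can recover either one.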