On 6/19/2017 8:00 AM, Todd Arnold wrote:
- If you need "secure keys" - keys that are protected by hardware that
    cannot be subverted, even by the highest-technology methods - then
    use CEX.  (but if you need a lower level of security, consider CPACF
    Protected Key mode.)

I would note that CPACF protected keys are *very* secure, as they are good only on the system that generates them for the life of that IPL. While not impregnable like secure keys, they usually end up on the plus side of scales when you consider the possibility of breaking the encryption of a CPACF encrypted key vs the significant reduction in elapsed time over the CEX when processing large amounts of data.

ICSF *can* convert a secure key to a CPACF protected key for use by the cipher instructions if the appropriate options and security profiles are established.

Regards,
Greg

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to