Allan Staller wrote:
> (z13?) or z14 processor. Pervasive encryption handled by hardware
Matthew Donald wrote:
> No, only in the sense that dfsms requires a CEX?S card to be installed.
> Pervasive encryption is supported on z114/196 with a CEX3S or later. The
> encryption is performed by sms, which uses the CPACF instructions to
> perform the actual cipher/decipher operations.

There are a few issues to untangle here.

First of all, we're discussing z/OS Data Set Encryption. z/OS Data Set Encryption does not require Crypto Express. You can still use z/OS Data Set Encryption in clear key mode without Crypto Express, and that would be better (more secure, ceteris paribus) than not using z/OS Data Set Encryption at all. IBM recommends you use Crypto Express in conjunction with z/OS Data Set Encryption to provide key protection, but you shouldn't wait to make forward progress.

As an aside, if you have an IBM z13 or z13s machine but don't have Crypto Express features and want them (and a TKE workstation, probably), you should place an order well before the end of June, 2019, since the End of Marketing date is fast approaching. Your other choice is a model upgrade (MES) to z14, also available from z12 machines.

z/OS Data Set Encryption requires an IBM z196/z114 or subsequent model machine. On every IBM Z machine that supports z/OS Data Set Encryption, there is at least some hardware exploitation (CPACF). To my knowledge z/OS Data Set Encryption also functions on zPDT and IBM Z Development and Test Environment (ZD&T), although obviously Crypto Express features are not available in those environments and the performance will be markedly different. That's no great surprise, I hope. (Has anybody tried this yet?)

Pervasive Encryption (uppercase) refers to the "encrypt everything" (even multiple times, in multiple encryption layers) operational approach that performs extremely well on IBM z14 and second generation LinuxONE machines (Emperor II, Rockhopper II), using z/OS Data Set Encryption and/or all other available encryption techniques, as applicable. It performs so well that you shouldn't have to adjust your service level commitments on these latest machines. You *can* pervasively encrypt (lowercase) on earlier models, but there is some processing overhead. The older the model, the more overhead there's likely to be. Consequently "Pervasive Encryption" (uppercase) applies only to the current machines, in IBM's view anyway. IBM is drawing this distinction based on the service level neutrality I just mentioned, but you shouldn't view IBM's distinction as an inhibitor. You'll just want to be a little careful about measuring impacts but still at least selectively encrypt. Remember, forward progress is better than no progress. Do what you can as soon as you can to improve your security posture.

Anyway, here we're discussing z/OS Data Set Encryption which, if running on an IBM z14 machine with z/OS, is a super important part of Pervasive Encryption.

Does all that make sense, or should I elaborate on any particular points?

As a reminder (even if I don't mention it always), my words are my own, not IBM's.

Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE
E-Mail: sipp...@sg.ibm.com

For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
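As an added worked example (not from the original posts, and not IBM's own sample), here is the shape of a minimal z/OS Data Set Encryption setup that the reply above describes: an AES-256 DATA key in the CKDS, RACF profiles that tie the key label to a data set name pattern and gate who may use the key, a JCL allocation that requests encryption via a key label, and a catalog check. Every name (key label, data set names, the `EXTFMT` data class, the `PAYUSER` ID, the CKDS name) is hypothetical, and the statements are written from memory of the ICSF and RACF documentation, so check keyword syntax against the manuals for your release before running anything. The `SYMCPACFWRAP(YES)` setting on the CSFKEYS profile is where the clear key versus protected key point lands: with a Crypto Express feature present, it lets ICSF rewrap the secure CKDS key into a CPACF protected key, so the clear key never sits in application-addressable storage; without Crypto Express the CKDS key is a clear key and the same setup still works, just without that protection.

```jcl
//* ---- Step 1: generate a 256-bit AES DATA key in the CKDS with KGUP.
//* The key label and CKDS name are hypothetical; DD names are the
//* standard KGUP ones. Output data set allocations are site-standard.
//KGUP     EXEC PGM=CSFKGUP
//CSFCKDS  DD DISP=OLD,DSN=SYS1.ICSF.CKDS
//CSFDIAG  DD SYSOUT=*
//CSFKEYS  DD DISP=(NEW,CATLG),DSN=KGUP.KEYS.OUT,SPACE=(TRK,(1,1))
//CSFSTMNT DD DISP=(NEW,CATLG),DSN=KGUP.STMNT.OUT,SPACE=(TRK,(1,1))
//CSFIN    DD *
ADD TYPE(DATA),ALGORITHM(AES),LENGTH(256),LABEL(DATASET.PROD.PAYROLL.ENCRKEY.001)
/*
//* ---- Step 2: RACF, run as TSO commands under IKJEFT01.
//*  a) ADDSD: tie the key label to a data set name pattern via the DFP
//*     segment (DATAKEY). New data sets matching the pattern get this key.
//*  b) RDEFINE CSFKEYS: protect the key label itself. SYMCPACFWRAP(YES)
//*     allows ICSF to rewrap the secure key as a CPACF protected key;
//*     SYMCPACFRET(YES) allows that protected key to be returned to the
//*     access method rather than used only inside ICSF.
//*  c) PERMIT with WHEN(CRITERIA(SMS(DSENCRYPTION))): the user may use the
//*     key only through data set encryption, not by calling ICSF directly.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDSD 'PROD.PAYROLL.**' UACC(NONE) +
   DFP(DATAKEY(DATASET.PROD.PAYROLL.ENCRKEY.001))
 SETROPTS GENERIC(DATASET) REFRESH
 SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
 RDEFINE CSFKEYS DATASET.PROD.PAYROLL.ENCRKEY.001 UACC(NONE) +
   ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
 PERMIT DATASET.PROD.PAYROLL.ENCRKEY.001 CLASS(CSFKEYS) ID(PAYUSER) +
   ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
 SETROPTS RACLIST(CSFKEYS) REFRESH
/*
//* ---- Step 3: allocate an SMS-managed extended-format data set and ask
//* for encryption explicitly with DSKEYLBL. The DFP DATAKEY from step 2
//* would already apply to this name; DSKEYLBL shows the JCL form.
//ALLOC    EXEC PGM=IEFBR14
//PAYROLL  DD DSN=PROD.PAYROLL.MASTER,DISP=(NEW,CATLG),
//            DATACLAS=EXTFMT,DSNTYPE=EXTREQ,
//            DSKEYLBL='DATASET.PROD.PAYROLL.ENCRKEY.001',
//            RECFM=FB,LRECL=200,SPACE=(CYL,(10,5))
//* ---- Step 4: verify. The catalog entry reports whether the data set is
//* encrypted and which key label it uses; an unencrypted data set is the
//* failure mode to look for (usually a non-extended-format allocation).
//CHECK    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  LISTCAT ENTRIES('PROD.PAYROLL.MASTER') ALL
/*
```

The check that matters operationally is step 4: if the data set was not allocated in extended format, it is created unencrypted even though a key label is associated with it, so the LISTCAT output (and not the presence of the RACF profile) is what confirms that the data is actually being ciphered through CPACF.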