>>-+-----------------------------------------------------------------------------------+-><
   |                                  .---ICOUNT(16)---.  .---ENCRYPT( CLRAES128 )---. |
   '-+-KEYPASSWORD-+--(--password--)--+----------------+--+--------------------------+-'
     '-KPWD--------'                  '---ICOUNT(n)----'  '---ENCRYPT( CLRTDES )-----'
- KEYPASSWORD
Specifies the 8 to 32 character password (in EBCDIC) that is used to generate a clear TDES triple-length key or a clear 128-bit AES key.
Valid characters are uppercase and lowercase letters A through Z, numerals 0-9, and the following characters: !@#$%¢&*-_=:<>?|{}.
You cannot use embedded spaces, commas (,), forward slash (/), parentheses (()), or semi-colons. DFSMSdss removes leading and trailing blanks.
- ICOUNT
The ICOUNT optional parameter specifies how many times DFSMSdss performs the SHA-1 hash algorithm in the generation of the data key and initial chaining vector for encryption. n is an integer between 1 and 10000.
If you do not specify ICOUNT, the default number of iterations is 16.
- ENCRYPT
The ENCRYPT keyword allows you to specify the type of encryption to use. The data key used is generated from the password you specified on the KEYPASSWORD keyword. If the same password is specified on separate DUMP commands, the same data key will be generated for a particular encryption type. The types of encryption are:
- CLRAES128
- Specifies that the dumped data is encrypted with a clear 128-bit AES key. It will be done using CPACF on a z9® or z10 processor. On any other processor (z900, z800, z990, or z890), the AES cryptography is done by the ICSF software.
- CLRTDES
- Specifies that the dumped data is encrypted with a secure triple-length DES key. It will use CPACF on a z890, z990, z9, and z10 processor. On a z900 and z800, you will need to start ICSF in order to perform the DES cryptography.
If you do not specify ENCRYPT, the default type of encryption is CLRAES128.
Note:
- When you specify KEYPASSWORD, the only types of encryption that are allowed are CLRTDES and CLRAES128. Secure Triple DES (ENCTDES) is not allowed.
- When using the KEYPASSWORD keyword, you must take care to ensure that the password is not lost or forgotten. If you lose or forget the password, DFSMSdss cannot decrypt the encrypted data on the dump data set. No password recovery mechanism exists. Neither the password nor the generated data key is stored on the output medium.
- Use of the HWCOMPRESS keyword is recommended when using the ENCRYPT keyword.
- The KEYPASSWORD keyword is mutually exclusive with the RSA keyword.
- The KEYPASSWORD password that is specified in your input command stream is not printed in the SYSPRINT output.
- The ICSF address space must be started up successfully regardless of the processor you are running DFSMSdss on and the ENCRYPT sub-parameter you use.
For more information on the ENCRYPT keyword, see RSA.
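
The rules above can be checked before a job is submitted. The following Python sketch is an added example, not IBM code: it applies the documented password length and character set, the ICOUNT range and default, the allowed ENCRYPT types and the RSA exclusion to one DUMP command held in a single string. The function name, the `min_icount` policy floor and the sample commands are assumptions made for illustration.

```python
import re
import string

# Character set from the KEYPASSWORD description. Assumption: the "." that ends
# the page's character list is sentence punctuation, not an allowed character.
ALLOWED = set(string.ascii_letters + string.digits + "!@#$%¢&*-_=:<>?|{}")
CLEAR_TYPES = {"CLRAES128", "CLRTDES"}   # ENCTDES is not allowed with KEYPASSWORD

def check_keypassword(command, min_icount=1):
    """Check KEYPASSWORD, ICOUNT and ENCRYPT on one DUMP command string.

    Returns (settings, problems). min_icount is a hypothetical site policy
    floor; the documented ICOUNT range itself is 1 to 10000.
    """
    pw = re.search(r"\b(?:KEYPASSWORD|KPWD)\s*\(([^)]*)\)", command)
    if pw is None:
        return {}, ["KEYPASSWORD/KPWD not specified"]
    password = pw.group(1).strip()           # leading and trailing blanks are removed
    rest = command[:pw.start()] + command[pw.end():]   # never scan the password itself
    problems = []

    if not 8 <= len(password) <= 32:
        problems.append(f"password length {len(password)} is outside 8 to 32")
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        problems.append(f"characters not allowed in password: {bad}")

    ic = re.search(r"\bICOUNT\s*\(\s*(\d+)\s*\)", rest)
    icount = int(ic.group(1)) if ic else 16  # documented default
    if not 1 <= icount <= 10000:
        problems.append(f"ICOUNT({icount}) is outside 1 to 10000")
    elif icount < min_icount:
        problems.append(f"ICOUNT({icount}) is below the site minimum {min_icount}")

    enc = re.search(r"\bENCRYPT\s*\(\s*(\w+)\s*\)", rest)
    encrypt = enc.group(1) if enc else "CLRAES128"   # documented default
    if encrypt not in CLEAR_TYPES:
        problems.append(f"ENCRYPT({encrypt}) is not allowed with KEYPASSWORD")
    if re.search(r"\bRSA\s*\(", rest):
        problems.append("KEYPASSWORD and RSA are mutually exclusive")
    return {"icount": icount, "encrypt": encrypt}, problems

# Constructed sample commands (data set names, label and passwords are made up).
GOOD = "DUMP DATASET(INCLUDE(PAYROLL.**)) OUTDDNAME(TAPE) KPWD(Corr3ct-H0rse_Batt3ry) ICOUNT(10000) HWCOMPRESS"
BAD = "DUMP DATASET(INCLUDE(PAYROLL.**)) OUTDDNAME(TAPE) KEYPASSWORD( short 1 ) ENCRYPT(ENCTDES) RSA(MYLABEL)"

if __name__ == "__main__":
    for cmd in (GOOD, BAD):
        print(check_keypassword(cmd, min_icount=1000))
```

Because ICOUNT defaults to 16 when omitted, a policy floor passed as `min_icount` also flags commands that leave the keyword out.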