>>-+-----------------------------------------------------------------------------------+-><
   |                                  .---ICOUNT(16)---.  .---ENCRYPT( CLRAES128 )---. |   
   '-+-KEYPASSWORD-+--(--password--)--+----------------+--+--------------------------+-'   
     '-KPWD--------'                  '---ICOUNT(n)----'  '---ENCRYPT( CLRTDES )-----'     

KEYPASSWORD

Specifies the 8 to 32 character password (in EBCDIC) that is used to generate a clear TDES triple-length key or a clear 128-bit AES key.

Valid characters are upper and lower-case letters A through Z, numerals 0-9, and the following characters: !@#$%¢&*-_=:<>?|{}. You cannot use imbedded spaces, commas (,), forwardslash (/), parentheses (()), or semi-colons. DFSMSdss removes leading and trailing blanks.

ICOUNT

The ICOUNT optional parameter specifies how many times DFSMSdss performs the SHA-1 hash algorithm in the generation of the data key and initial chaining vector for encryption. n is an integer between 1 and 10000.

If you do not specify ICOUNT, the default number of iterations is 16.

ENCRYPT

The ENCRYPT keyword allows you to specify the type of encryption to use. The data key used is generated from the password you specified on the KEYPASSWORD keyword. If the same password is specified on separate DUMP commands, the same data key will be generated for a particular encryption type. The types of encryption are:

CLRAES128

Specifies that the dumped data is encrypted with a clear 128-bit AES key. It will be done using CPACF on a z9® or z10 processor. On any other processor (z900, z800, z990, or z890), the AES cryptography is done by the ICSF software.

CLRTDES

Specifies that the dumped data is encrypted with a secure triple-length DES key. It will use CPACF on a z890, z990, z9, and z10 processor. On a z900 and z800, you will need to start ICSF in order to perform the DES cryptography.

If you do not specify ENCRYPT, the default type of encryption is CLRAES128.

Note:

1. When you specify KEYPASSWORD, the only types of encryption that are allowed are CLRTDES and CLRAES128. Secure Triple DES (ENCTDES) is not allowed.
2. When using the KEYPASSWORD keyword, you must take care to ensure that the password is not lost or forgotten. If you lose or forget the password, DFSMSdss cannot decrypt the encrypted data on the dump data set. No password recovery mechanism exists. Neither the password or the generated data key is stored on the output medium.
3. Use of the HWCOMPRESS keyword is recommended when using the ENCRYPT keyword.
4. The KEYPASSWORD keyword is mutually exclusive with the RSA keyword.
5. The KEYPASSWORD password that is specified in your input command stream is not printed in the SYSPRINT output.
6. The ICSF address space must be started up successfully regardless of the processor you are running DFSSMSdss on and the ENCRYPT sub-parameter you use.