z/OS DFSMS Using Data Sets


Data Enciphering and Deciphering

SC23-6855-00

In the following three types of offline environments, the enciphering of sensitive data adds to data security:
  • Data sets are transported to another installation, where data security is required during transportation and while the data is stored at the other location.
  • Data sets are stored for long periods of time at a permanent storage location.
  • Data sets are stored offline at the site at which they are normally used.

You can use the REPRO command to copy a plaintext (not enciphered) data set to another data set in enciphered form. Enciphering converts data to an unintelligible form called ciphertext. You can then store the enciphered data set offline or send it to a remote location. When desired, you can bring the enciphered data set back online and use the REPRO command to recover the plaintext from the ciphertext by copying the enciphered data set to another data set in plaintext (deciphered) form.

Enciphering and deciphering are based on an 8-byte binary value called the key. Using the REPRO DECIPHER option, you can either decipher the data on the system that it was enciphered on, or decipher the data on another system that has the required key to decipher the data.

The input data set for the decipher operation must be an enciphered copy of a data set produced by REPRO. The output data set for the encipher operation can only be a VSAM entry-sequenced, linear, or sequential data set. The target (output) data set of both an encipher and a decipher operation must be empty. If the target data set is a VSAM data set that has been defined with the reusable attribute, use the REUSE parameter of REPRO to reset it to empty.

For both REPRO ENCIPHER and REPRO DECIPHER, if the input data set (INDATASET) is system managed, the output data set (OUTDATASET) can be either system managed or not system managed, and must be cataloged.

The REPRO ENCIPHER parameter indicates that REPRO is to produce an enciphered copy of the data set. The INFILE or INDATASET parameter identifies and allocates the plaintext (not enciphered) source data set.

The REPRO DECIPHER parameter indicates that REPRO is to produce a deciphered copy of the data set. The OUTFILE or OUTDATASET parameter identifies and allocates a target data set to contain the plaintext data.

Figure 1 is a graphic representation of the input and output data sets involved in REPRO ENCIPHER and DECIPHER operations.
Figure 1. REPRO Encipher and Decipher Operations

When you encipher a data set, specify any of the delimiter parameters available with the REPRO command (SKIP, COUNT, FROMADDRESS, FROMKEY, FROMNUMBER, TOADDRESS, TOKEY, TONUMBER) that are appropriate to the data set being enciphered. However, you cannot specify delimiter parameters when deciphering a data set. If DECIPHER is specified together with any REPRO delimiter parameter, your REPRO command terminates with a message.
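The delimiter rule above can be checked before a job is submitted. The following Python sketch is an added example, not IBM code: it scans access method services control statements for REPRO commands that combine DECIPHER with a delimiter parameter. It assumes full keyword names (no abbreviations), continuation by a trailing hyphen, and constructed data set names, with key subparameters replaced by the placeholder `...`.

```python
import re

# Delimiter parameters named on the page. IDCAMS abbreviations are not handled.
DELIMITERS = set("SKIP COUNT FROMADDRESS FROMKEY FROMNUMBER "
                 "TOADDRESS TOKEY TONUMBER".split())

def split_commands(sysin):
    """Return one string per command, joining lines continued with a trailing '-'."""
    text = re.sub(r"/\*.*?\*/", " ", sysin, flags=re.S)  # drop /* ... */ comments
    joined = re.sub(r"-[ \t]*\n", " ", text)             # trailing '-' continues
    return [line.strip() for line in joined.splitlines() if line.strip()]

def top_level_keywords(command):
    """Keywords outside all parentheses, so text inside values is ignored.

    A data set name such as PROD.COUNT.DATA sits inside INDATASET(...) and
    must not be mistaken for the COUNT delimiter parameter.
    """
    depth, words = 0, []
    for tok in re.findall(r"[()]|'[^']*'|[^\s()']+", command):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(depth - 1, 0)
        elif depth == 0 and not tok.startswith("'"):
            words.append(tok.upper())
    return words

def check_repro(sysin):
    """Return (command number, delimiters) for each REPRO DECIPHER that uses one."""
    findings = []
    for number, cmd in enumerate(split_commands(sysin), start=1):
        words = top_level_keywords(cmd)
        used = sorted(DELIMITERS.intersection(words))
        if words[:1] == ["REPRO"] and "DECIPHER" in words and used:
            findings.append((number, used))
    return findings

# Constructed sample; key subparameters are replaced by the placeholder "...".
SAMPLE = """\
  /* constructed control statements */
  REPRO INDATASET(PROD.COUNT.DATA) OUTDATASET(OFFSITE.COUNT.ENC) -
        SKIP(100) ENCIPHER(...)
  REPRO INDATASET(OFFSITE.COUNT.ENC) OUTDATASET(PROD.COUNT.NEW) -
        COUNT(500) DECIPHER(...)
  REPRO INDATASET(OFFSITE.COUNT.ENC) OUTDATASET(PROD.COUNT.NEW) -
        REUSE DECIPHER(...)
"""

if __name__ == "__main__":
    for number, used in check_repro(SAMPLE):
        print(f"command {number}: DECIPHER specified with {', '.join(used)}")
```

Only the second command is reported: the first uses SKIP with ENCIPHER, which is allowed, and the third deciphers without any delimiter parameter.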

When the REPRO command copies and enciphers a data set, it precedes the enciphered data records with one or more records of clear header data. The header data preceding the enciphered data contains information necessary for the deciphering of the enciphered data, such as:
  • Number of header records
  • Number of records to be ciphered as a unit
  • Key verification data
  • Enciphered data encrypting keys

Tip: If the output data set for the encipher operation is a compressed format data set, little or no space is saved. Save space for the output if the input data set is in compressed format and is compressed.





Copyright IBM Corporation 1990, 2014