The keys stored in the TKDS are not encrypted. Therefore, it is recommended that you RACF-protect data set access to the TKDS. (This is in addition to the RACF protection of the individual tokens via the CRYPTOZ class.) This will provide additional security for your installation.