z/OS DFSMS Using Data Sets


Secondary Key-Encrypting Keys

SC23-6855-00

When you want to decipher the data, you must supply the data encrypting key that enciphered the data. However, as a security precaution, you might want to supply the data encrypting key in a disguised form. When enciphering the data set, supply the name of a key-encrypting key. The REPRO command uses the key-encrypting keys indicated by the supplied name to disguise the data encrypting key. When deciphering the data set, supply the name of the file key and the disguised data encrypting key rather than the plaintext data encrypting key. In this way, the actual plaintext data encrypting key is not revealed.

You can use the Programmed Cryptographic Facility or ICSF to install the secondary key-encrypting keys. If you are using the Programmed Cryptographic Facility, use the Programmed Cryptographic Facility key generator utility to set up the key pairs.

If you are using ICSF, use the Key Generation Utility Program (KGUP) to set up the key pairs on both the encrypting and decrypting systems.

The key generator utility generates the key-encrypting keys you request and stores the keys, in enciphered form, in the cryptographic key data set (CKDS). It lists the external name of each secondary key and the plaintext form of the secondary key. If the secondary encrypting key is to be used on a system other than the system on which the keys were generated, the utility must also be run on the other system to define the same plaintext key-encrypting keys. The plaintext key-encrypting keys can be defined in the CKDS of the other system with different key names. If you want to manage your own private keys, no key-encrypting keys are used to encipher the data encrypting key; it is your responsibility to ensure the secure nature of your private data encrypting key.
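
The flow described above, as an added example that is not part of the IBM text: one IDCAMS job enciphers a data set under a named key-encrypting key, and a second job on another system deciphers it by key name, so the plaintext data encrypting key never appears in either job. The job names, accounting field, data set names, and the key names KEKSYSA and KEKSYSB are constructed for illustration, and the example assumes the same plaintext key-encrypting key has already been defined in both CKDSs under those two names and that the output data sets are preallocated.

```jcl
//ENCJOB   JOB (ACCT),'REPRO ENCIPHER'
//* SYSTEM A: ENCIPHER. ALL NAMES HERE ARE CONSTRUCTED EXAMPLES.
//STEP1    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//CLEAR    DD DSN=EXAMPLE.PAYROLL.CLEAR,DISP=SHR
//CRYPT    DD DSN=EXAMPLE.PAYROLL.CRYPT,DISP=OLD
//SYSIN    DD *
  /* KEKSYSA NAMES THE SECONDARY KEY-ENCRYPTING KEY USED TO      */
  /* DISGUISE THE DATA ENCRYPTING KEY. STOREDATAKEY KEEPS THE    */
  /* DISGUISED KEY IN THE HEADER OF THE ENCIPHERED DATA SET.     */
  REPRO -
    INFILE(CLEAR) -
    OUTFILE(CRYPT) -
    ENCIPHER -
      (EXTERNALKEYNAME(KEKSYSA) -
       STOREDATAKEY)
/*
//DECJOB   JOB (ACCT),'REPRO DECIPHER'
//* SYSTEM B: DECIPHER. SAME PLAINTEXT KEK, DIFFERENT CKDS NAME.
//STEP1    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//CRYPT    DD DSN=EXAMPLE.PAYROLL.CRYPT,DISP=SHR
//CLEAR    DD DSN=EXAMPLE.PAYROLL.RESTORED,DISP=OLD
//SYSIN    DD *
  /* SYSTEMKEYNAME GIVES THE NAME THE KEY-ENCRYPTING KEY HAS ON  */
  /* THIS SYSTEM. THE DISGUISED DATA ENCRYPTING KEY IS READ FROM */
  /* THE HEADER; IF IT HAD NOT BEEN STORED THERE, IT WOULD BE    */
  /* SUPPLIED WITH SYSTEMDATAKEY(VALUE).                         */
  REPRO -
    INFILE(CRYPT) -
    OUTFILE(CLEAR) -
    DECIPHER -
      (SYSTEMKEY -
       SYSTEMKEYNAME(KEKSYSB))
/*
```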

Related reading: For more information on setting up keys with KGUP, see z/OS Cryptographic Services ICSF Administrator's Guide.





Copyright IBM Corporation 1990, 2014