Changing the Datacom encryption key

Article ID: 385329


Products

Datacom: DATACOM - AD, Datacom/AD, Datacom/DB

Issue/Introduction

Tables are encrypted with Datacom basic data encryption.
Is it possible to change the Datacom encryption key, or to delete the existing key and create a new one?

Environment

Release: 15.1

Resolution

The basic encryption key is set by the DBUTLTY ENCRYPT function:

ENCRYPT OPTION=SET_BASIC_KEY_1,OPTION2=*,OPTION4=*

Specifying * for OPTION2 and OPTION4 makes Datacom generate a random encryption key value.
The current encryption key value can be displayed by running DBUTLTY with:

REPORT AREA=CXX,TYPE=K

The encryption key is stored in the CXX, and it is then used to encrypt the tables whose table definitions specify encryption.
The keys you specify are "handles" of the actual encryption key that is used.
If AES256 is in use, a 256-bit encryption key is generated from the handle key you specify.

Datacom basic encryption only supports one encryption key in the CXX.

To change the encryption key perform the following:

  1. Run a DBUTLTY BACKUP of all encrypted tables. The BACKUP output contains the data in decrypted form, so make sure that this function and its output are protected.

  2. Delete the existing basic encryption key from the CXX and add a new one by running the DBUTLTY ENCRYPT function.

  3. Run a DBUTLTY LOAD to reload all the tables, encrypting them with the new key.

Note that DBUTLTY needs to be APF-authorized when working with encrypted tables.

The article "Enabling ENCRYPTION for Datacom Databases" explains the process of enabling encryption.

For encryption, we recommend converting to VSAM linear data sets instead of EXCP so that you can use IBM Pervasive Encryption.

Additional Information