Pervasive Encryption with IDMS

This article describes how to use pervasive encryption for database and other files.
Pervasive encryption supports data set encryption for access methods VSAM, QSAM, and BSAM. To encrypt IDMS databases, VSAM must be used as an access method. To change access methods from EXCP to VSAM, see Changing the Access Method of a File.
When defining the VSAM cluster for encryption, the following items must be specified:
  • A data class that specifies Extended Format, but does not specify Extended Addressing.
  • A storage class that supports extended format.
  • A data set key label in the data class definition, the RACF data set profile, or the define cluster command.
  • Appropriate security must be defined for the key label and other IBM constructs. For information about activating data set encryption, see the appropriate IBM documentation.
Converting to VSAM Encrypted files
  1. Define the database files as VSAM in the DMCL.
  2. Modify the CV and batch JCL that reference the database files to reference the VSAM files.
  3. Copy pages from the old file to the new, or format the file and load it.
    Data blocks are encrypted when writing to the file and decrypted when reading the file.
Backup and Restore Functions
The IBM utility ADRDSSU should be considered for backup and restore functions. Its DUMP, COPY, and RESTORE functions bypass decryption and process the data in its encrypted form. Files that are read by the IDMS backup utility are decrypted when read, and the backup files it writes are not encrypted unless they are also defined as encrypted.
Encrypting a Database File
When encrypting a database file, the following database files should also be considered:
  • Disk journal files
  • DC Queue area
  • Scratch area if not in memory
  • Dictionaries
  • Log File
The following sequential files that are used by utility and report programs should also be considered, if they may contain confidential information.  Sequential files using QSAM can be encrypted using the JCL DSKEYLBL parameter.  See IBM documentation for more requirements.
  • Archive journal files
  • Extract, Merge, and Fix Journal files
  • Backup files
  • REORG, Unload/Reload, Maintain Index work files
  • LOAD/BUILD/VALIDATE work files
  • Convert Page / Expand page output files
  • DB Tools work and output files
  • Culprit work files
  • Batch OLQ work files
  • Sort work files
  • Any output file which might contain confidential data
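
The following JCL fragment is an added example, not taken from the IDMS or IBM documentation. It shows a sequential backup output file allocated without encryption and the same allocation with a key label supplied through DSKEYLBL. The DD name, data set name, key label, and space values are hypothetical. The request for extended format is an assumption that mirrors the requirement stated above for VSAM clusters, and the data set is assumed to be SMS-managed.

```jcl
//* Added example. All names and values below are hypothetical.
//*
//* Before: the backup output is written in the clear. IDMS decrypts
//* database pages as it reads them, so this file holds plaintext
//* even when the source database file is encrypted.
//*
//*BACKUP  DD DSN=IDMS.PROD.BACKUP.D001,DISP=(NEW,CATLG,DELETE),
//*           UNIT=SYSDA,SPACE=(CYL,(500,100),RLSE)
//*
//* After: extended format is requested (assumption, see lead-in)
//* and a key label is supplied, so the access method encrypts each
//* block as it is written. The job's user ID must be permitted to
//* the key label as described in the IBM documentation.
//*
//BACKUP   DD DSN=IDMS.PROD.BACKUP.D001,DISP=(NEW,CATLG,DELETE),
//            DSNTYPE=EXTREQ,
//            DSKEYLBL='IDMS.PROD.BACKUP.KEY01',
//            UNIT=SYSDA,SPACE=(CYL,(500,100),RLSE)
```

If the key label is instead assigned by the data class or the RACF data set profile, DSKEYLBL can be omitted from the DD statement.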