AESENC—Select the AES Encryption Key

Valid on z/OS.
Use the AESENC control option to determine which AES encryption algorithm (128-bit or 256-bit) to use for encrypting user passwords and password phrases.
  • The AES algorithm is more secure than DES but, by design, is more computationally intensive. Carefully review the planning considerations before enabling this control option.
  • Published PTF SO05264 added an internal password/passphrase cache that might alleviate performance issues when using 256-bit AES encryption with passwords. Enabling the AESCACHE control option activates AES caching for system entry validation (logon), password verification, and password/passphrase changes.
If you activate AESENC(256), passwords that have already been encrypted through AESENC(128) continue to be evaluated through 128-bit AES encryption. When a password is changed, the current setting for AESENC is active from that point forward.
This control option uses the parameter file entry method. The control option has the following format:
AESENC(NONE|128|256)
  • NONE
    Indicates that the security file is not formatted for use with AES encryption.
  • 128
    Uses the 128-bit AES key size algorithm.
  • 256
    Uses the 256-bit AES key size algorithm.