Db2 11 for z/OS support for z/OS data set encryption

By Jim Pickel, Gayathiri Chandran, and Judy Tobias

Customers have been telling us that they lack adequate safeguards to protect data in Db2 for z/OS from viewing by unauthorized internal personnel. In Db2 11 for z/OS, we address that problem by introducing enhancements that provide a simple, transparent, and consumable approach to enabling pervasive encryption of data at rest. This same function is also available as a base release enhancement to Db2 12 for z/OS.

You can enable this solution without application outages. Using this solution can significantly reduce the people and hardware costs associated with protecting data and achieving compliance mandates.

The Db2 11 implementation requires no changes to your Db2 subsystems. To implement the new encryption features, your security or storage administrator enables z/OS DFSMS data set encryption on your Db2 11 data sets. z/OS DFSMS data set encryption is a new hardware and software solution that is introduced in z/OS V2R3, and is also available through z/OS V2R2 APARs.

DFSMS data set encryption uses a key label to encrypt and decrypt the data. The key label is a string from 1 to 64 bytes that identifies a protected data key in the ICSF key repository.


You can protect all your Db2 system-managed and user-managed objects with DFSMS data set encryption:

  • Active logs, and archive logs on DASD
  • Catalog and directory, and indexes on the catalog
  • User table spaces and indexes
  • Most utility data sets, including temporary work files, data files for loading and unloading, and image copy data sets


After the data sets are encrypted, you can perform SQL and run utilities with confidence that your data is protected.


Related information

DFSMS data set encryption enhancements for z/OS V2R3

Encrypting your data with z/OS DFSMS data set encryption (Db2 11)

Encrypting your data with z/OS DFSMS data set encryption (Db2 12 base release)

E-mail me when people leave their comments –

You need to be a member of WorldofDb2 to add comments!

Join WorldofDb2


  • Both approaches provide protection but at different layers of the stack.

    • Disk Encryption protects the data when the disk is removed from the host.  Once the disk is removed the data is unreadable
    • Data Set encryption protects the data from administrators who have access to the data sets but since the data is encrypted, they are not able to read the data records.  
  • All of our data at rest is encrypted by the dasd hardware.  This method of encryption sounds useful if you don't want everything encrypted. Would the performance hit be similar to hardware encryption?

This reply was deleted.