Db2 11 for z/OS support for z/OS data set encryption

By Jim Pickel, Gayathiri Chandran, and Judy Tobias

Customers have been telling us that they lack adequate safeguards to protect data in Db2 for z/OS from viewing by unauthorized internal personnel. In Db2 11 for z/OS, we address that problem by introducing enhancements that provide a simple, transparent, and consumable approach to enabling pervasive encryption of data at rest. This same function is also available as a base release enhancement to Db2 12 for z/OS.

You can enable this solution without application outages. Using this solution can significantly reduce the people and hardware costs associated with protecting data and meeting compliance mandates.

The Db2 11 implementation requires no changes to your Db2 subsystems. To implement the new encryption features, your security or storage administrator enables z/OS DFSMS data set encryption on your Db2 11 data sets. z/OS DFSMS data set encryption is a new hardware and software solution that is introduced in z/OS V2R3, and is also available through z/OS V2R2 APARs.

DFSMS data set encryption uses a key label to encrypt and decrypt the data. The key label is a string from 1 to 64 bytes that identifies a protected data key in the ICSF key repository.


You can protect all your Db2 system-managed and user-managed objects with DFSMS data set encryption:

  • Active logs, and archive logs on DASD
  • Catalog and directory, and indexes on the catalog
  • User table spaces and indexes
  • Most utility data sets, including temporary work files, data files for loading and unloading, and image copy data sets


After the data sets are encrypted, you can perform SQL and run utilities with confidence that your data is protected.


Related information

DFSMS data set encryption enhancements for z/OS V2R3

Encrypting your data with z/OS DFSMS data set encryption (Db2 11)

Encrypting your data with z/OS DFSMS data set encryption (Db2 12 base release)


Comment by Jim Pickel on November 16, 2017 at 20:15

Both approaches provide protection but at different layers of the stack.

  • Disk Encryption protects the data when the disk is removed from the host. Once the disk is removed, the data is unreadable.
  • Data Set encryption protects the data from administrators who have access to the data sets but since the data is encrypted, they are not able to read the data records.

Comment by William Shipley on November 16, 2017 at 19:29

All of our data at rest is encrypted by the DASD hardware. This method of encryption sounds useful if you don't want everything encrypted. Would the performance hit be similar to hardware encryption?
