Db2 11 for z/OS support for z/OS data set encryption

By Jim Pickel, Gayathiri Chandran, and Judy Tobias

Customers have been telling us that they lack adequate safeguards to protect data in Db2 for z/OS from viewing by unauthorized internal personnel. In Db2 11 for z/OS, we address that problem by introducing enhancements that provide a simple, transparent, and consumable approach to enabling pervasive encryption of data at rest. This same function is also available as a base release enhancement to Db2 12 for z/OS.

You can enable this solution without application outages. Using this solution can significantly reduce the people and hardware costs associated with protecting data and achieving compliance mandates.

The Db2 11 implementation requires no changes to your Db2 subsystems. To implement the new encryption features, your security or storage administrator enables z/OS DFSMS data set encryption on your Db2 11 data sets. z/OS DFSMS data set encryption is a new hardware and software solution that is introduced in z/OS V2R3, and is also available through z/OS V2R2 APARs.

DFSMS data set encryption uses a key label to encrypt and decrypt the data. The key label is a string from 1 to 64 bytes that identifies a protected data key in the ICSF key repository.


You can protect all your Db2 system-managed and user-managed objects with DFSMS data set encryption:

  • Active logs, and archive logs on DASD
  • Catalog and directory, and indexes on the catalog
  • User table spaces and indexes
  • Most utility data sets, including temporary work files, data files for loading and unloading, and image copy data sets


After the data sets are encrypted, you can perform SQL and run utilities with confidence that your data is protected.


Related information

DFSMS data set encryption enhancements for z/OS V2R3

Encrypting your data with z/OS DFSMS data set encryption (Db2 11)

Encrypting your data with z/OS DFSMS data set encryption (Db2 12 base release)

Views: 775

Add a Comment

You need to be a member of The World of DB2 to add comments!

Join The World of DB2

Comment by Jim Pickel on November 16, 2017 at 20:15

Both approaches provide protection but at different layers of the stack.

  • Disk Encryption protects the data when the disk is removed from the host.  Once the disk is removed the data is unreadable
  • Data Set encryption protects the data from administrators who have access to the data sets but since the data is encrypted, they are not able to read the data records.  
Comment by William Shipley on November 16, 2017 at 19:29

All of our data at rest is encrypted by the dasd hardware.  This method of encryption sounds useful if you don't want everything encrypted. Would the performance hit be similar to hardware encryption?

Bringing Db2 enthusiasts together virtually. Expert or novice, distributed or mainframe, this is the place for everything DB2.


Creating a function in DB2

Started by Jacob Ruchotzke in What's hot ? Jun 18. 0 Replies

With the help of our IT guy i have sort of gotten an example of how to create a function in our system. Can anyone help me with this? Please see the attached SQL file.Thanks in advanceContinue

Tags: function

Conversion of BLOB to String/ Text

Started by Jitesh Audichya in Application Development and DB2. Last reply by Jitesh Audichya Apr 24. 2 Replies

Hi All,Problem Statement:I have a field with BLOB data type in DB2 database, I want to extract this blob and convert it to Text. The text data after the conversion will be in Japanese characters. How can I write a select with the conversion from…Continue

Tags: on, DB2, conversion, text, to

© 2020   Created by Surekha Parekh.   Powered by

Badges  |  Report an Issue  |  Terms of Service