Questions on change of encryption algorithm

Document ID : KB000045225
Last Modified Date : 14/02/2018

Question: 

1.  How to change the encryption algorithm for CA Tape Encryption from AES128 to AES256?

2.  After the change is complete, will the tapes with the encryption algorithm AES128 be readable?

3.  Are there any other considerations? 


Answer: 

1. Define the new AES256 keys in BESPARMS, then issue ‘BESn REFRESH=SYMKEYS’ to activate them. The BESn task does not need to be restarted.

2. Existing tapes written with the old AES128 keys remain decryptable, even after the AES128 key definitions are deactivated in BESPARMS. Only once every tape that used an AES128 key has expired or returned to scratch does that key become eligible (‘marked’) for deletion from the BES DB. Even then deletion is not automatic: there is a 30-day window before the key is marked, and a marked key is only permanently removed when you run a maintenance job such as BESKMNTT. Do not delete an AES128 key while any tape encrypted under it is still needed, since those tapes cannot be read without it.

3. If you want to complete the migration to AES256 so that AES128 is no longer used for any tape, you will have to re-write the existing AES128 tapes under the new key: 

a. Copy each old tape to a new one. The read side is decrypted with the AES128 key and the write side is encrypted with the now-active AES256 key. For best performance, a DFSORT COPY is recommended. 

b. If you have Copycat, copying the data with it drives the same decrypt-and-re-encrypt processing and is equally valid.
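As an added illustration of step 3a, not taken from the original article or from CA's own documentation, here is a minimal DFSORT COPY job that reads a data set from an AES128-era tape and writes it to a new tape. With CA Tape Encryption active, the input is decrypted on read and the output is encrypted under the key activated by ‘BESn REFRESH=SYMKEYS’, as the answer above describes; which data sets are selected for encryption is governed by the installation's BESPARMS policy, which this article does not show. The job name, data set names, volume serial and the UNIT=TAPE esoteric name are placeholders to be replaced with site values; the SORTIN, SORTOUT and SYSIN DD names and the OPTION COPY statement are standard DFSORT.

```jcl
//RECOPY   JOB (ACCT),'AES256 RE-ENCRYPT',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not from the original article.
//* Copy one data set from an AES128-era tape to a new tape with a
//* DFSORT COPY. BTE decrypts the input on read and encrypts the
//* output under the currently active (AES256) key.
//* DSNs, VOL=SER and UNIT=TAPE are placeholders for site values.
//COPY     EXEC PGM=SORT
//SYSOUT   DD SYSOUT=*
//* Input: the existing tape, still decryptable under the old key
//SORTIN   DD DSN=PROD.BACKUP.WEEKLY.OLD,DISP=OLD,
//            UNIT=TAPE,VOL=SER=OLD001,LABEL=(1,SL)
//* Output: a new tape data set, written under the active AES256 key.
//* DCB=*.SORTIN copies RECFM/LRECL/BLKSIZE from the input.
//SORTOUT  DD DSN=PROD.BACKUP.WEEKLY.NEW,DISP=(NEW,CATLG,DELETE),
//            UNIT=TAPE,LABEL=(1,SL),DCB=*.SORTIN
//SYSIN    DD *
  OPTION COPY
/*
//
```

Run one such step per tape data set (or generate the JCL from your tape inventory). Once the new copy has been verified, let the old data set expire or return it to scratch; as described in answer 2, the AES128 key only becomes eligible for removal after all tapes referencing it have done so, and it is still only deleted when you run the maintenance job.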

Additional Information:

- See the CA Tape Encryption Wiki/Product Documentation for details on coding the parmlib members and using the BTE utilities.

 As always, please contact CA Technologies support for CA Tape Encryption if you have further questions.