>>-+------------------------------------------------+----------><
   |             .---ENCRYPT ( CLRAES128 )--------. |   
   '-RSA(label)--+--------------------------------+-'   
                 '---ENCRYPT----(--+-CLRTDES-+--)-'     
                                   '-ENCTDES-'          

RSA

The RSA keyword allows you to specify the label of an existing RSA public key that is present in the ICSF PKDS. The RSA public key is used to encrypt a randomly generated data key, so that the encrypted data key can be stored on the output medium.

ICSF only allows labels for RSA keys to be up to 64 characters long. The first character must be alphabetic or a national character (#, $, @). The remaining characters may be alphabetic, numeric, national, or a period.

Note:

1. You can also specify the label of an RSA public/private key pair. ICSF uses the public key when encrypting the data key.
2. The RSA keyword cannot be specified with the KEYPASSWORD keyword.
3. When using ENCTDES, or running on z800/z900 hardware, ensure that the RSA key is an internal key. Under these scenarios, an external RSA key will not be accepted by ICSF during the restore of the data.

ENCRYPT

The ENCRYPT keyword allows you to specify the type of encryption key and the type of encryption that DFSMSdss performs on the dumped data. You can specify one of the following options. If you do not specify the ENCRYPT keyword, CLRAES128 is the default. If you specify ENCRYPT with the RSA keyword, the data key is randomly generated for each DUMP command.

• CLRTDES - This option specifies that the dumped data is encrypted with a clear triple-length DES key.
• CLRAES128 - This option specifies that the dumped data is encrypted with a clear 128-bit AES key
• ENCTDES - This option specifies that the dumped data is encrypted with a secure triple-length DES key.