Modernization Hub

DEK - Data Encryption Key

Enhanced Definition

A Data Encryption Key (DEK) is a symmetric cryptographic key used to directly encrypt and decrypt application data (the payload) on IBM z/OS systems. Unlike Key Encrypting Keys (KEKs), which protect other keys, the DEK's role is the direct protection of sensitive information stored in files and databases or transmitted across networks. It is the "working key" that performs the actual cryptographic transformation of sensitive information, whether at rest or in transit. DEKs are typically managed and protected by higher-level KEKs and the Integrated Cryptographic Service Facility (ICSF).

Key Characteristics

    • Symmetric Key: The same DEK is used for both the encryption and decryption processes, requiring secure distribution and management.
    • Data-Specific: DEKs are designed to encrypt the raw data itself, such as records in a VSAM file, columns in a DB2 table, or application-specific data fields.
    • Often Encrypted by KEKs: For secure storage and transmission, DEKs are typically encrypted by a stronger Key Encrypting Key (KEK) when managed by ICSF (Integrated Cryptographic Service Facility).
    • Hardware-Assisted Operations: On z/OS, the actual encryption and decryption operations using DEKs are frequently offloaded to specialized cryptographic hardware, such as Crypto Express adapters, for enhanced performance and security.
    • Variable Lifetime: DEKs can have varying lifespans, from short-lived session keys to longer-lived keys associated with specific files, datasets, or database tables.
    • Algorithm Agnostic: While the DEK itself is just a key, it's used with symmetric algorithms like AES (Advanced Encryption Standard) with common key lengths (e.g., 128-bit, 256-bit).

Use Cases

    • Database Column/Table Encryption: Encrypting sensitive data within DB2 or IMS databases, where specific columns or entire tables are protected using a DEK.
    • Dataset Encryption: Protecting sensitive sequential files, VSAM datasets, or GDGs (Generation Data Groups) stored on DASD or tape, often as part of a Data at Rest Encryption (DARE) strategy.
    • Application-Level Encryption: COBOL or PL/I applications leveraging ICSF APIs to generate and use DEKs for encrypting specific data fields before storing them or transmitting them over unsecured channels.
    • Secure Data Exchange: Encrypting data payloads before transmission to other systems or applications, ensuring confidentiality during transit.
    • Tape Encryption: Used in conjunction with tape management systems to encrypt data written to physical or virtual tape volumes.

Related Concepts

DEKs are a fundamental component of the z/OS cryptographic ecosystem, working closely with ICSF, which provides the framework for key management and cryptographic services. They are typically protected by KEKs (Key Encrypting Keys) when stored in key repositories like the CKDS (Cryptographic Key Dataset) or PKDS (Public Key Dataset), ensuring the confidentiality of the DEK itself. The actual cryptographic operations involving DEKs are often performed by Crypto Express hardware adapters, which are managed by ICSF, providing a secure and high-performance environment for data protection.

Best Practices

    • Leverage ICSF: Always use ICSF for DEK generation, management, and cryptographic operations to benefit from hardware-assisted security and performance features.
    • Protect DEKs with KEKs: Never store DEKs in the clear. Ensure they are encrypted by strong KEKs when stored in CKDS, PKDS, or any other key repository.
    • Regular Key Rotation: Implement a robust key rotation policy for DEKs to limit the amount of data encrypted by a single key, thereby reducing the impact of a potential key compromise.
    • Strict Access Control: Enforce stringent RACF (Resource Access Control Facility) or equivalent security controls over who can generate, access, or use DEKs and the ICSF services that manage them.
    • Utilize Hardware Cryptography: Configure applications and ICSF to utilize Crypto Express adapters for all DEK-based encryption and decryption to maximize security, performance, and compliance.
