Add IFS Encryption Entry (ADDIFSENC)

The ADDIFSENC command allows authorized users to add a new entry into the IFS Encryption Registry.

The following users can use the ADDIFSENC command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer who has *YES specified for the “Maintain IFS Enc. Registry” authority setting

NOTE: The ADDIFSENC command only adds the IFS entry settings into the registry. It will not cause any action to be performed on the actual files in the directory(s). The IFS will not be activated for encryption until the ACTIFSENC (Activate IFS Encryption) command is executed.

This command requires that you have *CHANGE authority to the CRVL003 Validation List (*VLDL) object, which contains the IFS Encryption Registry.

How to Get There

From the IFS Encryption Menu, choose option 2. Or, prompt (F4) the command CRYPTO/ADDIFSENC.

Options

IFS identifier (IFSID)

Indicate the unique name of the entry up to 30 characters.

Rules for IFS identifier:

  • The IFS identifier does not have to be the same name as the directory or files to encrypt. It is simply used to identify this entry within the IFS Encryption Registry.
  • The IFS identifier cannot contain spaces or certain special characters.
  • The IFS identifier can contain underscore characters.
  • The IFS identifier is not case sensitive. It will be stored in upper case.

IFS directory to encrypt (SRCDIR)

Specify the path of the IFS directory containing the files to be encrypted.

The maximum size of the directory name is 256 bytes. The maximum size of any filename is 256 bytes.

For instance: '/HR/PayrollData'

Include subdirectories (INCSUBDIR)

Indicate if the files within the directory's subdirectories are to be encrypted.

The possible values are:

*YES Files within the subdirectories will also be encrypted.
*NO Files within the subdirectories will NOT be encrypted.

Encrypted files storage folder (TGTDIR)

Specify the path of the IFS directory to store the encrypted versions of the files.

If this directory does not exist, then it will be created.

If this is an existing directory, then it cannot contain existing files.

The maximum size of the directory name is 256 bytes.

The possible values are:

*DEFAULT The encrypted versions of the files will be stored under the '/CryptoDisk' directory using the same directory name as specified for the SRCDIR parameter. For instance: '/CryptoDisk/HR/PayrollData'

ifs-directory-name Specify the full path to the IFS directory name to store the encrypted versions of the IFS files. For instance: '/Encrypted/HR/PayrollData'

Encryption key label (ENCKEYLBL)

Indicate the label of the symmetric key to use for encrypting the IFS files within the directory.

Encryption key store name (ENCKEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key to use for encrypting the IFS files.

Users who write or change the IFS files will need at least *USE authority to this Key Store object.

The possible values are:

key-store-name Specify the name of the Key Store.
*DEFAULT Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name Enter the name of the library where the Key Store is located.
*LIBL Locate the Key Store within the library list.

Decryption key label (DECKEYLBL)

Indicate the label of the symmetric key to use for decrypting the IFS files.

The possible values are:

decryption-key-label Indicate the label of the key to use for decryption.
WARNING: If you specify a key label different from the label specified for encryption, then that decryption key should contain the same key value as the encryption key.

*ENCKEYLBL Use the same label as specified on the ENCKEYLBL parameter.

Decryption key store name (DECKEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key to use for decryption of the IFS files.

Users who open or read the IFS files will need at least *USE authority to this Key Store object.

The possible values are:

key-store-name Enter the name of the Key Store.
*ENCKEYSTR Use the same Key Store as specified on the ENCKEYSTR parameter.
*DEFAULT Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name Enter the name of the library where the Key Store is located.
*LIBL Locate the Key Store within the library list.

Authorization list for decryption (AUTLDEC)

Indicate the IBM i Authorization List that should be used to determine which users have authority to decrypt the IFS files.

The possible values are:

authorization-list-name Indicate the name of the Authorization List. An Authorization List can be created with the IBM i command CRTAUTL. The users (or user groups) which need access to the decrypted IFS files will need at least (*USE) authority to the Authorization List.

*NONE An Authorization List should not be used by the IFS decrypt operations. Therefore the user can gain access to the decrypted files as long as they have object authority to the IFS file and at least *USE authority to the Key Store which holds the Decryption Key.

Journal location (JRNLOC)

Indicate the location of the journal and related objects.

The possible values are:

*DEFAULT The location for all related objects will be in the CRYPTO library. Also the name of the journal will be CRJNI001. No further changes will need to be made.

*IASP The location of the objects will need to be entered into the CRCONFIG file located in the CRYPTO library and the objects will need to be copied into the IASP library designated.

The following objects will need to be copied into the IASP library:

  • CRPFIFS PHYSICAL FILE
  • CRPFIFSL1 LOGICAL FILE
  • CRPFIFSL2 LOGICAL FILE
  • CRPFIFSL3 LOGICAL FILE
  • CRPFIFSL4 LOGICAL FILE
  • CRPFIFS2 PHYSICAL FILE
  • CRVL003 VALIDATION LIST
  • CRJNI001 JOURNAL
  • CRJRI001 JOURNAL RECEIVER
  • CRLSTSEQ DATA AREA
  • CRVERSION DATA AREA

The following entries will need to be added into the CRCONFIG file:

  • IFS_IASP_CRPFIFS_LIBRARY
  • IFS_IASP_CRPFIFS2_LIBRARY
  • IFS_IASP_REGISTRY_LIBRARY
  • IFS_IASP_JOURNAL_LIBRARY
  • IFS_IASP_LAST_SEQ_DTAARA_LIBRARY
  • IFS_IASP_SERVER_RUN_DTAARA_LIBRARY

*LOC1 The location of the objects will need to be entered into the CRCONFIG file located in the CRYPTO library and the objects will need to be copied into the LOC1 library designated. The IFS Encryption Registry (CRVL003) will need to be in the CRYPTO library.

The following objects will need to be copied into the LOC1 library:

  • CRPFIFS PHYSICAL FILE
  • CRPFIFSL1 LOGICAL FILE
  • CRPFIFSL2 LOGICAL FILE
  • CRPFIFSL3 LOGICAL FILE
  • CRPFIFSL4 LOGICAL FILE
  • CRJNI001 JOURNAL
  • CRJRI001 JOURNAL RECEIVER
  • CRLSTSEQ DATA AREA
  • CRVERSION DATA AREA

The following entries will need to be added into the CRCONFIG file:

  • IFS_LOC1_CRPFIFS_LIBRARY
  • IFS_LOC1_REGISTRY_LIBRARY
  • IFS_LOC1_JOURNAL_LIBRARY
  • IFS_LOC1_LAST_SEQ_DTAARA_LIBRARY
  • IFS_LOC1_SERVER_RUN_DTAARA_LIBRARY

*LOC2 The location of the objects will need to be entered into the CRCONFIG file located in the CRYPTO library and the objects will need to be copied into the LOC2 library designated. The IFS Encryption Registry (CRVL003) will need to be in the CRYPTO library.

The following objects will need to be copied into the LOC2 library:

  • CRPFIFS PHYSICAL FILE
  • CRPFIFSL1 LOGICAL FILE
  • CRPFIFSL2 LOGICAL FILE
  • CRPFIFSL3 LOGICAL FILE
  • CRPFIFSL4 LOGICAL FILE
  • CRJNI001 JOURNAL
  • CRJRI001 JOURNAL RECEIVER
  • CRLSTSEQ DATA AREA
  • CRVERSION DATA AREA

The following entries will need to be added into the CRCONFIG file:

  • IFS_LOC2_CRPFIFS_LIBRARY
  • IFS_LOC2_REGISTRY_LIBRARY
  • IFS_LOC2_JOURNAL_LIBRARY
  • IFS_LOC2_LAST_SEQ_DTAARA_LIBRARY
  • IFS_LOC2_SERVER_RUN_DTAARA_LIBRARY

*LOC3 The location of the objects will need to be entered into the CRCONFIG file located in the CRYPTO library and the objects will need to be copied into the LOC3 library designated. The IFS Encryption Registry (CRVL003) will need to be in the CRYPTO library.

The following objects will need to be copied into the LOC3 library:

  • CRPFIFS PHYSICAL FILE
  • CRPFIFSL1 LOGICAL FILE
  • CRPFIFSL2 LOGICAL FILE
  • CRPFIFSL3 LOGICAL FILE
  • CRPFIFSL4 LOGICAL FILE
  • CRJNI001 JOURNAL
  • CRJRI001 JOURNAL RECEIVER
  • CRLSTSEQ DATA AREA
  • CRVERSION DATA AREA

The following entries will need to be added into the CRCONFIG file:

  • IFS_LOC3_CRPFIFS_LIBRARY
  • IFS_LOC3_REGISTRY_LIBRARY
  • IFS_LOC3_JOURNAL_LIBRARY
  • IFS_LOC3_LAST_SEQ_DTAARA_LIBRARY
  • IFS_LOC3_SERVER_RUN_DTAARA_LIBRARY

*LOC4 The location of the objects will need to be entered into the CRCONFIG file located in the CRYPTO library and the objects will need to be copied into the LOC4 library designated. The IFS Encryption Registry (CRVL003) will need to be in the CRYPTO library.

The following objects will need to be copied into the LOC4 library:

  • CRPFIFS PHYSICAL FILE
  • CRPFIFSL1 LOGICAL FILE
  • CRPFIFSL2 LOGICAL FILE
  • CRPFIFSL3 LOGICAL FILE
  • CRPFIFSL4 LOGICAL FILE
  • CRJNI001 JOURNAL
  • CRJRI001 JOURNAL RECEIVER
  • CRLSTSEQ DATA AREA
  • CRVERSION DATA AREA

The following entries will need to be added into the CRCONFIG file:

  • IFS_LOC4_CRPFIFS_LIBRARY
  • IFS_LOC4_REGISTRY_LIBRARY
  • IFS_LOC4_JOURNAL_LIBRARY
  • IFS_LOC4_LAST_SEQ_DTAARA_LIBRARY
  • IFS_LOC4_SERVER_RUN_DTAARA_LIBRARY

*LOC5 The location of the objects will need to be entered into the CRCONFIG file located in the CRYPTO library and the objects will need to be copied into the LOC5 library designated. The IFS Encryption Registry (CRVL003) will need to be in the CRYPTO library.

The following objects will need to be copied into the LOC5 library:

  • CRPFIFS PHYSICAL FILE
  • CRPFIFSL1 LOGICAL FILE
  • CRPFIFSL2 LOGICAL FILE
  • CRPFIFSL3 LOGICAL FILE
  • CRPFIFSL4 LOGICAL FILE
  • CRJNI001 JOURNAL
  • CRJRI001 JOURNAL RECEIVER
  • CRLSTSEQ DATA AREA
  • CRVERSION DATA AREA

The following entries will need to be added into the CRCONFIG file:

  • IFS_LOC5_CRPFIFS_LIBRARY
  • IFS_LOC5_REGISTRY_LIBRARY
  • IFS_LOC5_JOURNAL_LIBRARY
  • IFS_LOC5_LAST_SEQ_DTAARA_LIBRARY
  • IFS_LOC5_SERVER_RUN_DTAARA_LIBRARY
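
Example

The following CL sketch is an added example, not taken from the product documentation. It combines the parameters described above into one registry entry whose decryption is restricted through an Authorization List. The names PAYROLLDEC, HRPAYGRP, HR_PAYROLL, PAYROLL_KEY and KEYLIB/PAYKEYSTR are constructed placeholders; the key label and Key Store must already exist on your system.

```cl
PGM
  /* Constructed placeholder names: PAYROLLDEC (authorization list),    */
  /* HRPAYGRP (group profile), PAYROLL_KEY (key label) and              */
  /* KEYLIB/PAYKEYSTR (Key Store). Replace them with your own objects.  */

  /* Create the Authorization List named on AUTLDEC. *PUBLIC is         */
  /* excluded so that only explicitly listed users can decrypt.         */
  CRTAUTL    AUTL(PAYROLLDEC) AUT(*EXCLUDE) +
               TEXT('Users allowed to decrypt HR payroll IFS files')

  /* Users or groups that need the decrypted files need at least *USE   */
  /* authority to the Authorization List.                               */
  ADDAUTLE   AUTL(PAYROLLDEC) USER(HRPAYGRP) AUT(*USE)

  /* Add the registry entry. The job running this command needs         */
  /* *CHANGE authority to the CRVL003 validation list.                  */
  /* TGTDIR(*DEFAULT) stores the encrypted versions under               */
  /* '/CryptoDisk/HR/PayrollData'.                                      */
  CRYPTO/ADDIFSENC IFSID(HR_PAYROLL) +
               SRCDIR('/HR/PayrollData') +
               INCSUBDIR(*YES) +
               TGTDIR(*DEFAULT) +
               ENCKEYLBL(PAYROLL_KEY) +
               ENCKEYSTR(KEYLIB/PAYKEYSTR) +
               DECKEYLBL(*ENCKEYLBL) +
               DECKEYSTR(*ENCKEYSTR) +
               AUTLDEC(PAYROLLDEC) +
               JRNLOC(*DEFAULT)

  /* Nothing is encrypted at this point: the entry exists only in the   */
  /* registry until ACTIFSENC (Activate IFS Encryption) is executed.    */
ENDPGM
```

With AUTLDEC(*NONE) instead, any user with object authority to the IFS file and *USE authority to the decryption Key Store could read the decrypted data, so the Authorization List is what narrows decryption to HRPAYGRP here.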