Volume 2, Number 7 -- February 21, 2006

PGP Goes 'Green' with New Encryption Solution for iSeries and zSeries

Published: February 21, 2006

by Alex Woodie

Hardcore iSeries and zSeries admins who eschew the trend toward GUI-ization may want to check out the new greenscreen security tool announced by PGP last week. In the next month or so, PGP says it will roll out a version of PGP Command Line that supports IBM's midrange and mainframe servers, that will integrate well with these servers' batch processes and scripting environments, and--perhaps most importantly--will increase the security of backups.

PGP, which stands for Pretty Good Privacy, is an open-source program developed by Phil Zimmermann in 1991 as a way for users to encrypt and decrypt messages and files in the early days of the Internet. It was originally used most often for securing e-mail messages, but, as a result of its widespread adoption as an open-source program, it since has found its way into many aspects of IT besides e-mail.

As one of the first successful encryption programs to be distributed as open-source, PGP and Zimmermann became ensnared in controversy, including allegations by the U.S. Government that giving PGP to foreigners constituted export of munitions without a license, according to the Wikipedia entry on PGP. The various criminal and civil lawsuits ended in 1996, and in 1997, Zimmermann and his colleagues sold their company, PGP Inc., to Network Associates Inc. (NAI).

In 2002, a group of ex-PGP Inc. members and PGP developers re-acquired the rights to the PGP assets from NAI, which has since gone back to using its maiden name, McAfee, and formed a new company called PGP Corp. While this deal gave PGP Corp. the rights to almost all PGP products, NAI retained all rights to the command line version of the product, which McAfee continues to sell and support today as the McAfee E-Business Server. (For what it's worth, McAfee's E-Business Server supports only Windows, Unix, Linux, and OS/390; it doesn't support OS/400).

PGP Corp. was restricted until January 2004 from developing a command line version of PGP, and at that time the company started work on PGP Command Line, which has been available for Windows, Unix, Linux, and Mac operating systems for some time.

With version 9.0 of the product, which the company announced last week at the RSA Security conference in San Jose, the company is introducing a variant that supports OS/400, z/OS, and Linux on iSeries and zSeries servers, which it's calling PGP Command Line for Mainframes. (PGP, like others in the industry, has taken to calling the OS/400 server a "mainframe," which, while technically and historically inaccurate, is a handy way of referring to IBM's proprietary class of scalable, stable, and secure business systems. The meanings and usages of words are dynamic, and IT Jungle, like IBM, is powerless to stop it.)

PGP Command Line for Mainframes

PGP says the iSeries and zSeries version of PGP Command Line will become available during the first quarter, and will deliver a way for users to incorporate PGP's encryption routines directly into production applications, without requiring programming. The software is compatible with various encryption algorithms, including 3DES, AES, and many others, and will generate encrypted documents that can be opened with any PGP or OpenPGP-compatible program running on practically any other operating system.

With the mainframe version of PGP Command Line 9.0, PGP integrated the software with the tried and true operational processes that are in widespread use on these systems. In short, this means PGP Command Line for Mainframes works with the iSeries' Control Language (CL) and the mainframe's Job Control Language (JCL). These scripting environments are highly tailored to their particular environments, and PGP is smart to build an encryption solution that leverages the knowledge that operators and administrators already have for CL and JCL, instead of making them learn how to use a new application. No programming is required to use PGP Command Line; if users want to build PGP into their products, there are plenty of tools available to do that.

Files encrypted with PGP Command Line can be opened on other platforms by way of Self-Decrypting Archives (SDAs), which are compressed and encrypted archives packaged as executables that only require passphrases to be decrypted. PGP Command Line creates SDAs that are compatible with Windows 2000/XP/Server 2003, HP-UX 11i (but only on PA-RISC chips), AIX 5.2, Red Hat Enterprise Linux 3.0 (but X86 only), Solaris 8 (but only on SPARC chips), and Mac OS X 10.3. The company offers its PGP Universal Encryption Platform to organizations looking for a way to encrypt e-mail generated on workstations and PCs. Because PGP is an accepted standard, documents encrypted with PGP Command Line can be decrypted and opened with any OpenPGP-compatible product, including those from PGP Corp., McAfee, GNU/FSF (i.e., GPG), Hushmail, Veridis, Articsoft, and Forum, according to the Wiki.

Fighting Data Loss

Protecting backups is expected to be one of the most common jobs PGP Command Line is called upon to do. With the array of new laws for fighting identity theft, not to mention existing laws mandating good security business practices such as HIPAA and SOX, IT organizations should begin to realize that customers are not putting up with the sloppy handling of their personal data.

And IT organizations have been very sloppy with this volatile data. In the last 12 months, more than 52 million individuals in the U.S. have had their personal information compromised by lapses in security such as network breaches or lost backup tapes, according to the Privacy Rights Clearinghouse, a non-profit San Diego-based group dedicated to raising awareness about how technology can compromise people's identities.

"Enterprises entrust their most critical and sensitive applications to mainframe platforms," said Steven Schoenfeld, PGP's vice president of products and strategy. "With PGP Command Line for mainframes, businesses now have the flexibility to address security needs with PGP encryption throughout their organization--no matter where the data originates or where it is stored."

More Features and Shipping Timeline

PGP is building another cool feature into PGP Command Line, something it calls Additional Decryption Key (ADK). With ADK, each time a message is encrypted to a key, that message is also encrypted to the ADK. In the event a key is lost or unavailable, organizations can use the ADK to decrypt the message and recover the encrypted data, thus reducing the likelihood of important data loss, PGP says.
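The ADK behavior described above can be sketched as follows. This is an added example, not PGP's code: it uses a toy ElGamal-style key wrap built from the Python standard library rather than OpenPGP's packet format or algorithms, and the function names, the "ADK" label and the modulus are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy ElGamal-style key wrap built from the standard library only. It shows the
# message layout, not OpenPGP's wire format, and is not production cryptography.
P = 2**521 - 1          # Mersenne prime used as the modulus (constructed choice)
G = 3

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream, XORed over the data.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_kdf(key, i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(session_key: bytes, pub: int):
    # Fresh ephemeral exponent per recipient; the shared secret hides the session key.
    eph = secrets.randbelow(P - 3) + 2
    shared = pow(pub, eph, P).to_bytes(66, "big")
    return pow(G, eph, P), _xor_stream(_kdf(shared, b"wrap"), session_key)

def unwrap(priv: int, packet) -> bytes:
    eph_pub, wrapped = packet
    shared = pow(eph_pub, priv, P).to_bytes(66, "big")
    return _xor_stream(_kdf(shared, b"wrap"), wrapped)

def encrypt(plaintext: bytes, recipients: dict, adk_pub: int) -> dict:
    # One random session key encrypts the body once; it is then wrapped for
    # every named recipient and, unconditionally, for the ADK.
    session_key = secrets.token_bytes(32)
    body = _xor_stream(_kdf(session_key, b"enc"), plaintext)
    tag = hmac.new(_kdf(session_key, b"mac"), body, hashlib.sha256).digest()
    targets = {**recipients, "ADK": adk_pub}
    keys = {name: wrap(session_key, pub) for name, pub in targets.items()}
    return {"keys": keys, "body": body, "tag": tag}

def decrypt(msg: dict, name: str, priv: int) -> bytes:
    session_key = unwrap(priv, msg["keys"][name])
    expect = hmac.new(_kdf(session_key, b"mac"), msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, msg["tag"]):
        raise ValueError("wrong private key or modified message")
    return _xor_stream(_kdf(session_key, b"enc"), msg["body"])
```

Because the ADK private key can unwrap the session key of every message, it needs storage and access controls at least as strict as those on any individual user's key.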

The timeline for iSeries and zSeries support in PGP Command Line has not yet been nailed down. PGP says a version of this product for Linux iSeries and zSeries environments (but only SuSE Linux) will be available in the first quarter. Support for native OS/400, "i/OS" (PGP's Freudian slip on i5/OS), z/OS, and Red Hat Linux "will follow," the company says. Pricing will start at $7,500 for a single server.

iSeries shops interested in licensing PGP Command Line version 9.0 should contact Patrick Townsend & Associates, the Olympia, Washington, OS/400 software vendor that PGP is partnering with to tackle the iSeries and zSeries markets.

Pat Townsend debuted a native OS/400 version of PGP less than a year ago (see "Pat Townsend Can Encrypt iSeries Tape Backups with PGP").






Editors: Dan Burger, Timothy Prickett Morgan, and Hesh Wiener
Publisher and Advertising Director: Jenny Delroy
Advertising Sales Representative: Kim Reed


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
