IBM has been building security into their IBM z platform for decades. Pervasive Encryption is a different way to think about security. It’s meant to allow you to secure your data at rest, as well as in flight, with minimal impact on server performance or the need to make changes to your applications. To accomplish this, IBM provides additional processing features on IBM z and LinuxOne that allow for the offloading of cryptographic functions, such as those needed to encrypt data, as well as those needed to provide secure communication sessions using SSL/TLS and many other functions. This is accomplished using a co-processor that comes with each central processor (GP) or Integrated Facility for Linux (IFL) processor, as well as optional PCIe adapters that run as co-processor or accelerators. Both of these co-processors have evolved over time with the different generations of z systems, adding new functionality and speed with each new generation. The type of data that can participate in pervasive encryption has evolved as well. For example, z/VM paging volumes can be encrypted, as well as z/OS data used, with the z/OS coupling facility.
CPACF – CP Assist for Cryptographic Functions
CPACF is a co-processor that comes with each of your general purpose or Integrated Facility for Linux processors and is used for various types of cryptographic functions. These functions include using clear keys or protected keys and are used synchronously, meaning the CPU and the co-processor work together to process a request. Cryptographic functions include encryption, decryption, hashing and random number generation. Within the context of Pervasive Encryption and Linux, these functions can be used to facilitate data encryption and data in flight, such as SSL/TLS processing. CPACF performance is based on the type of cryptographic functions being performed. For example, during SSL/TLS communications, the large amount of different and short duration connections has a greater impact on CPACF performance and usage than processing keys used to encrypt and decrypt data sets or volumes.
Crypto Express6S is an optional feature that can be added to your IBM z14 or LinuxOne to allow for three different types of operation, depending on your needs. These three different configurations are:
1) CCA co-processor
2) PKCS #11 co-processor
3) An accelerator
Each of these configurations have different functions and use cases. You can have up to sixteen (16) crypto express cards on your system, and these cards can be shared across all your logical partitions. Each partition only has access to its own assigned co-processor or accelerator so that it can’t access any other partitions’ data. When you order these features, they must be initially ordered as a pair, and then they can be added one or more at a time. The pair requirement is there to provide redundancy. These cards support over three hundred (300) different cryptographic algorithms and modes. These crypto express cards work asynchronously, allowing the offload of cryptographic functions and freeing up processor cycles.
When configured as a co-processor, the crypto express cards provide a wide range of functionality around encryption of data, key generation and management, random number generation, hashing, credit card transaction processing and much more. The crypto express cards are also hardware security modules (HSM) that are tamper resistant and used to store various types of encryption keys. When configured as a co-processor, these cards can be configured to meet various industry standards, such as FIPS 140-2 Level 4, as well as others.
When configured as an accelerator, the crypto express card can be used to offload SSL/TLS processing, making this a great option for web applications, etc. This can be extremely beneficial if you have a high degree of traffic.
I have recorded a presentation and demonstration on how to set up and use the Crypto Express6s. In this presentation, I show how to configure the card and use it to offload the SSL/TLS processing using a web server. The difference between using just the IFL (Integrated Facility for Linux) and using the crypto express card is dramatic.
How to Use when running Linux on IBM z and LinuxOne
To utilize these features under Linux when running on IBM z or LinuxOne, there are a few software packages that need to be present on your system. These include:
1) The ibmca and libica packages, which interface with the crypto express features
2) Other packages, depending on the purpose of the crypto express features (i.e. OpenSSL to offload SSL/TLS processing)
3) The zcrypt kernel module to allow access to the crypto express features. This is normally present by default on most recent distributions but can be activated if not.
The setup to use the crypto express cards is straight forward and can be accomplished in a short amount of time.
Using the CPACF and Crypto Express6s on the IBM z and LinuxOne allows you to utilize pervasive encryption with less impact on your IFL’s. These features offer the benefits of higher security without burdening the more costly CPU. Besides the z14 and LinuxOne models of z systems, other earlier models can also take advantage of pervasive encryption utilizing the earlier version of the crypto express card, such as the z13 with the Crypto Express5S.
As an IBM Platinum Business Partner, Mainline has extensive experience with IBM mainframe systems, and can help you with z/VM, Linux on IBM Z and LinuxOne. To set up an in-depth discussion about how to get started using these technologies, please contact your Mainline Account Executive directly or click here to contact us with any questions.
Related Blogs and Videos:
» Webinar Replay: Linux on Z and Crypto Express
» Webinar Replay: Installing Linux on IBM System Z using Distribution Scripting Tools