Pervasive Encryption: Linux on Z and Data at Rest

Andy Hartman
Senior Consultant

IBM’s Pervasive Encryption on IBM Z and LinuxOne servers takes many forms. It provides encryption of “Data in Flight” for SSL/TLS transactions in and out of the server, and it provides encryption of “Data at Rest”. z/VM and Linux running on IBM Z can take advantage of this technology in various ways.

Taking Advantage of Data Encryption on IBM Z

On z/VM, paging and virtual disks can be encrypted so that no previously encrypted data is paged out or stored on a virtual disk used as Linux swap space in plain text. Linux on Z can encrypt disk partitions and file systems. Pervasive Encryption can be used to encrypt data volumes and can be used to encrypt swap disks.

The encryption of data involves:

The CPACF coprocessor to perform the encryption and decryption
The Crypto Express Card to store and present the master key used to encrypt and decrypt the data, and
The s390-tools-zkey Linux package used to access the crypto express master keys for encrypting and decrypting data.

The encrypted disks utilize a plain or LUKS (Linux Unified Key Setup) format to store data on the partition along with metadata and key components.

Secure Service Containers (SSC)

In addition to “Data in Flight” and “Data at Rest”, there are additional features that can be exploited to secure your workloads. Secure Service Containers (SSC) are a recent addition to IBM Z servers. These special logical partitions (LPAR) contain secure Linux images running docker containers. These Secure Service Container LPARs provide even more security beyond encrypting communications and data on disk. They provide a secure boot environment and a secure image process that ensures the boot process and the image you are booting are not tampered. These LPARs restrict your access to approved APIs so that only secure communications and access are provided to this server.

The SSC technology is the basis for other IBM innovations like Blockchain implementations and Hyper Protect offerings. These are different application and middleware stacks targeted towards specific customer needs, such as Hyper Protect Database as a Service. The SSC LPARs can be utilized with IBM Cloud Private (ICP) and IBM Cloud Pak platforms, the latter built on Red Hat OpenShift. Both these solutions allow you to build a hybrid cloud environment and exploit the security benefits of the Secure Service Containers.

Encrypting Disks – Protecting “Data at Rest”/span>

Like encrypting communications, encrypting disks involves a set of hardware features on the IBM Z and LinuxOne. These features are described below.

CPACF – CP Assist for Cryptographic Functions

CPACF is a co-processor that comes with each of your general purpose or Integrated Facility for Linux (IFL) processors and is used for various types of cryptographic functions. These functions include using clear keys or protected keys and is used synchronously, meaning the CPU and the co-processor work together to process a request. Cryptographic functions include encryption, decryption, hashing and random number generation. Within the context of Pervasive Encryption and Linux these functions can be used to facilitate data encryption and data in flight such as SSL/TLS processing. CPACF performance is based on the type of cryptographic functions being performed for example, during SSL/TLS communications, the large amount of different and short duration connections has a greater impact on CPACF performance and usage then processing keys used to encrypt and decrypt data sets or volumes.

Crypto Express 6/7S

Crypto Express6/7S (z14/z15) is an optional feature that can be added to your IBM z14 / z15 or LinuxOne to allow for three different types of operation depending on your needs. These three different configurations are:

1) CCA co-processor
2) PKCS #11 co-processor
3) An accelerator

Each of these configurations have different functions and use cases. You can have up to sixteen (16) crypto express cards on your system and these can be shared across all your logical partitions (LPARs). Each partition only has access to its own assigned co-processor or accelerator so that it can’t access any other partitions data. When you order these features, they must be initially ordered as a pair and then they can be added one or more at a time. The pair requirement provides redundancy. These cards support over three hundred (300) different cryptographic algorithms and modes. These crypto express cards work asynchronously allowing the offload of cryptographic functions and freeing up processor cycles.

When configured as a co-processor the crypto express cards provide a wide range of functionality around encryption of data, key generation and management, random number generation, hashing, credit card transaction processing and much more. The crypto express cards are also hardware security modules (HSM) that are tamper resistant and used to store various types of encryption keys.

When configured as a co-processor these cards can be configured to meet various industry standards such as FIPS 140-2 Level 4 as well as others.
When configured as an accelerator, the crypto express card can be used to offload SSL/TLS processing making this a great option for web applications etc. This can be extremely beneficial if you have a high degree of traffic.
When utilizing these hardware features for data encryption, the Crypto Express Card is utilized as a Hardware Security Module and the CPACF coprocessor is used to perform the cryptographic functions when encrypting and decrypting data.

Trusted Key Entry Workstation

This is a highly secure separate workstation that is used to load and manage cryptographic master keys in the Crypto Express Cards. Although not an absolute requirement, for a Linux only environment that does not have access to z/OS ICSF, it is highly recommended for ease of use and security.

A Note About Key Management

Before you begin to configure and utilize disk encryption on Linux on Z or LinuxOne it is critical that you have good key management processes in place. When encrypting data, the cryptography keys used to encrypt this data become critical to the usability of this data. If you lose the keys the data cannot be recovered. You may already have processes in place for other areas of your business to handle key management for z/OS or your storage subsystems for example. These should be reviewed and modified to incorporate Linux on Z or LinuxOne. You need to consider additional items beyond just creating and storing master keys. These include designation of key owners, key retention policies, backup and recovery of keys and disk encryption meta data areas, long term storage of keys and how to maintain keys that may be needed years in the future to retrieve old data.

When creating and storing master keys for use with Linux on Z and LinuxOne, there are several options available for this purpose:

EKMF – Enterprise Key Management System – A centralized key management system used to manage keys and certificates, used for a more comprehensive management solution for multiple different environments
Trusted Key Entry Workstation – Highly secure separate physical workstation that manages keys in crypto express cards, GUI based, also useful for good key management practices such as separation of key parts, separation of individuals and the use of smart cards – recommended for Linux on Z environments
z/OS ICSF – Integrated Cryptographic Service Facility – used to manage crypto express cards from z/OS and is integrated with RACF or other security management solutions
Panel.exe (Linux) – used to load master keys into a crypto express card – can be used for testing, not recommended for production – not very secure and cumbersome with more than a few domains

How to Use when running Linux on IBM Z and LinuxOne

To utilize these features under Linux when running on IBM Z or LinuxOne, there are a few software and hardware requirements that need to be present on your system. These include:

Hardware required:
CPACF Feature Code – 3863
Crypto Express Cards – Two minimum – model based on the model of your processor

Linux Versions required:
SLES 15 or later, RHEL 7.6 or later, UBUNTU 18.10 or later, these releases are required to support LUKS2 format – older versions will support plain and luks1 disk encryption. Check your distribution for details.

Linux Software required:
s390-tools-zkey – needed to utilize the crypto express master keys for encrypting data
csulcca – recent/latest version – Only needed if you are going to use the panel.exe to load master keys into the crypto express cards – it’s an rpm package for SuSE and Red Hat and a deb package for Ubuntu
cpacfstats/d – used to measure CPACF usage if Linux is running in an LPAR

z/VM Encrypted Paging requirements:
z/VM 6.4 or 7.1 with appropriate maintenance to utilize ENCRYPT PAGING command

Benefits

Using the CPACF and Crypto Express 6/7s on the IBM Z and LinuxOne allows you to utilize disk encryption with master keys that are protected within the best hardware security module in the industry. This keeps your data safe from loss or theft. Even if you lose the data or it is stolen, it can’t be read without these master keys. Various models of the IBM Z and LinuxOne processors can take advantage of disk encryption, such as the IBM z14 and z15 alone with the LinuxOne Rockhopper and Emperor models.

Watch Replays

Data at Rest: Watch the replay of my webinar and demo which focused on how Linux on Z can secure “Data at Rest” (disk encryption).

Watch the replay: Pervasive Encryption on Linux on Z

Data in Flight: In a previous blog article and webinar and demo, I discussed securing “Data in Flight” in greater detail. This involves configuring the IBM Crypto Express Card to act as an accelerator and offload SSL/TLS transactions for web servers and other types of communications such as SSH and secure ftp transfers.

Read my blog about securing “Data in Flight”

Watch the replay: Linux on Z and Crypto Express Cards

More Information
As an IBM Platinum Business Partner, Mainline has extensive experience with IBM mainframe systems, and we can help you with z/VM, Linux on IBM Z and LinuxOne. To set up an in-depth discussion about how to get started using these technologies, please contact your Mainline Account Executive directly or click here to contact us with any questions.