Cpacf Key Wrapping - IBM z13s Technical Manual

Wrapping keys are generated during the clear reset each time an LPAR is activated or reset.
No customizable option is available at the Support Element (SE) or Hardware Management
Console (HMC) that permits or avoids the wrapping key generation. Figure 6-5 shows this
function flow.
Figure 6-5 CPACF key wrapping (figure not reproduced; the only labels recovered from it are "CCA" and "CCA Master Key")
If a Crypto Express5S coprocessor (CEX5C) is available, a protected key can begin its life as
a secure key. Otherwise, an application is responsible for creating or loading a clear key
value, and then using the PCKMO instruction to wrap the key. ICSF is not called by the
application if Crypto Express5S is not available.
A new segment in the profiles of the CSFKEYS class in IBM RACF restricts which secure
keys can be used as protected keys. By default, no secure key is eligible to be used as a
protected key. The process that is described in Figure 6-5 uses a secure key as the
source of a protected key.
In this case, the source key is already stored in the ICSF cryptographic key data set (CKDS)
as a secure key, that is, encrypted under the master key. This secure key is sent to the
Crypto Express5S to be deciphered, and the clear key is sent to the CPACF. At the CPACF, the
key is wrapped under the LPAR wrapping key, and the wrapped value is returned to ICSF. After
the key is wrapped, ICSF can keep the protected value in memory. It then passes the protected
value to the CPACF, where the key is unwrapped for each encryption or decryption operation.
The protected key is designed to provide substantial throughput improvements for encryption of
large volumes of data and low latency for encryption of small blocks of data. A
high-performance secure key solution, also known as a protected key solution, requires ICSF
HCR7770 as a minimum release.
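The flow described above (secure key in the CKDS, deciphered by the Crypto Express5S, re-wrapped by the CPACF under the LPAR wrapping key, kept by ICSF in memory and unwrapped inside the CPACF for each operation) is modelled in the following added Go example. It is not IBM code and not an ICSF, CCA or CPACF API: the types Coprocessor and CPACF, the functions ProtectedFromSecure, sealWith, openWith and randomKey, and the use of AES-256-GCM as a stand-in for both master-key encryption and LPAR wrapping are assumptions of the model, and the sample key and "payroll record" plaintext are constructed. It shows the consequence of wrapping keys being regenerated at every LPAR activation or reset: a protected value kept in memory is useless after a reset or under another LPAR's wrapping key, while the secure key in the CKDS, encrypted under the persistent master key, stays valid and can be used to derive a fresh protected key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm builds AES-256-GCM, this model's stand-in for master-key encryption and LPAR wrapping.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts data under key, with a fresh random nonce prefixed to the output.
func sealWith(key, data []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, data, nil), nil
}

// openWith reverses sealWith; it fails if the key is wrong or the blob was altered.
func openWith(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, fmt.Errorf("blob too short")
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Coprocessor stands in for the Crypto Express5S holding the CCA master key;
// a secure key, the form the CKDS stores, is a clear key encrypted under it.
type Coprocessor struct{ masterKey []byte }
func (c *Coprocessor) ImportSecureKey(clear []byte) ([]byte, error) { return sealWith(c.masterKey, clear) }

// CPACF stands in for the on-chip function and its LPAR wrapping key. Reset regenerates
// that key as LPAR activation or reset does, invalidating every protected key wrapped
// under the old one; Wrap models PCKMO (clear key in, protected key out).
type CPACF struct{ wrappingKey []byte }

func (p *CPACF) Reset()                            { p.wrappingKey = randomKey() }
func (p *CPACF) Wrap(clear []byte) ([]byte, error) { return sealWith(p.wrappingKey, clear) }

// withKey unwraps a protected key inside CPACF for one operation and runs op on the
// clear value, which is never handed back to the caller.
func (p *CPACF) withKey(protected []byte, op func([]byte) ([]byte, error)) ([]byte, error) {
	clear, err := openWith(p.wrappingKey, protected)
	if err != nil {
		return nil, fmt.Errorf("protected key not valid under the current LPAR wrapping key: %w", err)
	}
	return op(clear)
}

func (p *CPACF) Encrypt(protected, pt []byte) ([]byte, error) {
	return p.withKey(protected, func(k []byte) ([]byte, error) { return sealWith(k, pt) })
}
func (p *CPACF) Decrypt(protected, ct []byte) ([]byte, error) {
	return p.withKey(protected, func(k []byte) ([]byte, error) { return openWith(k, ct) })
}

// ProtectedFromSecure models the ICSF path of Figure 6-5: the coprocessor deciphers
// the secure key and CPACF re-wraps the clear value under the LPAR wrapping key.
func ProtectedFromSecure(cop *Coprocessor, cpacf *CPACF, secure []byte) ([]byte, error) {
	clear, err := openWith(cop.masterKey, secure)
	if err != nil {
		return nil, err
	}
	return cpacf.Wrap(clear)
}

func main() {
	cop, cpacf := &Coprocessor{randomKey()}, &CPACF{randomKey()}
	secure, _ := cop.ImportSecureKey(randomKey()) // constructed sample key
	protected, _ := ProtectedFromSecure(cop, cpacf, secure)
	ct, _ := cpacf.Encrypt(protected, []byte("payroll record"))
	cpacf.Reset() // the protected value ICSF kept in memory is now stale
	_, err := cpacf.Decrypt(protected, ct)
	fresh, _ := ProtectedFromSecure(cop, cpacf, secure) // secure key is still valid
	pt, _ := cpacf.Decrypt(fresh, ct)
	fmt.Printf("after reset: %v\nre-derived protected key recovers %q\n", err, pt)
}
```

The point of the model is which values cross which boundary: the clear key exists only inside ProtectedFromSecure (standing in for the coprocessor-to-CPACF hand-off) and inside withKey (the per-operation unwrap), so the caller only ever holds the master-key-encrypted secure key and the LPAR-bound protected key. Running main shows the stale protected key failing authentication after Reset and the re-derived one recovering the ciphertext.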
210
IBM z13s Technical Guide