Highly sensitive workloads on Linux on IBM Z and LinuxONE can use the premium protection of Crypto Express 8S adapters in CCA or EP11 mode. Workloads can use Crypto Express 8S adapters as directly attached Hardware Security Modules (HSMs) at various levels of virtualization: in an LPAR, a z/VM or KVM guest, or in a Kubernetes container on Red Hat OpenShift.
With IBM z16 and LinuxONE 4 (GA 1.5), it is possible to securely attach a domain of a Crypto Express 8S adapter to a secure execution guest, allowing a tenant to run sensitive workloads with HSM access in a cloud environment, even if the tenant does not trust all levels of the cloud administration.
This IBM Redbooks publication also explains how to connect a Trusted Key Entry system to IBM Z or LinuxONE hardware to configure Crypto Express adapters. In particular, we address running a secure execution guest that uses a Crypto Express adapter.
Additionally, this publication provides a high-level, end-to-end overview of how to set up cryptographic resources at all required levels, including hardware, hypervisor, cluster, and operating system or container, so that a crypto workload can run in the cloud. It is intended for IT architects, IT specialists, and system administrators.
Chapter 1. Introduction
Chapter 2. Overview of our environment
Chapter 3. Configure Linux guests to use CEX adapters
Chapter 4. Using a CEX resource within a containerized environment
Chapter 5. Guest/workload considerations for using HSMs in the cloud