
Crypto Express for Cloud Workloads

A draft IBM Redbooks publication


Last updated on 08 March 2024


IBM Form #: SG24-8547-00


Authors: Lydia Parziale, Marco Egli, Harald Freudenberger, Savitri Hunasheekatti and Irmes Sandor


    Abstract

    Highly sensitive workloads on Linux on IBM Z and LinuxONE can use the premium protection of Crypto Express 8S adapters in CCA or EP11 mode. Workloads can use Crypto Express 8S adapters as directly attached Hardware Security Modules (HSMs) at various levels of virtualization: in an LPAR, a z/VM or KVM guest, or in a Kubernetes container on Red Hat OpenShift.

    With IBM z16 and LinuxONE 4 (GA 1.5) it is possible to securely attach a domain of a Crypto Express 8S adapter to a secure execution guest, allowing a tenant to run sensitive workloads with HSM access in a cloud environment, even if the tenant does not trust all levels of the cloud administration.

    This IBM Redbooks publication also explains how to connect a Trusted Key Entry system to IBM Z or LinuxONE hardware to configure Crypto Express adapters. In particular, we address running a secure execution guest that uses a Crypto Express adapter.

    Additionally, this publication provides a high-level, end-to-end overview of how to set up cryptographic resources at all required levels (hardware, hypervisor, cluster, and operating system or container) so that a crypto workload can run in the cloud. It is intended for IT Architects, IT Specialists and system administrators.

    Table of Contents

    Chapter 1. Introduction

    Chapter 2. Overview of our environment

    Chapter 3. Configure LINUX guests to use CEX adapters

    Chapter 4. Using a CEX resource within a containerized environment

    Chapter 5. Guest/workload considerations for using HSMs in the cloud

     

    Special Notices

    The material included in this document is in DRAFT form and is provided 'as is' without warranty of any kind. IBM is not responsible for the accuracy or completeness of the material, and may update the document at any time. The final, published document may not include any, or all, of the material included herein. Client assumes all risks associated with Client's use of this document.