Highly sensitive workloads on Linux on IBM Z and LinuxONE can use the premium protection of Crypto Express 8S adapters in CCA or EP11 mode. Workloads can use Crypto Express 8S adapters as directly attached Hardware Security Modules (HSMs) at various levels of virtualization: in an LPAR, a z/VM or KVM guest, or in a Kubernetes container on Red Hat OpenShift.
With IBM z16 and LinuxONE 4 (GA 1.5) it is possible to securely attach a domain of a Crypto Express 8S adapter to a secure execution guest, allowing a tenant to run sensitive workloads with HSM access in a cloud environment, even if the tenant does not trust all levels of the cloud administration.
This IBM Redbooks publication also explains how to connect a Trusted Key Entry system to IBM Z or LinuxONE hardware to configure Crypto Express adapters. In particular, we address running a secure execution guest that uses a Crypto Express adapter.
Additionally, this publication provides a high-level, end-to-end overview of how to set up cryptographic resources at every required level (hardware, hypervisor, cluster, and operating system or container) so that a cryptographic workload can run in the cloud. It is intended for IT architects, IT specialists, and system administrators.
Chapter 1. Introduction
Chapter 2. Overview of our environment
Chapter 3. Configure Linux guests to use CEX adapters
Chapter 4. Using a CEX resource within a containerized environment
Chapter 5. Guest/workload considerations for using HSMs in the cloud
The material included in this document is in DRAFT form and is provided 'as is' without warranty of any kind. IBM is not responsible for the accuracy or completeness of the material, and may update the document at any time. The final, published document may not include any, or all, of the material included herein. Client assumes all risks associated with Client's use of this document.