Introduction and general concepts

Key management is an essential aspect of managing secure and resilient systems. The IBM Enterprise Key Management Foundation (EKMF) is a key-management system that provides real-time, centralized secure management of keys and certificates. Many key-management systems are based on the Key Management Interoperability Protocol (KMIP), which is also supported on Linux.

Data protection is often driven by industry regulations. However, compliance with regulations is only the minimum protection level. One of the most effective ways to protect data is to encrypt it. With the encryption of data, encryption keys become the most sensitive pieces of data. Therefore, special care must be taken in managing such keys since both their disclosure and their loss can have harmful effects on the enterprise. The control of such keys is assigned to special experts (security officers) and they must follow guidelines that are imposed by the enterprise, or other regulatory bodies.

Linux on IBM Z® and IBM LinuxONE offers pervasive encryption for data volumes for data at-rest through dm-crypt using secure keys that are managed with the help of the zkey utility.

Key management on the enterprise level

On Linux, a secure key repository controlled by the zkey utility can be used to manage secure keys to encrypt Linux volumes. To encrypt volumes, you use dm-crypt with the protected-key cipher paes. The encryption keys are protected by a Crypto Express adapter. The zkey command manages those keys locally on the system it runs on.

To manage keys across your enterprise from a central location, not separately on each system, you can use the zkey utility with the key-management system plug-in interface. Key-management systems can provide a plug-in and thus integrate themselves into the zkey utility. The zkey utility does not need to know any details about the key-management system; it just uses the plug-in to interface with the key-management system.

Using an enterprise-wide key management system includes these benefits:
  • You can centrally manage the full lifecycle of cryptographic keys, including creation, access, maintenance, decryption, and destruction.
  • It helps ensure industry compliance. As compliance rules change, a centralized system that adheres to a standardized key management policy that is implemented across the organization can simplify updates.
  • You can share keys across Linux instances, if these instances share encrypted volumes.

Figure 1 illustrates the concept of a central KMS. The figure also illustrates how to set up a backup system: Linux instances 1 and 2 have a hardware disk-mirroring connection through PPRC between their disks. The keys for such mirrored instances can be easily fetched from the KMS.

Figure 1. A central KMS serves multiple Linux systems. Keys can be populated in the local zkey repositories.

Overview of KMS plug-in integration steps

Key-management system plug-ins for EKMF Web and KMIP are available for Linux on IBM Z and LinuxONE.

The zkey utility can integrate with a key-management system. Thus, the key-management system can manage keys used by multiple Linux instances to encrypt volumes. The Linux instance must have access to a cryptographic adapter.

With EKMF Web or KMIP for Linux, security is emphasized. Keys are never exposed in plain text and are only available to authorized parties, where both the key protection and the authentication of authorized parties are secured by HSMs.

The following steps provide an overview of the setup for a key-management system. For details, see Using the EKMF plug-in or Using the KMIP plug-in.

Procedure:
  1. Ensure that the key-management system plug-in that you want to work with is available.
  2. Bind the local key repository to the plug-in.
  3. Configure the plug-in.
    Configuring the plug-in usually entails:
    • Configuring AP queues.
    • Establishing communication with a server.
    • Defining supported key types.

Figure 2 shows a schematic overview of a KMS plug-in integrated with zkey and a KMS server. The secure connection between the plug-in and the server uses TLS and a transport key to protect the keys to be exchanged. Typically, with an enterprise key management system, keys are generated inside the KMS and can be downloaded to the local zkey repositories of authorized clients.

Figure 2. A KMS plug-in integrated with a KMS server
On the left, a Linux instance serves as a KMS client, connected through a secure connection to a KMS server on the right.
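To make the three setup steps concrete, here is an added shell wrapper that is not part of this page or of the zkey sources. It drives the zkey kms plugins, bind, configure and info subcommands in the order the procedure describes; the plug-in name and the APQN list are constructed sample values, and the plug-in-specific server and key-type settings (EKMF Web or KMIP) are deliberately left out because they belong to each plug-in's own configuration options.

```shell
#!/bin/sh
# Added example (not from this page or from s390-tools): runs the three
# KMS setup steps against the local zkey repository.
# Assumptions: the plug-in name ("kmip" or "ekmfweb") and the APQN list are
# constructed sample values; server and key-type settings are plug-in
# specific and are left to the plug-in's own "zkey kms configure" options.

# Step 1: is the plug-in installed? "zkey kms plugins" lists the plug-ins
# registered on this system; we only check that the requested name appears.
kms_plugin_available() {
    zkey kms plugins | grep -qw -- "$1"
}

# Step 2: bind the local repository to the plug-in.
kms_bind() {
    zkey kms bind "$1"
}

# Step 3 (first part): tell the plug-in which AP queues (APQNs, CARD.DOMAIN)
# it may use. An empty list is refused: without an accessible Crypto Express
# queue the plug-in cannot turn keys from the KMS into secure keys here.
kms_configure_apqns() {
    [ -n "$1" ] || { echo "kms_configure_apqns: no APQNs given" >&2; return 1; }
    zkey kms configure --apqns "$1"
}

# Run the steps in order, stopping at the first failure, and finish by
# showing the binding with "zkey kms info" so the result can be checked.
setup_kms() {
    kms_plugin_available "$1" || { echo "setup_kms: plug-in '$1' is not installed" >&2; return 1; }
    kms_bind "$1" || return 1
    kms_configure_apqns "$2" || return 1
    zkey kms info
}

# Usage: sh zkey-kms-setup.sh <plug-in> <apqn-list>, for example:
#   sh zkey-kms-setup.sh kmip 0a.0019,0b.0019
if [ "$#" -eq 2 ]; then
    setup_kms "$1" "$2"
fi
```

Run it as root on the system that owns the repository; the final zkey kms info prints the bound plug-in and its current settings, so the binding can be verified before any keys are generated or imported. The remaining plug-in-specific settings (server connection, key types) are then added with further zkey kms configure calls as described in the plug-in sections.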

Once your setup is complete, you can use the zkey utility to perform all the tasks to manage your keys, including:
  • Generating keys in the KMS
  • Modifying properties of keys in the KMS
  • Listing keys of the client in the KMS
  • Removing keys
The details of these operations are specific to the plug-ins and are described in the plug-in-specific part: