Crypto Express adapters on secure guests

Use Crypto Express adapters on your secure guest for cryptographic operations. A secure guest can use domains of a Crypto Express adapter that are configured as accelerators or as EP11 coprocessors. EP11 coprocessor domains act as hardware security modules (HSMs) and hold a master key; accelerator domains speed up clear-key operations and hold no master key.

On IBM Z® and IBM® LinuxONE, Crypto Express adapters with their virtual hardware security modules (HSM) are the natural choice for hardware-powered and -secured encryption.

Using a virtual HSM for a KVM guest that runs in IBM Secure Execution mode ensures that:

  • Your guest can distinguish its HSM from a tampered substitute that holds a master key known to an attacker.
  • You prevent a compromised hypervisor or peer guest from extracting sensitive data from your exchanges with your Crypto Express adapter.
  • You prevent a malicious peer guest from using your HSM to decrypt data with a stolen secure key.

Secure Execution for Linux uses a dedicated secret, the association secret, to bind a secure guest to an HSM. The untrusted provider of the host environment configures the HSM for the KVM guest by assigning adapter domains to it, but cannot use those domains once they are associated with the secure guest.
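The following shell script is an added example and is not part of this documentation or of s390-tools. It checks, on a running guest, the two preconditions described above: that Linux actually runs as a Secure Execution guest (the kernel's /sys/firmware/uv/prot_virt_guest attribute reads 1) and that every Crypto Express domain the guest sees is in accelerator or EP11 coprocessor mode, the two modes a secure guest can use. It assumes the column layout and the mode names (Accelerator, EP11-Coproc, CCA-Coproc) printed by lszcrypt from s390-tools; the sample output embedded in the script is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: verify that this Linux instance is a Secure Execution guest
# and that its Crypto Express domains are in a mode a secure guest can use
# (accelerator or EP11 coprocessor). Not IBM documentation or s390-tools code;
# the lszcrypt column layout and mode names below are assumptions.

# Constructed sample in lszcrypt's layout (not captured from a real system):
# an EP11 card with two domains, one accelerator domain, and one CCA domain,
# which is in neither of the two modes a secure guest can use.
SAMPLE_LSZCRYPT='CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
----------------------------------------------
01          CEX8P EP11-Coproc online         3
01.0011     CEX8P EP11-Coproc online         3
01.0012     CEX8P EP11-Coproc online         0
02          CEX8A Accelerator online        17
02.0011     CEX8A Accelerator online        17
03          CEX8C CCA-Coproc  online         0
03.0011     CEX8C CCA-Coproc  online         0'

# Queue lines look like CARD.DOMAIN (hex card, dot, hex domain). Card-only
# summary lines have no dot and are skipped so each domain is counted once.
QUEUE_RE='^[0-9a-fA-F][0-9a-fA-F][.][0-9a-fA-F]+$'

# Print the number of domains (queues) in lszcrypt output read from stdin.
count_domains() {
    awk -v re="$QUEUE_RE" '$1 ~ re { n++ } END { print n + 0 }'
}

# Print "CARD.DOMAIN MODE" for every domain whose MODE column (field 3) is
# neither Accelerator nor EP11-Coproc; prints nothing when all are usable.
list_unsupported_domains() {
    awk -v re="$QUEUE_RE" \
        '$1 ~ re && $3 != "Accelerator" && $3 != "EP11-Coproc" { print $1, $3 }'
}

# Print how many domains list_unsupported_domains reports (0 when none).
count_unsupported_domains() {
    list_unsupported_domains | wc -l | tr -d ' '
}

# Return 0 when the kernel's sysfs attribute says this Linux runs as a
# Secure Execution guest (value 1). The optional argument lets the functions
# be exercised against a constructed file instead of the real attribute.
is_secure_guest() {
    f="${1:-/sys/firmware/uv/prot_virt_guest}"
    [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Live check: secure guest, lszcrypt available, no domain in an unusable mode.
check_guest() {
    if ! is_secure_guest; then
        echo "not running as a Secure Execution guest (prot_virt_guest != 1)" >&2
        return 1
    fi
    if ! command -v lszcrypt >/dev/null 2>&1; then
        echo "lszcrypt (s390-tools) is not installed" >&2
        return 1
    fi
    out="$(lszcrypt)" || { echo "lszcrypt failed" >&2; return 1; }
    bad="$(printf '%s\n' "$out" | list_unsupported_domains)"
    if [ -n "$bad" ]; then
        echo "domains that are neither accelerator nor EP11 coprocessor:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    echo "secure guest with $(printf '%s\n' "$out" | count_domains) usable crypto domain(s)"
}

# The live check runs only when invoked as "sh check_se_crypto.sh run";
# otherwise the script just defines the functions, so the parsers can be
# exercised against SAMPLE_LSZCRYPT without touching the system.
if [ "${1:-}" = "run" ]; then
    check_guest
fi
```

Run it on the guest as `sh check_se_crypto.sh run`. A non-zero exit with the "prot_virt_guest" message means the guest was not started in Secure Execution mode, so none of the guarantees listed above apply; a listed domain means the host assigned a domain in a mode the secure guest cannot use, which is a configuration problem to raise with the host provider rather than something the guest can fix.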

For details of how to set up a virtual HSM for your guest, see Crypto Express adapters for secure-execution guests.