Generating secure keys using the pkey device driver

6.10 LPAR mode z/VM guest KVM guest

The pkey device driver uses random data from an AP queue to generate secure keys.

Such keys can be used for example, for swap disks where you might want a new key to be generated at every boot. Secure keys for this and other purposes can be read from secure key sysfs attributes.

Alternatively to sysfs, you can use the ioctl calls, see External programming interfaces.

Procedure

Read the sysfs attribute according to the required the type, length, and cipher mode of the key.

  • For a CCA AES data secure key, read from one of the attributes in /sys/devices/virtual/misc/pkey/ccadata. The following attributes are available:
    • ccadata_aes_128
    • ccadata_aes_192
    • ccadata_aes_256
    • ccadata_aes_128_xts
    • ccadata_aes_256_xts
  • For a CCA AES cipher secure key read from one of the attributes in /sys/devices/virtual/misc/pkey/ccacipher. The following attributes are available:
    • ccacipher_aes_128
    • ccacipher_aes_192
    • ccacipher_aes_256
    • ccacipher_aes_128_xts
    • ccacipher_aes_256_xts
  • For an EP11 AES secure key read from one of the attributes /sys/devices/virtual/misc/pkey/ep11. The following attributes are available:
    • ep11_aes_128
    • ep11_aes_192
    • ep11_aes_256
    • ep11_aes_128_xts
    • ep11_aes_256_xts

Results

Attributes for non-XTS keys yield exactly one secure-key token. Attributes for XTS cipher mode yield two concatenated secure-key tokens. The length of a token also varies by key type and length as summarized in Table 1.

Table 1. Length of the attribute values
Key type Attribute length non-XTS (single key token) Attribute length XTS (two key tokens)
CCA AES data secure key 64 bytes 128 bytes
CCA AES cipher secure key 136 bytes 272 bytes
EP11 AES secure key 320 bytes 640 bytes