Generating volatile protected keys by using the pkey device driver
You can generate protected keys from random data by reading the binary sysfs pkey attributes.
About this task
You do not need a Crypto Express adapter to generate a protected key from random data.
The /sys/devices/virtual/misc/pkey/protkey directory contains an attribute for each available key type. Read an attribute to obtain a protected key token.
Traditionally, AES-XTS keys provided through the protkey_aes_128_xts and protkey_aes_256_xts sysfs attributes are simply the concatenation of two AES-128 or two AES-256 keys, respectively.
With IBM® z17™, CPACF introduces enhanced performance for AES-XTS encryption using a new key format referred to as full AES-XTS keys. In this format, the two AES keys are stored differently to improve both performance and security. The protkey_aes_xts_128 and protkey_aes_xts_256 sysfs attributes provide key material in this new format.
- HMAC-SHA224
- HMAC-SHA256
- HMAC-SHA384
- HMAC-SHA512
Procedure
- protkey_aes_128
- protkey_aes_192
- protkey_aes_256
- protkey_aes_128_xts
- protkey_aes_256_xts
- protkey_aes_xts_128
- protkey_aes_xts_256
- protkey_hmac_512
- protkey_hmac_1024
For the XTS attributes, the result depends on the key format: the protkey_aes_128_xts and protkey_aes_256_xts attributes return two concatenated protected-key tokens, 160 bytes in total, whereas the protkey_aes_xts_128 and protkey_aes_xts_256 attributes return a single "full" XTS protected-key token of 80 bytes or 112 bytes, respectively.
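The following script is an added example and not part of the IBM documentation. It reads one of the attributes listed above exactly once into a file and checks that the blob has the size the documentation states for that attribute (160, 80 or 112 bytes for the XTS attributes; for the single AES and HMAC attributes no size is stated, so none is checked). The sysfs path is the one given above; the optional directory argument and the PKEY_DIR variable are assumptions added so the function can be exercised against a constructed directory on a machine without the pkey driver.

```shell
#!/bin/sh
# Added example, not from the IBM page: read a volatile protected key from the
# pkey sysfs directory and check the blob size against the documented value.
#
# Each read of an attribute generates a fresh key from random data. The key is
# wrapped under the CPACF wrapping key of this system, so the blob is usable
# only on this system and only until the wrapping key changes (e.g. at IPL).

# Assumed override for offline use; the default is the documented sysfs path.
PKEY_DIR="${PKEY_DIR:-/sys/devices/virtual/misc/pkey/protkey}"

# expected_len ATTRIBUTE
# Prints the blob size in bytes the documentation states for ATTRIBUTE, or 0
# when it states none (single AES tokens and HMAC tokens).
expected_len() {
    case "$1" in
        protkey_aes_128_xts|protkey_aes_256_xts) echo 160 ;;  # two concatenated tokens
        protkey_aes_xts_128)                     echo 80  ;;  # one full AES-XTS-128 token
        protkey_aes_xts_256)                     echo 112 ;;  # one full AES-XTS-256 token
        *)                                       echo 0   ;;
    esac
}

# read_protkey ATTRIBUTE OUTFILE [DIR]
# Reads ATTRIBUTE once into OUTFILE. Returns 0 on success, 2 if the attribute
# does not exist, 3 on a read error, 4 if the size differs from the documented
# one. DIR defaults to PKEY_DIR (the third argument is an assumption for testing).
read_protkey() {
    attr="$1"; out="$2"; dir="${3:-$PKEY_DIR}"
    src="$dir/$attr"
    [ -r "$src" ] || { echo "pkey: attribute not found: $src" >&2; return 2; }
    # Exactly one read: a second read would return a different key.
    cat "$src" > "$out" || return 3
    # The blob is the effective key material for this system; keep it private.
    chmod 600 "$out"
    len=$(wc -c < "$out" | tr -d ' ')
    want=$(expected_len "$attr")
    if [ "$want" -ne 0 ] && [ "$len" -ne "$want" ]; then
        echo "pkey: $attr returned $len bytes, expected $want" >&2
        return 4
    fi
    echo "$attr: $len bytes written to $out"
    return 0
}

# Example use on a Linux on IBM Z system (needs read access to the attribute):
#   read_protkey protkey_aes_xts_256 /run/xts_key.bin
```

Because the key is regenerated on every read, the script never reads an attribute twice for the same purpose; if you need the same key in two places, copy the file rather than reading the attribute again. A size mismatch (return code 4) usually means the attribute name and the expected format were mixed up, for example reading protkey_aes_256_xts when a full AES-XTS key was intended.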
As an alternative to sysfs, you can use the pkey ioctl calls; see External programming interfaces.