Hardware security modules (HSMs)

IBM Crypto Express adapters are tamper-responding HSMs that support cryptographic operations using secure keys.

A secure key can be used only on a specifically configured HSM, and its plaintext value is never observable inside an operating system. IBM Crypto Express adapters [3] have earned the highest level of certification, FIPS 140-2 Level 4, and can be configured in different modes:

  • HSMs configured as Common Cryptographic Architecture (CCA) adapters are intended for the financial industry and are certified as payment card industry (PCI) compliant.
  • HSMs configured as Enterprise PKCS #11 (EP11) adapters are intended for workloads using the PKCS #11 standard.

You can plug up to 60 Crypto Express adapters into a LinuxONE system. Each adapter can be logically partitioned into up to 85 domains, each acting as an independent virtual HSM. With this partitioning, thousands of virtual machines can access a dedicated virtual HSM. LinuxONE can access these adapters through the zcrypt device driver [4]. This device driver supports configurations for redundant HSMs to handle HSM failover and load balancing of cryptographic requests transparently to applications.

Using a pass-through attachment, SEL guests can be configured to securely use Crypto Express 8S adapters that run as accelerators or as EP11 HSMs.
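The redundancy that the zcrypt driver relies on for failover can be checked from a queue listing. The following is an added example, not IBM code: it parses a constructed sample laid out like the default output of the s390-tools `lszcrypt` command and reports every mode and domain pair that fewer than two adapters serve online. The column layout, the mode strings and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample; layout assumed to follow `lszcrypt` default output.
SAMPLE = """\
CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
----------------------------------------------
00          CEX8A Accelerator online         0
00.0005     CEX8A Accelerator online         0
01          CEX8P EP11-Coproc online         0
01.0005     CEX8P EP11-Coproc online        12
01.0011     CEX8P EP11-Coproc online         0
02          CEX8P EP11-Coproc online         0
02.0005     CEX8P EP11-Coproc offline        0
03          CEX8P EP11-Coproc online         0
03.0011     CEX8P EP11-Coproc online         3
04          CEX8C CCA-Coproc  online         0
04.0005     CEX8C CCA-Coproc  online         7
"""

# A queue row starts with "cc.dddd" (adapter and domain, both hexadecimal).
QUEUE = re.compile(r"^([0-9a-fA-F]{2})\.([0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s+(\S+)")


def online_adapters(text):
    """Map (mode, domain) -> set of adapter ids whose queue is online."""
    result = defaultdict(set)
    for line in text.splitlines():
        m = QUEUE.match(line)
        if not m:
            continue  # header, separator and adapter-level rows
        card, domain, _type, mode, status = m.groups()
        key = (mode, int(domain, 16))
        result[key]  # register the pair even if no queue is online
        if status == "online":
            result[key].add(int(card, 16))
    return dict(result)


def single_points_of_failure(text):
    """Return (mode, domain) pairs with fewer than two online adapters."""
    found = online_adapters(text)
    return sorted(k for k, cards in found.items() if len(cards) < 2)


if __name__ == "__main__":
    for mode, domain in single_points_of_failure(SAMPLE):
        print(f"no failover partner: mode={mode} domain={domain}")
```

In the sample, domain 17 (0x11) in EP11 mode is served by adapters 01 and 03 and is therefore not reported, while domain 5 in EP11 mode is reported because its queue on adapter 02 is offline.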