Pervasive encryption and protected key cryptography
Each processor of an IBM Z® or LinuxONE system has a special component called Central Processor Assist for Cryptographic Functions (CPACF) [5]. CPACF accelerates the most common cryptographic operations that are standardized by the US National Institute of Standards and Technology (NIST), for example AES, SHA2, SHA3, ECDH, and ECDSA [6].
CPACF also supports a unique feature called protected key cryptography. A protected key is a clear key that is encrypted by a key-encrypting key (KEK) hidden in the firmware that is specific to a virtual machine. A protected key can be used for cryptographic operations that use CPACF. The CCA and EP11 HSMs can covertly convert CCA and EP11 secure keys into protected keys. As with secure keys, plaintext values of protected keys are never observable by an operating system. This makes protected keys ideal for bulk encryption, providing a high level of security as well as high-speed cryptography.
Linux end-to-end disk encryption is based on dm-crypt and LUKS, and can use protected keys. Substituting the AES cipher with the PAES cipher causes dm-crypt to encrypt volumes with protected keys which are derived from secure keys [8]. This solves two problems:
- The plaintext value of the key used to encrypt or decrypt the volume is never available in the operating system and therefore cannot be stolen.
- The secure key used to open a volume can safely be stored on unprotected storage, thus resolving the catch-22 situation of where to put the ultimate secret that protects a volume. Using secure keys eliminates the need to interactively query passphrases for each volume. Hence dm-crypt volumes can be programmatically opened.
Other exploiters of protected keys can be programs that call the CCA library or openCryptoki. Such programs can be configured to use protected keys instead of secure keys. Software vendors can use the libzpc library [9] to call protected-key cryptographic operations in their applications.