IBM Crypto Express features

A Crypto Express feature (CEX*S feature) is often also referred to as a cryptographic card, a cryptographic adapter, or just an adapter. Beginning with CEX4S, a CEX*S feature can be configured in one of three modes: as a cryptographic accelerator (CEX*A), as a CCA coprocessor (CEX*C) for secure-key encrypted transactions, or in EP11 coprocessor mode (CEX*P) for exploiting Enterprise PKCS #11 functionality. Because an IBM Crypto Express feature is tamper-responding while safeguarding and administering secret master keys and performing cryptographic operations on the keys protected by the coprocessor, such a coprocessor is also called a hardware security module (HSM). A cryptographic coprocessor is divided into multiple domains, also called AP queues. Each AP queue acts as an independent cryptographic device (HSM) with its own state, including its own master key or set of master keys.

An HSM is a general-purpose computing environment that can generate and shield master keys. While it contains master keys, it withstands both physical and logical attacks. An HSM has special hardware to perform cryptographic operations. The HSM is accessed from a host computer system using a carefully designed set of API functions.

In general, IBM Crypto Express adapters generate and process secure keys (clear keys encrypted by a highly secure and shielded master key). IBM Crypto Express features configured as accelerator or as CCA coprocessor also generate and process clear keys. Each domain of a cryptographic coprocessor can contain active master keys, which are used to generate secure keys. Thus, a secure key is actually an effective key (clear key) wrapped by the tamper-proof master key of a domain within a cryptographic coprocessor. Secure keys are persistent key objects that can be safely stored on unprotected media, because they are protected by a specific master key that resides in a hardware security module certified with FIPS 140-2 Level 4. Using these keys requires access to a domain of a cryptographic coprocessor where the master key is activated.

If data needs to be encrypted or decrypted, it is sent to the cryptographic coprocessor, where it is processed with the effective key, which in turn is extracted (unwrapped) from the secure key with the help of the master key.
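The secure-key model described above, as an added illustration that is not IBM code and does not reproduce the CCA key-token format: each domain holds a master key that never leaves it, callers only ever see wrapped (secure) keys, and a secure key is usable only in a domain whose master key wrapped it. The wrapping uses an HMAC-SHA256 keystream with an integrity tag from the standard library as a stand-in for the adapter's internal cipher.

```python
"""Simulation of secure keys: clear keys wrapped by a domain master key.
Stand-in primitives only (HMAC-SHA256 keystream + tag), not CCA's real format."""
import hashlib
import hmac
import os

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of the requested length from key and nonce (simulation)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Domain:
    """One domain (AP queue) of a coprocessor: owns a master key that is never exported."""

    def __init__(self, master_key: bytes = None):
        self._master_key = master_key or os.urandom(KEY_LEN)  # stays inside the 'HSM'

    def generate_secure_key(self) -> bytes:
        """Generate a clear key internally and hand out only its wrapped form."""
        clear = os.urandom(KEY_LEN)
        nonce = os.urandom(NONCE_LEN)
        body = _xor(clear, _keystream(self._master_key, nonce, KEY_LEN))
        tag = hmac.new(self._master_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag  # this token is safe to store on unprotected media

    def _unwrap(self, secure_key: bytes) -> bytes:
        """Recover the effective key; fails if another domain's master key wrapped it."""
        nonce, body, tag = secure_key[:NONCE_LEN], secure_key[NONCE_LEN:-TAG_LEN], secure_key[-TAG_LEN:]
        expected = hmac.new(self._master_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("secure key was not wrapped by this domain's master key")
        return _xor(body, _keystream(self._master_key, nonce, KEY_LEN))

    def encrypt(self, secure_key: bytes, nonce: bytes, data: bytes) -> bytes:
        """Data is processed with the effective key, which only exists inside the domain."""
        effective = self._unwrap(secure_key)
        return _xor(data, _keystream(effective, nonce, len(data)))

    decrypt = encrypt  # symmetric keystream: same operation in both directions
```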

Note: OpenSSL only exploits cryptographic hardware functions that use plaintext keys (also called clear keys). That is, it exploits CPACF functions, the functions provided by the Crypto Express adapters in accelerator mode, and the clear key RSA and EC functions provided by the Crypto Express adapters in CCA mode.

You can find more information about IBM Crypto Express cryptographic coprocessors on this web site:

https://www.ibm.com/security/cryptocards

A Crypto Express adapter configured as accelerator supports modular exponentiation in standard and Chinese Remainder Theorem (CRT) format for a modulus length up to 4096 bits as used by RSA, DH, and DSA algorithms.

Refer to the Device Drivers, Features, and Commands publication that applies to your distribution for information about how to work with cryptographic coprocessors.