Configuring libzpc

For the standard use cases when working with libzpc, at least one Crypto Express adapter with a master key configuration is required. A new protected key can thus be derived from a persistent secure key which is wrapping the required effective key. It also requires a kernel (6.13) with support for pvsecrets.

Starting with version 1.3, libzpc supports protected keys derived from ultravisor retrievable secrets. Support for such protected keys can only be exploited on a KVM guest running with IBM® Secure Execution for Linux® (KVM SEL guest) on an IBM z17 ™ processor. For these types of protected keys, no cryptographic coprocessor is required.

For the standard use cases, depending on the crypto library accessed by your application, you need a cryptographic coprocessor configured in CCA mode or a Crypto Express EP11 coprocessor. To support these coprocessors, the respective libraries are required: the CCA host library libcsulcca.so or the EP11 host library libep11.so which you can access from the CEX8S Linux on IBM Z website.

The libzpc library uses the cryptographic coprocessor to derive a new protected key from a permanent secure key, both using the same effective key. As protected keys are volatile, this method ensures that a new protected key with the same wrapped effective key can always be derived whenever an old protected key does no longer exist.

To support IBM Crypto Express cryptographic coprocessors and protected keys, the respective device drivers are required. These are documented in Device Drivers, Features, and Commands in chapters Generic cryptographic device driver and Protected key device driver.

For information on how to set an AES master key for a cryptographic coprocessor with the help of a Trusted Key Entry workstation (TKE) read How to set an AES master key .