Unified Key Orchestrator for IBM® z/OS® Overview
Unified Key Orchestrator for IBM® z/OS® (UKO) is a key management service that provides management capabilities for pervasive encryption for IBM Z as well as Keep Your Own Key (KYOK) capability for cloud data encryption. Using FIPS 140-2 Level 4 certified hardware security modules (HSMs), UKO gives you exclusive control of your encryption keys. With UKO, you can connect to keystores on z/OS, in IBM Cloud, and at third-party cloud providers; back up and manage keys in one unified system; and orchestrate keys on premises and across multiple clouds.
Why UKO for pervasive encryption for IBM Z?
With the introduction of pervasive encryption for IBM Z, enterprises faced the challenge that the keys required for encryption must be created, managed, and backed up. UKO offers a simple, single pane of glass through which the lifecycle of all those keys can be managed.
Why UKO for keys in the cloud?
Many enterprises have a legal obligation to bring their own cryptographic keys when they move sensitive workloads to the cloud, and they are adopting the native encryption and key management offerings of cloud providers.
Dealing with multiple clouds means dealing with cryptographic keys in multiple key management services, which presents the following challenges:
- High manual effort and susceptibility to errors when enterprises operate different key management systems
- No control over the master key in external cloud key management systems
- Shortage of data centers and skilled staff to operate hardware security modules (HSMs) for KYOK or Bring Your Own Key (BYOK)
UKO alleviates the complexity of maintaining encryption across hybrid environments. You can integrate all your key management use cases into one consistent approach, backed by a trusted IBM Z HSM. It provides you with the following features:
- Consistent user experience
- Seamless integration into the existing hybrid frameworks
- One point of control for multiple keys, whether they are on premises or in multiple clouds
- Secure backup of all keys and easy restoration
Key features
UKO provides the following features:
- Connection to external keystores: UKO provides key lifecycle management according to NIST recommendations and secure transfer of keys to internal keystores in the service instance or to external keystores. With UKO, you can push your keys to z/OS or third-party cloud keystores, such as Azure Key Vault, AWS Key Management Service (KMS), Google Cloud KMS, or IBM Key Protect for IBM Cloud, distribute keys across keystores, and manage keys and keystores through both the UI and the REST API.
- Unified key backup and management system: UKO enables you to back up all keys in one central location. You can redistribute keys to recover quickly from fatal errors, and at the same time you retain the root of trust of your key hierarchy.
- Key orchestration across multiple environments: You can orchestrate keys through a single, unified user experience across multiple z/OS systems or clouds with an auditable key lifecycle orchestration mechanism. For more information, see Monitoring the lifecycle of encryption keys in UKO and Auditing events for UKO.
For more information about UKO, see Introducing UKO.