Hardware requirements

IBM Encryption Facility for z/OS Version 1.2 runs on System z mainframe processors that are currently in service with IBM. If a System z mainframe processor level goes out of service with IBM, Encryption Facility for z/OS will no longer be supported on that processor level and you must upgrade to a System z mainframe processor level that is still in service.

The cryptographic options for Encryption Services CSDFILEN and CSDFILDE are:
  • For the PASSWORD option, use one of the following:
    • CPACF only, or CPACF with PCIXCC / CEX2C / CEX3C / CEX4C
    • CCF
  • For the CLRTDES and CLRAES128 (no ENCTDES), use one of the following:
    • CPACF only, or CPACF with PCIXCC / CEX2C / CEX3C / CEX4C
    • CCF, or CCF with PCICC
  • For 2048-bit keys, use one of the following:
    • CEX2C / CEX3C / CEX4C
    • PCIXCC
    • PCICC with PCI Crypto 2048 bit Enablement Feature 0867
  • For RSA keys generated through RACF using ICSF or directly through ICSF, use one of the following:
    • CEX2C / CEX3C / CEX4C
    • PCIXCC
    • PCICC
  • For 1024-bit ME keys generated through RACF BSAFE and imported into ICSF, a CCF is required.

Performance for secure key (ENCTDES option) is slower than clear key (CLRTDES or CLRAES128). IBM recommends the use of clear key for encrypting large volumes of data. See z/OS Cryptographic Services ICSF Overviewz/OS Cryptographic Services ICSF Overview for a description of protected-key CPACF.

OpenPGP support and hardware cryptography

For AES or TDES symmetric encryption, use one of the following:
  • CPACF only (no cryptographic coprocessors). The -c command for passphrase-based encryption (PBE) is supported in a CPACF only environment with no cryptographic coprocessors. The -e command for public-key cryptography is not available in a CPACF only environment because a cryptographic coprocessor is required to encrypt the symmetric session key.
  • CPACF with PCIXCC / CEX2C / CEX3C / CEX4C
  • CCF
  • CCF with PCICC
For signatures or session key encryption using 2048-bit keys or 2048-bit RSA key generation, use one of the following:
  • CEX2C / CEX3C / CEX4C
  • PCIXCC
  • PCICC with PCI Crypto 2048 bit Enablement Feature 0867

For signatures or session key encryption using RSA 1024-bit ME keys generated through RACF BSAFE, imported into ICSF, and prepared for OpenPGP use, a CCF is required.

For signatures or session key encryption using RSA keys generated through RACF using ICSF or directly through ICSF and prepared for OpenPGP use, use one of the following:
  • CEX2C / CEX3C / CEX4C
  • PCIXCC
  • PCICC
Parent topic: Hardware and software requirements