Introduction

Key management is an essential aspect of managing secure and resilient systems. The IBM Enterprise Key Management Foundation (EKMF) and the Key Management Interoperability Protocol (KMIP) are two key-management systems that provide real-time, centralized secure management of keys and certificates.

Data protection is often driven by industry regulations. However, compliance with regulations is only the minimum protection level. One of the most effective ways to protect data is to encrypt it. With the encryption of data, encryption keys become the most sensitive pieces of data. Therefore, special care must be taken in managing such keys since both their disclosure and their loss can have harmful effects on the enterprise. The control of such keys is assigned to special experts (security officers) and they must follow guidelines that are imposed by the enterprise, or other regulatory bodies.

Linux on IBM Z® and IBM LinuxONE offers pervasive encryption for data volumes for data at-rest through dm-crypt using secure keys that are managed with the help of the zkey utility.

Key management on the enterprise level

On Linux, a secure key repository controlled by the zkey utility can be used to manage secure keys to encrypt Linux volumes. To encrypt volumes, you use dm-crypt with the protected-key cipher paes. The encryption keys are protected by a Crypto Express adapter. The zkey command manages those keys locally on the system it runs.

To manage keys across your enterprise from a central location, not separately on each system, you can use the zkey utility with the key-management system plug-in interface. Key-management systems can provide a plug-in and thus can integrate themselves into the zkey utility. The zkey utility does not need to know any details about the key-management system, it just uses the plug-in to interface with the key-management system.

Using an enterprise-wide key management system includes these benefits:
  • You can centrally manage the full lifecycle of cryptographic keys, including creation, access, maintenance, decryption, and destruction.
  • It helps ensuring industry compliance. As compliance rules change, a centralized system that adheres to a standardized key management policy that is implemented across the organization can simplify updates.
  • You can share keys across Linux instances, if these instances share encrypted volumes.