Unified Key Orchestrator for IBM z/OS
Centralized key management software for handling your sensitive encryption keys

Unified Key Orchestrator for IBM® z/OS®, formerly IBM Enterprise Key Management Foundation-Web Edition, is key management software that centrally orchestrates and secures the lifecycle of encryption keys across your enterprise for both on-premises and multiple cloud environments, including IBM Cloud®, AWS KMS, Azure Key Vault and Google Cloud.

Unified Key Orchestrator for z/OS (UKO for z/OS) can help your enterprise manage and move key management workloads across and between your on-premises and cloud environments, assisting with compliance and security. With UKO for z/OS, you can manage your encryption keys across your enterprise from a single, trusted user interface. Deployed as z/OS software, UKO for z/OS enables you to orchestrate keys across all your IBM z/OS systems and multiple public clouds. It also extends support to key management for zKey on Linux® on IBM Z® and IBM Security® Guardium® Key Lifecycle Manager. Unified Key Orchestrator for z/OS is also designed for key management specific to IBM z/OS data set encryption to support your IBM Z Pervasive Encryption journey.


Benefits

Unified key management

Orchestrate your keys across your enterprise for both on-premises and cloud environments from a single pane of glass.

Multicloud key management

Prepare and use Bring Your Own Key (BYOK) for a secure transfer to IBM Cloud Key Protect, AWS KMS, Microsoft Azure Vault and Google Cloud.

Central backup and recovery

Back up and recover key material to prevent losing access due to cryptographic erasure.

Data set dashboard

Proactively manage your data set encryption deployment with an enterprise view of which data sets are encrypted and which keys are in use.

Security-rich key generation

Generate hardware-generated keys on IBM Z with the Federal Information Processing Standards (FIPS) 140-2 Level 4 certified IBM CryptoExpress card.

Policy-based key generation

Create key templates to generate keys that adhere to your internal policies, such as enforcing key naming conventions.

Role-based access and dual control

Comply with security standards with role-based access that defines functions for each role, and enforce dual control requiring 2 or more people to activate EKMF.

External RESTful API

Integrate key management with your business processes. Set up keys for Pervasive Encryption, Key Protect, Azure, AWS, zkey, Google Cloud and IBM Security® Guardium® Key Lifecycle Manager (GKLM).

Advanced auditability and compliance

Provide auditors with consolidated key management logs for all keys managed.

Key rotation

Rotate managed keys, including master keys, on demand to comply with your policy requirements.


Use secure repositories with fine-grained access controls known as vaults to enable multi-tenancy and self-service key management.

Secure room operation

Set up UKO for z/OS and Enterprise Key Management Foundation Workstation (EKMF Workstation) for secure room operation.

Technical details

Before installing UKO, review the planning considerations and program requirements.

Program requirements

Review the supported operating systems, related software, hypervisors, hardware requirements and detailed system requirements, including component-level details.

Planning considerations

Review the specific installation skills required to prepare for the installation of UKO.

Resources

zkey with UKO for z/OS on Linux on IBM Z

Learn how to use the zkey utility to perform all the tasks on UKO for z/OS to manage your keys.

z/OS Trusted Key Entry Workstation

Explore a set of wizards to help you manage your Trusted Key Entry (TKE) appliance and your host's crypto modules.

Keys usage for z/OS data set encryption

Find out how many keys should be used for z/OS data set encryption.

Related products

IBM Cloud® Hyper Protect Crypto Services

Protect your data across multicloud environments and keep your own key (KYOK) for exclusive key control.

IBM PCIe Cryptographic Coprocessor

Use a high-performance hardware security module (HSM) for your high-security cryptographic needs.

IBM Security Guardium Key Lifecycle Manager

Centralize, simplify and automate the encryption key management process to protect encrypted data.
