IBM 4769 Crypto Card

Available as IBM Z® feature CEX7S, IBM Power Systems™ features EJ35 and EJ37, and x64 MTM 4769-001

4769 overview

The IBM 4769 Cryptographic Coprocessor is the latest generation and fastest of IBM's PCIe hardware security modules (HSMs). Its predecessors are the IBM 4768, IBM 4767, and IBM 4765.

The IBM 4769 is designed for improved performance and security rich services for your sensitive workloads, and to deliver high throughput for cryptographic functions. For a detailed summary of the capabilities and specifications of the IBM 4769, refer to the IBM 4769 Data Sheet (PDF, 383 KB).

Top view of 4769 Coprocessor version 4

Security certifications

FIPS 140-2 Level 4 – Highest cryptographic security level available

FIPS 140 defines security requirements for cryptographic modules. It is issued by the U.S. National Institute of Standards and Technology (NIST) and is widely used as a measure of the security of HSMs. The certification for the IBM CEX7S at Level 4, the highest level of certification achievable for commercial cryptographic devices, is in NIST's Coordination phase (link resides outside of


PCI HSM is the "Payment Card Industry Hardware Security Module" standard issued by the PCI Security Standards Council. It defines physical and logical security requirements for HSMs that are used in the finance industry. PCI HSM is one of the standards in the PCI PIN Transaction Security (PTS) device group. To view IBM firmware levels and devices that have achieved this certification, search by 'Company name' for "IBM Corporation" on the PCI PTS website (link resides outside of

Available on multiple platforms

The IBM 4769 is available on the following platforms:

IBM Z server


IBM Power Systems Server

IBM Power Systems

x64 server

x64 servers

IBM Z mainframe

The IBM 4769 is available as feature code (FC) 0898 and 0899 (Crypto Express7S, or CEX7S) on IBM Z mainframes (z15® only), either on z/OS® or Linux® on z Systems® operating systems.

  • FC 0898 and 0899 require FC 3863 - CPACF (Central Processor Assist for Cryptographic Functions) DES/TDES Enablement. CPACF is a set of cryptographic instructions providing improved performance through hardware acceleration. Using the cryptographic hardware, you gain security from using the CPACF and the Crypto feature through in-kernel cryptography APIs, and for Linux on z Systems the libica cryptographic functions library. Cryptographic keys must be protected by your application system, as required.

  • On z/OS, IBM offers the Integrated Cryptographic Service Facility (ICSF) component that ships with the base product. ICSF is the software on z/OS that provides access to the IBM Z CEX7S cryptographic hardware feature through the use of callable services that comply with IBM's Common Cryptographic Architecture (CCA). ICSF together with the IBM Resource Access Control Facility (RACF®) licensed program provide cryptographic services using the CCA security API.

  • On Linux on IBM Z, IBM offers a CCA API for the CEX7S and an IBM Enterprise PKCS #11 (EP11) API to the user. The CCA API shipped with the CEX7S is an enhanced version of the CCA API shipped with the CEX6S, CEX5S, CEX4S, or CEX3.

IBM Power Systems

The IBM 4769 is available as FC EJ35, Customer Card Identification Number (CCIN) C0AF (without blind-swap cassette custom carrier) and as FC EJ37, CCIN C0AF (with blind-swap cassette custom carrier) on IBM Power10® servers, either on IBM AIX®, IBM i®, or PowerLinux® (Red Hat® Enterprise Linux (RHEL) or SUSE® Linux Enterprise Server (SLES)) operating systems. It is also available as FC EJ35 and EJ37 on IBM Power9® servers, either on IBM AIX or IBM i.

x64 servers

The IBM 4769 is available as a machine type-model 4769-001 on x64 servers on supported RHEL 64-bit operating systems. IBM offers a Common Cryptographic Architecture (CCA) Support Program for the IBM 4769 PCIe Cryptographic Coprocessor, at no charge, to the user. CCA for the 4769 is an enhanced version of the CCA Support Program shipped with the IBM 4767 PCIe Cryptographic Coprocessor.

IBM 4769 hardware

The IBM 4769 hardware provides significant performance improvements over its predecessors while enabling future growth. The secure module contains redundant IBM PowerPC 476 processors, custom symmetric key and hashing engines to perform AES, DES, TDES, SHA-1 and SHA- 2, MD5 and HMAC as well as public key cryptographic algorithm support for RSA and Elliptic Curve Cryptography. Other hardware support includes a secure real-time clock, hardware random number generator and a prime number generator. The secure module is protected by a tamper responding design that protects against a wide variety of attacks against the system.

schematic of hardware layout.

Reliability, Availability, and Serviceability (RAS)

Hardware has also been designed to support the highest level of RAS requirements that enables the secure module to self-check at all times. This is achieved by running a pair of PowerPC processors in lock step and comparing the result from each cycle by cycle. Also all interfaces, registers, memory, cryptographic engines, and buses are protected at all times using parity, ECC (Error Correcting Codes), or CRC. Power on self-tests that are securely stored inside the secure module verify the hardware and firmware loaded on the module is secure and reliable at every power on. Then, the built-in RAS features check it continuously in real time.

Embedded certificate

During the final manufacturing step, the coprocessor generates a unique public/private key pair which is stored in the device. The tamper detection circuitry is activated at this time and remains active throughout the useful life of the coprocessor, protecting this private key as well as other keys and sensitive data. The public key of the coprocessor is certified at the factory by an IBM private key and the certificate is retained in the coprocessor. Subsequently, the private key of the coprocessor is used to sign the coprocessor status responses which, in conjunction with a series of public key certificates, demonstrate that the coprocessor remains intact and is genuine.

Tamper responding design

The IBM 4769 HSM is designed to meet the NIST FIPS 140-2 Level 4 requirements by protecting against attacks that include probe penetration or other intrusion into the secure module, side-channel attacks, power manipulation, and temperature manipulation. From the time of manufacture, the hardware is self-protecting by using tamper sensors to detect probing or drilling attempts. If the tamper sensors are triggered, the HSM destroys critical keys and certificates, and is rendered permanently inoperable. Note therefore that the HSM must be maintained at all times within the temperature, humidity, and barometric pressure ranges specified. Refer to the environmental requirements section below.

Tamper Enclosure Diagram showing secured components and circuitry, emc shield and hardware security module board.

CEX7S Technical specifications

Physical characteristics

Card type:   Half-height, half-length PCIe x4 card 
                       PCI Local Bus Specification 2.2
                       PCIe specification 1.1

Voltage:       +3.3 VDC ± 10% 23.44 W max

Required:     25 W min

System requirements

This section describes requirements for the system in which the CEX7S is installed.

Hardware                           The CEX7S can be installed in an IBM Z mainframe (currently, z15® only).

Environmental requirements

From the time of manufacture, the IBM CEX7S cryptographic card must be shipped, stored, and used within the following environmental specifications. Outside of these specifications, the CEX7S tamper sensors can be activated and render the CEX7S permanently inoperable.

Shipping: The card should be shipped in original IBM packaging (electrostatic discharge bag with desiccant and thermally insulated box with gel packs).

Temp                                         -34°C to +60°C

Pressure                                   min 550 mbar (maximum altitude 16 000 feet)

Humidity                                   5% to 100% RH

Storage: The card should be stored in electrostatic discharge bag with desiccant.

Temp                                          +1°C to +60°C

Humidity                                     5% to 80% RH

Pressure                                     min 700 mbar (maximum altitude 10 000 feet)

Operation: (ambient in system)

Temp                                         +5°C to +35°C

Humidity                                    8% to 85% RH

Pressure / altitude (max)       min 700 mbar (maximum altitude 10 000 feet)

Airflow (minimum)                 300 LFM (air velocity over the secure module)