What is a Crypto Express EP11 coprocessor ?

An IBM® Crypto Express adapter, which is configured with the Enterprise PKCS #11 (EP11) firmware, is called a Crypto Express EP11 coprocessor (shortly referred to as CEX*P). The Crypto Express4 adapter is the first adapter that can be configured as an EP11 coprocessor (CEX4P). You can also use CEX5Ps or CEX6Ps on the appropriate IBM Z® systems.

The CEX*P adapters provide hardware-accelerated support for crypto operations that are based on the PKCS #11 Cryptographic Token Interface Standard. Access from applications to the functions of a CEX*P adapter is enabled through the EP11 stack. This EP11 stack consists of certain EP11 user space libraries and an EP11 extension in the Linux® AP device driver. Using several layers of interfaces, the PKCS #11 standard requests are propagated to and returned from the CEX*P adapter by the device driver.

A CEX*P adapter is a hardware security module (HSM) that maintains and protects secrets (for example, master keys) such that these secrets cannot be revealed from outside the adapter: No operating system service or application can retrieve these secrets and any trial to physically break into the card destroys its data due to its tamper proof design.

A CEX*P adapter supports cryptographic operations with secure keys. A secure key is a key that is encrypted (wrapped) by a master key that is stored in the adapter. So sometimes, a master key is also referred to with the more general term wrapping key, as for example in document Enterprise PKCS#11 (EP11) Library structure.

Therefore, on the CEX*P adapter, applications can decrypt (unwrap) a secure key and use it for cryptographic operations inside the adapter. Outside the adapter (for example, inside an operating system), a secure key is only available as a binary large object (blob) wrapped by the master key, and cannot be used for cryptographic operations. To use a secure key, an application must call functions on the CEX*P adapter. It is therefore safe to keep a secure key in memory or to store it in a file system.

Cryptographic keys that are not encrypted are called clear keys. If a clear key is stored in memory or in a file, unauthorized access to that memory or file must carefully be prevented. Otherwise, the key can be stolen and used to decrypt protected information. The CEX*P adapters do not support clear key cryptography.

The maximum number of supported domains depends on the mainframe model and is the same for all Crypto Express EP11 coprocessors in that mainframe. For example, an IBM z14® (z14) supports up to 85 domains (with hexadecimal domain IDs 0000 to 0054). Each domain acts like an EP11 coprocessor, but maintains its own master key. That means, that the master key of one domain cannot be accessed by another domain. Different domains of a crypto adapter may be assigned to different LPARs or z/VM® guests, such that multiple LPARs or guests can share one Crypto Express EP11 coprocessor without sharing their master keys.