Getting started with pervasive disk encryption

Pervasive disk encryption forms the foundation for pervasive encryption as introduced with IBM® z14™ (z14). With z14 hardware, you can protect data-at-rest against unauthorized access while balancing the constraints of implementation complexity, cost, and system performance.

This publication describes the steps for setting up encrypted data volumes. This setup ensures that the keys used to encrypt the data cannot be stolen and used for offline attacks.

With this setup, you first generate secure keys with IBM cryptographic coprocessors. You then use protected keys, converted from the secure keys, to encrypt and decrypt data efficiently and transparently to applications. Protected key cryptography is supported by the CP Assist for Cryptographic Functions (CPACF). Applications do not require any changes to use the encrypted volumes.