IBM Z Pervasive Encryption Everything you need to get started quickly. Get started - Play overview Transcript

Pervasive encryption is a consumable approach to enable extensive encryption of data in-flight and at-rest to substantially simplify encryption and reduce costs associated with protecting data and achieving compliance mandates.

The IBM z15™ platform is designed to provide pervasive encryption capabilities to help you protect data efficiently in the digital enterprise.

See what IBM Z Pervasive Encryption can do for your business.

Already started your journey to pervasive encryption?

Tell us about your experience
How to get started

Data set encryption is provided by z/OS® V2R3 or later through the base Data Facility Storage Management Subsystem (DFSMS) component.

Introduction to z/OS data set encryption

Data set encryption enables encryption through the DFSMS access methods.

Hardware and software requirements Application and component specific requirements for Db2®, IMS, CICS®, zFS, and more

Considerations and guidelines for use of encrypted data sets.

Planning z/OS data set encryption How many keys should you use for z/OS data set encryption?

Steps for setting up the environment and creating encrypted data sets.

Setting up z/OS data set encryption

IBM Enterprise Key Management Foundation – Web Edition V2.0 (EKMF Web) provides centralized key management for IBM z/OS data set encryption on IBM Z servers.

Learn more about EKMF Web 2.0

The use of AES Cipher keys, supported with z/OS Pervasive Encryption, provides additional attributes that are bound to the key itself such as export controls and supports stronger key wrapping when used in conjunction with EKMF.

IBM recommends using Cipher Keys for Pervasive Encryption whenever there is a need for keys to remain controlled under equivalently high security, even during key management operations like transfer between systems. For example, as is required by the Payment Card Industry Hardware Security Module Requirements (PCI HSM V1.0 #B2)


The minimum system requirements for using AES Cipher keys for z/OS Pervasive Encryption are z14 with CEX6 and ICSF HCR77C1.

All production, development, test, QA, and disaster recovery systems accessing z/OS data sets encrypted with AES Cipher keys must meet the minimum system requirements.


Coupling facility encryption is provided by z/OS V2R3 or later releases. Coupling facility resource management (CFRM) policy statements are used to enable encryption on a structure-by-structure basis.

Ensure system security, Integrated Cryptographic Service Facility (ICSF) configuration, and cryptographic hardware requirements are met.

Hardware and software requirements

Consider impacts to dump data sets with coupling facility structure data and cryptographic key management.

Planning z/OS coupling facility encryption
Setup Setting up z/OS coupling facility encryption

Identifying where and how network traffic is protected is labor-intensive. z/OS Encryption Readiness Technology (zERT) eases network discovery by monitoring and recording details about your z/OS cryptographic network protection.

Things you should know about zERT


  • z/OS V2R3 or later releases
  • IBM Connect:Direct users must ensure Connect:Direct APAR PI77316 is applied
  • IBM zERT Network Analyzer requires Db2 for z/OS (Db2 11 or later releases)

zERT Capabilities


Discovers the network encryption attributes for each TCP and Enterprise Extender connection.


Summarizes the repetitive use of security sessions over time. Retains the key details about the network encryption attributes. Greatly reduces the number of zERT SMF records in many cases.

IBM zERT Network Analyzer

A web-based graphical user interface to analyze and report on data reported in zERT summary records.

zERT concepts

zERT-enabled cryptographic protocol providers

  • z/OS System SSL (including z/OS AT-TLS)
  • z/OS V2R3 OpenSSH
  • z/OS IPSec support

zERT limitations

Linux encryption for data in-flight

Linux is well equipped for encrypting all data in-flight using protocols like TLS, IPSec, or SSH.

Exploiting the excellent cryptographic performance of the IBM z15™ (all models), IBM LinuxONE Emperor II and LinuxONE Rockhopper II, Linux users can afford to pervasively encrypt their network traffic in a transparent manner using OpenSSL, OpenSSH, and IPSec.

Linux encryption for virtualization

All data volumes assigned to guest operating systems can use pervasive encryption. This applies to:

  • z/VM Guest Coupling Simulation Support is the software that simulates the hardware and software required to run an MVS sysplex environment as second level guests under z/VM." direction="top">z/VM guests
  • KVM guests*
  • All volumes except boot volumes

z/VM® and KVM guests apply pervasive encryption to each piece of guest data at-rest, be it read from or written to a disk.The protected-key dm-crypt technology used protects volume encryption keys from being accessed in plain text format.This protection extends to swap volumes.

Alternatively, a KVM hypervisor can encrypt data at-rest on all volumes, except boot volumes, with dm-crypt technology. Thus, its KVM guests are supplied with encrypted virtual block devices, resulting in transparent data at-rest encryption for all guests.

* Available with Red Hat Enterprise Linux 8.0 and newer distributions, IBM is working with the other Linux distribution partners to include support.

Documentation IBM Z Pervasive Encryption Documentation

Find a comprehensive collection of content about pervasive encryption for IBM Z.

Get started
Technical resources IBM Redbook Getting Started with z/OS Data Set Encryption IBM Techdoc Pervasive encryption FAQs IBM Developer Enterprise Knights of IBM Z IBM Redbook z/OS V2R2 Communications Server TCP/IP Implementation IBM Redbook Reduce Risk and Improve Security on IBM Mainframes IBM Redbook Getting Started with Linux on IBM Z Encryption for Data-at-Rest IBM Support z/OS Data Set Encryption Support LinuxONE - Enterprise Key Management for Pervasive Encryption of Data Volumes

Learn how to easily manage pervasive encryption keys using an enterprise key management solution for Linux on IBM Z and LinuxONE.

New Watch the video (2:28)
IBM Z - Enterprise Key Management for Pervasive Encryption of Data Volumes

Learn about managing pervasive encryption keys using an enterprise key management solution for Linux on IBM Z.

New Watch the video (2:26)
Trusted Key Entry (TKE) Education

This video play list includes introductory information about IBM Trusted Key Entry (TKE).

Watch the video (10:47)
Trusted Key Entry (TKE) Workstation Video Series

Trusted Key Entry (TKE) is a feature of IBM Z and LinuxONE that is used to configure Hardware Security Modules (HSMs) that are installed in the IBM Z or LinuxONE system. This 8-video series guides you through the process of loading CCA master keys from the TKE Workstation, from TKE Power-On to Master Key Load.

View the playlist
IBM Enterprise Key Management Foundation (EKMF) Video

This video provides an overview and a demonstration of the IBM Enterprise Key Management Foundation (EKMF), a highly secure key management system for the enterprise.

Watch the video
IBM Enterprise Key Management Foundation - Web Edition (EKMF Web) for z/OS® Data Set Encryption Video

In this video for z/OS® Data Set Encryption users, you will be given an introduction to EKMF Web, an overview of the architecture and key roles, and a list of EKMF Web pre-requisites.

Watch the video
IBM Enterprise Key Management Foundation - Web Edition Video

This video provides a demonstration of the IBM Enterprise Key Management Foundation Web (EKMF Web) version.

Watch the video
Encrypting DB2 Tables with EKMF Web and zSecure Admin Video

This video provides an end-to-end demonstration of z/OS® data set encryption used to encrypt DB2 tables.

Watch the video
How Many Keys Infographic

Use this visual tool to determine how many keys you should use for z/OS® data set encryption.

View the infographic
z/OS Encryption Readiness Technology (zERT)

z/OS Encryption Readiness Technology (zERT) provides the data that you need to build a complete picture of your z/OS cryptographic network protection posture.

Watch the video (56:14)

A very high level review of SSL/TLS, what AT-TLS is, how it works, why you would want to use it, and a snapshot of AT-TLS configuration.

Watch the video (21:42)
Terminal Talk Podcast

Terminal Talk with Frank and Jeff features Michael Jorden of IBM Z Development discussing pervasive encryption for IBM Z. Search for “Terminal Talk” in iTunes, Google Play, or your favorite podcast app, or click the link below.

Listen to the podcast (31:42)
Linux on IBM Z and LinuxONE: Pervasive encryption for data volumes

See how pervasive encryption for data volumes makes full data volume encryption fast and affordable.

Watch the video (04:57)
Pervasive encryption in z/OS: what about my CF structures and logstreams?

This session explains and gives the details on how to encrypt Coupling Facility list and cache structures, and how to encrypt your CF logstream data.

Watch the video (57:25)
Related solutions Hyper Protect Data Controller

Protect your data as it moves throughout the enterprise and beyond.

z/OS Trusted Key Entry Workstation

Manage IBM Z host cryptographic modules.

What's new Last updated October 8, 2021

Links to z/OS documentation were upated to use the z/OS 2.5.0 library.

IBM Hyper Protect Data Controller content solution

Rate this content solution