Pervasive encryption is a consumable approach to enable extensive encryption of data in-flight and at-rest to substantially simplify encryption and reduce costs associated with protecting data and achieving compliance mandates.
IBM Z® is designed to provide pervasive encryption capabilities to help you protect data efficiently in the digital enterprise.
Already started your journey to pervasive encryption?
Data set encryption is provided by z/OS® V2R3 or later through the base
Introduction to z/OS data set encryption
Data set encryption enables encryption through the
Considerations and guidelines for use of encrypted data sets.
Steps for setting up the environment and creating encrypted data sets.
Unified Key Orchestrator for IBM z/OS (UKO for z/OS) provides centralized key management for IBM z/OS data set encryption on IBM Z servers.
AES Cipher keys, supported with z/OS Pervasive Encryption, carry additional attributes that are bound to the key itself, such as export controls, and support stronger key wrapping when used in conjunction with UKO for z/OS.
IBM recommends using Cipher Keys for Pervasive Encryption whenever keys must remain under equivalently high security controls even during key management operations such as transfer between systems, as is required, for example, by the Payment Card Industry Hardware Security Module Requirements (PCI HSM V1.0 #B2).
Requirements
The minimum system requirements for using AES Cipher keys for z/OS Pervasive Encryption are z14 with CEX6 and ICSF HCR77C1.
All production, development, test, QA, and disaster recovery systems accessing z/OS data sets encrypted with AES Cipher keys must meet the minimum system requirements.
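As an added, worked illustration of the setup steps referred to above (this is an example written for this page, not code from the IBM documentation), the job below assigns an encryption key label to a data set name pattern through RACF and then allocates an encrypted data set. All names in it (the job, the application user ID PAYAPP, the key label DATASET.PAYAPP.KEY01, the data set names) are hypothetical. It assumes that an AES-256 secure key already exists in the ICSF CKDS under that label (a DATA key, or a Cipher key on the z14/CEX6/HCR77C1 minimum stated above), that the AES master key is loaded, that the CSFKEYS class is active and RACLISTed, and that generic DATASET profiles are enabled.

```jcl
//DSENCSET JOB (ACCT),'DS ENCRYPTION SETUP',CLASS=A,MSGCLASS=X
//*---------------------------------------------------------------
//* Added example (hypothetical names). Step 1: RACF definitions.
//* - The CSFKEYS profile protects the key label; UACC(NONE) means
//*   nobody can use the key unless explicitly permitted.
//* - SYMCPACFWRAP(YES)/SYMCPACFRET(YES) let ICSF hand the key to
//*   DFSMS as a CPACF protected key, so the clear key value never
//*   appears in z/OS storage.
//* - DATAKEY in the DFP segment binds the label to every new data
//*   set matching PAYAPP.ENC.**, with no JCL changes needed.
//*---------------------------------------------------------------
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE CSFKEYS DATASET.PAYAPP.KEY01 UACC(NONE) -
   ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
 PERMIT DATASET.PAYAPP.KEY01 CLASS(CSFKEYS) ID(PAYAPP) ACCESS(READ)
 ADDSD 'PAYAPP.ENC.**' UACC(NONE) DFP(DATAKEY(DATASET.PAYAPP.KEY01))
 PERMIT 'PAYAPP.ENC.**' CLASS(DATASET) ID(PAYAPP) ACCESS(UPDATE)
 SETROPTS RACLIST(CSFKEYS) REFRESH
 SETROPTS GENERIC(DATASET) REFRESH
/*
//*---------------------------------------------------------------
//* Step 2: allocate an encrypted data set. Encrypted data sets
//* must be SMS-managed and extended format (DSNTYPE=EXTREQ); the
//* ACS routines are assumed to assign the storage class. The key
//* label is picked up from the DFP segment defined in step 1.
//*---------------------------------------------------------------
//ALLOC    EXEC PGM=IEFBR14
//ENCDS    DD DSN=PAYAPP.ENC.CUSTOMER.DATA,
//            DISP=(NEW,CATLG,DELETE),
//            DSNTYPE=EXTREQ,
//            SPACE=(CYL,(10,5)),
//            RECFM=FB,LRECL=80,BLKSIZE=0
```

The DFP segment is one of several places the key label can come from; an SMS data class, the DSKEYLBL= keyword on a DD statement, IDCAMS DEFINE KEYLABEL and dynamic allocation are the others. When the label is supplied by JCL, IDCAMS or dynamic allocation rather than by a profile, the caller additionally needs READ access to the FACILITY profile STGADMIN.SMS.ALLOW.DATASET.ENCRYPT. Two checks worth running after the job: IDCAMS LISTCAT ... ALL on the new data set should show the key label in the catalog entry, and a user holding UPDATE on the data set but no READ on the CSFKEYS profile should fail to open it, which is the separation of duties that makes the key label, not the data set profile, the real control.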
Coupling facility encryption is provided by z/OS V2R3 or later releases. Coupling facility resource management (CFRM) policy statements are used to enable encryption on a structure-by-structure basis.
Ensure system security, Integrated Cryptographic Service Facility (ICSF) configuration, and cryptographic hardware requirements are met.
Consider impacts to dump data sets with coupling facility structure data and cryptographic key management.
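As an added example of the structure-by-structure CFRM policy control described above (written for this page, not taken from the IBM documentation), the job below defines a policy in which one structure is encrypted and one is not. The policy name, coupling facility identifiers and structure names are hypothetical.

```jcl
//CFRMENC  JOB (ACCT),'CFRM ENCRYPT',CLASS=A,MSGCLASS=X
//*---------------------------------------------------------------
//* Added example (hypothetical names). Defines CFRM policy
//* CFRMPOL2 with ENCRYPT(YES) on one structure. Activate it with
//*   SETXCF START,POLICY,TYPE=CFRM,POLNAME=CFRMPOL2
//* An already-allocated structure only takes on the new ENCRYPT
//* setting after it is rebuilt, e.g.
//*   SETXCF START,REBUILD,STRNAME=PAYAPP_LOGSTR
//*---------------------------------------------------------------
//DEFPOL   EXEC PGM=IXCMIAPU
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DATA TYPE(CFRM) REPORT(YES)
  DEFINE POLICY NAME(CFRMPOL2) REPLACE(YES)
    CF NAME(CF01) TYPE(003906) MFG(IBM) PLANT(02)
       SEQUENCE(0000000A1B2C) PARTITION(0A) CPCID(00)
    CF NAME(CF02) TYPE(003906) MFG(IBM) PLANT(02)
       SEQUENCE(0000000A1B2D) PARTITION(0B) CPCID(00)
    /* Structure holding sensitive application data: encrypt */
    STRUCTURE NAME(PAYAPP_LOGSTR)
              SIZE(128M) INITSIZE(64M)
              PREFLIST(CF01,CF02)
              ENCRYPT(YES)
    /* Structure chosen to stay in the clear: explicit NO  */
    STRUCTURE NAME(PAYAPP_CACHE1)
              SIZE(64M)
              PREFLIST(CF01,CF02)
              ENCRYPT(NO)
/*
```

Coding ENCRYPT(NO) explicitly on structures that are deliberately left in the clear keeps the policy self-documenting and makes a later review (which structures carry sensitive data and are not yet encrypted?) a matter of reading the policy rather than remembering defaults. Every system that connects to an encrypted structure needs ICSF active with access to the same key material, which is what the ICSF configuration and hardware requirements listed above are about; a system that cannot use the key cannot connect to the structure.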
Identifying where and how network traffic is protected is labor-intensive. z/OS Encryption Readiness Technology (zERT) eases network discovery by monitoring and recording details about your z/OS cryptographic network protection.
Things you should know about zERT
Requirements
- z/OS V2R3 or later releases
- IBM Connect:Direct users must ensure Connect:Direct APAR PI77316 is applied
- IBM zERT Network Analyzer requires Db2 for z/OS (Db2 11 or later releases)
zERT Capabilities
Discovers the network encryption attributes for each
Summarizes the repetitive use of security sessions over time. Retains the key details about the network encryption attributes.
Greatly reduces the number of
A web-based graphical user interface to analyze and report on the data captured in zERT summary records.
- What does zERT manage and collect?
- How does zERT summarize and provide the information?
zERT-enabled cryptographic protocol providers
- z/OS System SSL (including z/OS AT-TLS)
- z/OS V2R3 OpenSSH
- z/OS IPSec support
zERT Network Analyzer
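As an added example of turning on the monitoring and recording described above (written for this page, not taken from the IBM documentation), the PROFILE.TCPIP fragment below enables zERT discovery with aggregation and routes both kinds of record to SMF. The stack and profile member names are assumed rather than given on the page.

```text
; PROFILE.TCPIP fragment (added example, hypothetical stack)
;
; Turn on zERT discovery and, with it, aggregation. NOZERT is the
; default, so nothing is collected until this is coded.
GLOBALCONFIG ZERT AGGREGATION
;
; Record the results in SMF type 119: subtype 11 (ZERTDETAIL,
; per-connection discovery records) and subtype 12 (ZERTSUMMARY,
; the aggregated records that zERT Network Analyzer loads into
; Db2).
SMFCONFIG TYPE119 ZERTDETAIL ZERTSUMMARY
```

The change can be applied to a running stack with VARY TCPIP,,OBEYFILE naming the data set member that holds it, and D TCPIP,,NETSTAT,CONFIG shows the resulting GLOBALCONFIG settings. One caveat for anyone building a protection inventory from these records: zERT sees only the protocol providers listed above. A connection protected by something zERT cannot observe shows up with no recognized protection, so an "unprotected" entry is a prompt to investigate, not by itself proof that the traffic is in the clear.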
Videos
Pervasive Encryption for Data Volumes
Setting up Data Volumes for Pervasive Encryption - In less than ten minutes
Publications
Linux on IBM Z and LinuxONE: Pervasive Encryption for Data Volumes
Linux on IBM Z and LinuxONE: How to set an AES Masterkey
IBM Redbook: Getting Started with Linux on IBM Z Encryption for Data At-Rest
Linux is well equipped for encrypting all data in-flight using protocols like
Exploiting the excellent cryptographic performance of the IBM z15™ (all models), IBM LinuxONE Emperor II and LinuxONE Rockhopper II, Linux users can afford to pervasively encrypt their network traffic in a transparent manner using OpenSSL, OpenSSH, and IPSec.
All data volumes assigned to guest operating systems can use pervasive encryption. This applies to z/VM guests and KVM guests*: all volumes except boot volumes.
z/VM® and KVM guests apply pervasive encryption to each piece of guest data at-rest, whether it is read from or written to a disk. The protected-key dm-crypt technology used keeps volume encryption keys wrapped under a CPACF wrapping key, so the clear key value is never exposed in the guest's memory. This protection extends to swap volumes.
Alternatively, a KVM hypervisor can encrypt data at-rest on all volumes, except boot volumes, with dm-crypt technology. Thus, its KVM guests are supplied with encrypted virtual block devices, resulting in transparent data at-rest encryption for all guests.
* Available with Red Hat Enterprise Linux 8.0 and newer distributions; IBM is working with the other Linux distribution partners to include support.
Find a comprehensive collection of content about pervasive encryption for IBM Z.
Learn how to easily manage pervasive encryption keys using an enterprise key management solution for Linux on IBM Z and LinuxONE.
Learn about managing pervasive encryption keys using an enterprise key management solution for Linux on IBM Z.
Trusted Key Entry (TKE) is a feature of IBM Z and LinuxONE that is used to configure Hardware Security Modules (HSMs) that are installed in the IBM Z or LinuxONE system. This 8-video series guides you through the process of loading CCA master keys from the TKE Workstation, from TKE Power-On to Master Key Load.
Use this visual tool to determine how many keys you should use for z/OS® data set encryption.
z/OS Encryption Readiness Technology (zERT) provides the data that you need to build a complete picture of your z/OS cryptographic network protection posture.
A very high level review of SSL/TLS, what AT-TLS is, how it works, why you would want to use it, and a snapshot of AT-TLS configuration.
Terminal Talk with Frank and Jeff features Michael Jorden of IBM Z Development discussing pervasive encryption for IBM Z. Search for “Terminal Talk” in iTunes, Google Play, or your favorite podcast app, or click the link below.
See how pervasive encryption for data volumes makes full data volume encryption fast and affordable.
Manage IBM Z host cryptographic modules.
Links to z/OS documentation were updated to use the z/OS 2.5.0 library.