I'll point you to the IBM Crypto performance whitepapers, available at www.ibm.com/systems/z/advantages/security/z10cryptography.html. (Look on the right under 'Learn More' for your machine type.) The numbers are very ivory tower, and your mileage will vary, however, you can use these numbers to compare clear key, secure key and protected key.
Rob: Protected key does rely on one trip to the Crpyto Express card. Since a protected key begins life as a secure key, the operational key must first be decrypted from under the master key (inside the CEX3) but then it is wrapped using the wrapping key. That operational key is then unwrapped inside the CPACF hardware. And as Phil and Rob point out, blocking can have a significnat impact on performance. That's easy to see in the white papers too since they provide results for various blocksizes. The crypto hardware (both CPACF and CEX card) is designed to handle large blocks of data and you'll get the best throughput with large blocks. So your application design Greg Boyd IBM Advanced Technical Support Supporting Crypto on System z ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN