Crypto cards also give you the ability to use "Protected keys". These are the keys used by DFSMS in encrypting data files. Protected key processing uses the Crypto card to access a securely encrypted key from the ICSF CKDS and then provides high-speed access to the key using CPACF operations.

Lennie
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Phil Smith III
Sent: 03 October 2025 16:00
To: [email protected]
Subject: Re: ZSeries Crypto Cards - Decision Table?

Crypto cards are MOSTLY for improved security, so keys don't reside in the clear on the system. The exception is TLS handshake, where they can help with performance.

Are you going to be doing a LOT of separate connections? If not, I'm not sure I'd worry about it for TLS--a few connections isn't a big deal. Many thousands/millions, yes.

Are you going to be doing a LOT of separate encryption operations (millions/billions)? If so, then realize that each call to the CEX is an I/O. A lot of small operations will be MORE expensive than doing it in software, especially using CPACF.

Are there worries about security of the keys? Regulatory requirements might mean using an HSM (which is what the CEX is) isn't optional.

"at least AES256 or higher" -- AES-256 is considered quantum-safe, so if it's symmetric encryption, that should be "high" enough. Is it? If it's asymmetric, there are more questions to answer--AES isn't asymmetric, for starters.

"with TLS 1.2 or higher" -- use TLSv1.3, no reason not to.

"encrypt traffic across network pipe using at least AES256" -- are you planning to encrypt the data, transmit THAT wrapped with TLS, and then decrypt at the other end? If so, how will keys be shared between the systems?

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Steve Estle
Sent: Friday, October 3, 2025 8:25 AM
To: [email protected]
Subject: ZSeries Crypto Cards - Decision Table?

All,

Am working with a financial institution that needs to encrypt traffic across a network pipe using at least AES256 or higher encryption protocol with TLS 1.2 or higher, that will lead to an eventual proof of concept involving new Z replication software that will propagate / replicate change logs for CICS and DB2.

They do not currently have crypto accelerator cards installed in Z processor(s). They are running ZOS 3.1. What I am looking for is a clear decision tree / matrix to determine if crypto cards are required or not - I understand they can reduce CPU overhead, but beyond optimized encryption / decryption what are the gating factors that drive the need for crypto hardware cards (I know they are needed for pervasive encryption for data at rest), but less clear on when they are absolutely required for network encryption related purposes. All input / reference materials (Redbooks, Share, etc.) are appreciated.

Thanks,

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
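Phil's advice (TLSv1.3, AES-256, nothing weaker) written out as a z/OS AT-TLS policy fragment for the replication listener, added here as an illustration and not taken from any poster's configuration. The rule, action and cipher-parms names, the port 5000 and the keyring name TLSRING are assumptions; the first block shows the weaker shape to avoid, the second the hardened one.

```text
# Weaker shape (assumed example): TLSv1.3 left off and an AES-128 suite allowed.
TTLSEnvironmentAdvancedParms    ReplWeakAdv
{
  TLSv1.2                       On
  TLSv1.3                       Off
}
TTLSCipherParms                 ReplWeakCiphers
{
  V3CipherSuites                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}

# Hardened shape: TLSv1.3 preferred, TLSv1.2 only as fallback, AES-256-GCM only.
# Port 5000 and keyring TLSRING are assumed values for the replication listener.
TTLSRule                        ReplInbound
{
  LocalPortRange                5000
  Direction                     Inbound
  TTLSGroupActionRef            ReplGroup
  TTLSEnvironmentActionRef      ReplEnv
}
TTLSGroupAction                 ReplGroup
{
  TTLSEnabled                   On
}
TTLSEnvironmentAction           ReplEnv
{
  HandshakeRole                 Server
  TTLSKeyringParms
  {
    Keyring                     TLSRING
  }
  TTLSCipherParmsRef            ReplCiphers
  TTLSEnvironmentAdvancedParms
  {
    TLSv1.3                     On
    TLSv1.2                     On
    TLSv1.1                     Off
    TLSv1                       Off
    SSLv3                       Off
  }
}
TTLSCipherParms                 ReplCiphers
{
  # TLSv1.3 suite first, then the only TLSv1.2 suite that still meets AES-256.
  V3CipherSuites                TLS_AES_256_GCM_SHA384
  V3CipherSuites                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
```

The sending side needs the mirror rule with Direction Outbound and HandshakeRole Client, referencing the same cipher list so both ends can only agree on AES-256-GCM.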
