SHARE Fort Worth - Request for Chairs

2020-01-13 Thread John Crossno
Hi! Hopefully most of you have registered for SHARE if you are going. If you haven't been looking at the sessions you're going to attend, now might be a good time to start reviewing them. If you have, great! In either case, there's a high likelihood that you're going to attend one or more of the se

Re: Pervasive disk encryption questions

2020-01-13 Thread Reinhard Buendgen
Thanks for catching this: I wanted to say Only the CCA and EP11 types provide support for secure key crypto. ... and support to transform secure keys into protected keys. -Reinhard On 13.01.20 18:22, R. J. Moore wrote: Reinhard, one correction I think: >> When you want to use secure key cryp

Re: Pervasive disk encryption questions

2020-01-13 Thread R. J. Moore
Reinhard, one correction I think: >> When you want to use secure key crypto you must define your crypto adapter domain in the guest as dedicated adapter (APDED for z/VM guests, for KVM guests currently only dedicated adapter domains are supported). >> Dedicated adapter domains can be of any typ

Re: Pervasive disk encryption questions

2020-01-13 Thread Reinhard Buendgen
Ingo is correct.  Each domain on an adapter functions as a separate HSM. So you have 85 times 16 HSMs on an enterprise class machine and 40 times 16 HSMs on a business class machine. Each of these HSMs can be configured with a different master key.  - Having as many domains as LPARs is just coinci

Re: Pervasive disk encryption questions

2020-01-13 Thread Ingo Adlung
Hey Marcy, I'm not the crypto expert (Reinhard please jump in) but aren't we talking about crypto domain dedication? I.e. not dedicating complete cards ... don't know about z14/z15 but with z13 we supported up to 85 domains per LPAR per single adapter like described here: https://www.ibm.com/suppo

Re: Pervasive disk encryption questions

2020-01-13 Thread Reinhard Buendgen
Hi, with our Crypto HW we distinguish from a security dimension - clear key crypto (keys reside in plain text in memory) - secure key crypto (keys are wrapped by (master) keys hidden in a Crypto adapter aka HSM) - protected key crypto (keys are wrapped by keys hidden in firmware not accessible

Re: Pervasive disk encryption questions

2020-01-13 Thread Marcy Cortes
Thanks! Was hoping you'd respond. So essentially to do the disk encryption stuff documented here https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxdc/lxdc_linuxonz.html one has to dedicate to the guest. If I can put 16 cards on a z15, I'm essentially limited to 8 gue

Re: Pervasive disk encryption questions

2020-01-13 Thread Reinhard Buendgen
Hi, crypto adapter domains defined for z/VM guests with APVIRT are restricted to perform clear key crypto operations (possibly including random number generations). Regardless whether the backing adapters are in accelerator mode or in CCA mode (AP-virt does not support adapters in EP11 mode)