Data at rest encryption with protected key

Video1: Concept video – Chinese version

Concept

You might have heard IBM talking about “pervasive encryption”. In this post we take a look at what’s behind this. Every encryption scheme has the problem of access to the keys. Normal Linux encryption stores the key in clear in kernel memory. From a security perspective this is already way better than no encryption: now someone first needs to hack your Linux to steal your key before they can copy the data and decrypt it.

System Z, and also some other systems, offer the possibility to store keys in a tamper-proof Hardware Security Module (HSM). Then for every read and write operation the data needs to be piped through this card. This makes the approach slow and therefore not really feasible with the exception

System Z offers a unique feature called protected key. This is right now the best combination of security and performance available. Linux on Z is finally able to exploit this, so that everyone can better secure their data on disk against attacks. The concept video above shows how this works.

Video2: how to set up disk encryption with protected keys

Setup / Implementation

The video above guides you through creating the encrypted volumes. There is also an in-depth description in the IBM Knowledge Center or here as pdf. Besides the security increase you also get better usability – you don’t have to enter a passphrase every time your Linux boots, as the real key is stored safely in the tamper-proof card.

For best performance, make sure you use the 4k block size for encryption and, on z14 and later systems, the XTS cipher. With that acceleration the encryption of data is fast enough to be used nearly everywhere.
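As an added example (not part of the post or of IBM’s zkey/cryptsetup tooling), here is a small POSIX shell audit that reads `cryptsetup luksDump` output and flags a LUKS2 volume that does not match the setup recommended above: the protected-key cipher `paes-xts-plain64`, 4096-byte encryption sectors, and a 1024-bit volume key. The key length is an assumption that holds for two 64-byte CCA AES secure keys as used for XTS; other secure-key token formats give a different length, so adjust `WANT_KEYBITS` for your setup. The two dumps embedded below are constructed samples, not output from a real system.

```shell
#!/bin/sh
# Audit LUKS2 volumes for the protected-key setup recommended in the post:
# PAES XTS cipher, 4k sectors, and a secure-key sized volume key.
# Added example; field names follow the layout of `cryptsetup luksDump`.

WANT_CIPHER="paes-xts-plain64"
WANT_SECTOR="4096"
WANT_KEYBITS="1024"   # assumption: two 64-byte CCA AES secure keys (XTS)

# dump_field DUMP FIELD: print the value following "FIELD:" on the first matching line.
dump_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# check_dump DUMP: return 0 if DUMP describes a compliant volume, 1 otherwise.
# Every deviation is reported on stderr so the operator sees what to change.
check_dump() {
    dump=$1
    rc=0
    version=$(dump_field "$dump" Version)
    cipher=$(dump_field "$dump" cipher)
    sector=$(dump_field "$dump" sector)
    keybits=$(dump_field "$dump" Key)

    [ "$version" = "2" ] || { echo "not a LUKS2 header (version: ${version:-?})" >&2; rc=1; }
    [ "$cipher" = "$WANT_CIPHER" ] || { echo "cipher is ${cipher:-?}, want $WANT_CIPHER (clear-key AES?)" >&2; rc=1; }
    [ "$sector" = "$WANT_SECTOR" ] || { echo "sector size is ${sector:-?}, want $WANT_SECTOR" >&2; rc=1; }
    [ "$keybits" = "$WANT_KEYBITS" ] || { echo "volume key is ${keybits:-?} bits, want $WANT_KEYBITS" >&2; rc=1; }
    return $rc
}

# check_device DEV: run the same check against a real block device (needs root).
check_device() {
    check_dump "$(cryptsetup luksDump "$1")"
}

# Constructed (abridged) luksDump output of a volume formatted the recommended way.
GOOD_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-0000-0000-000000000001

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: paes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        1024 bits'

# Constructed luksDump output of a conventional clear-key volume with 512-byte sectors.
WEAK_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           00000000-0000-0000-0000-000000000002

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits'

if [ $# -gt 0 ]; then
    # Usage: sh audit.sh /dev/dasdb1 /dev/dasdc1 ...
    for dev in "$@"; do
        if check_device "$dev"; then echo "$dev: OK"; else echo "$dev: NOT compliant"; fi
    done
else
    check_dump "$GOOD_DUMP" && echo "constructed protected-key volume: OK"
    check_dump "$WEAK_DUMP" || echo "constructed clear-key volume: NOT compliant (as expected)"
fi
```

Without arguments the script checks the two constructed samples; with device paths it runs `cryptsetup luksDump` on each and prints one verdict per device, so it can be dropped into a compliance or boot-time check.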

So now there is no excuse – neither from a security nor from a performance point of view – not to encrypt. This is why IBM refers to this as “pervasive encryption”.

Further Reading

(updated 10/08/2019)
