You might have heard IBM talking about “pervasive encryption”. In this post we take a look at what’s behind this. Every encryption scheme has the problem of access to the keys. Normal Linux encryption stores the key in clear in kernel memory. From a security perspective this is already way better than no encryption: someone first needs to hack your Linux to steal the key before they can copy the data and decrypt it.
System Z and also some other systems offer the possibility to store keys in a tamper-proof Hardware Security Module (HSM). Then for every read and write operation the data needs to be piped through this card, which makes this approach slow and therefore not really feasible with the exception
System Z offers a unique feature called protected key. This is right now the best combination of security and performance available. Finally Linux on Z is able to exploit this, so that everyone can better secure their data on disk from attacks. The concept video above shows how this works.
Setup / Implementation
The video above guides you through creating the encrypted volumes. There is also an in-depth description in the IBM Knowledge Center or here as a pdf. Besides the security increase you also get better usability: you don’t have to enter a passphrase every time your Linux boots, as the real key is stored safely in the tamper-proof card.
For best performance, make sure you use the 4k block size for encryption and, on z14 and later systems, the XTS cipher. With that acceleration, the encryption of data is fast enough to be used nearly everywhere.
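As an added example (not code from this post or from IBM), here is a small POSIX shell check that audits the text of `cryptsetup luksDump <device>` (LUKS2 format, cryptsetup 2.x) for the settings described above: a protected-key cipher (`paes-xts-plain64`) instead of a clear-key `aes-*` cipher, and a 4096-byte sector size. The two dump samples are constructed; the field names follow the LUKS2 dump layout.

```shell
#!/bin/sh
# Added example: check a LUKS2 header dump for protected-key XTS and 4k sectors.
# Input is the output of `cryptsetup luksDump <device>` (cryptsetup 2.x, LUKS2).

# Constructed sample: protected key (paes), XTS mode, 4096-byte sectors.
SAMPLE_GOOD='LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: paes-xts-plain64
        sector: 4096 [bytes]'

# Constructed sample: clear key in kernel memory (aes), 512-byte sectors.
SAMPLE_WEAK='LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]'

# check_dump DUMP_TEXT: prints findings; returns 0 only if all recommended settings hold.
check_dump() {
    dump="$1"
    # The data segment's cipher line is lowercase "cipher:"; keyslot lines use "Cipher:".
    cipher=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*cipher:[[:space:]]*//p' | head -n 1)
    sector=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*sector:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1)
    rc=0
    case "$cipher" in
        paes-xts-*) echo "ok: protected-key XTS cipher ($cipher)" ;;
        paes-*)     echo "warn: protected key but not XTS ($cipher); use XTS on z14 and later"; rc=1 ;;
        *)          echo "fail: clear-key cipher (${cipher:-none}); key lives in kernel memory, not the HSM"; rc=1 ;;
    esac
    if [ "$sector" = "4096" ]; then
        echo "ok: 4k sector size"
    else
        echo "warn: sector size ${sector:-unknown}; 4096 gives the best throughput"; rc=1
    fi
    return $rc
}

# On a live s390x system: check_dump "$(cryptsetup luksDump /dev/dasdc1)"
```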
So there is now no excuse, from either a security or a performance point of view, not to encrypt. This is why IBM refers to this as “pervasive encryption”.
- Pervasive Encryption: A Guide to Protecting your Data-At-Rest Using dm-crypt With Protected Keys (in depth presentation)
- Linux Security and Performance (performance details)
- Pervasive Encryption for Data Volumes (IBM documentation)
- IBM Redbook “Getting Started with Linux on Z Encryption for Data At-Rest” (pdf)
- Live Virtual class: End-to-end Encryption of Data at Rest for Linux on IBM Z and LinuxONE (pdf, recording)
- Live Virtual class: Pervasive Encryption with Linux on IBM Z: from a performance perspective (pdf, recording)
- Chinese version of concept video