Linux on IBM Z (zSystems, mainframe): Encrypting swap disks with protected keys (original) (raw)
Within the infrastructure for protected volume encryption, you can generate random protected AES keys without requiring a cryptographic coprocessor. Use these keys for encrypting swap disks, or for other use cases, where keys may be ephemeral.
You can generate volatile protected keys from random data without requiring a cryptographic coprocessor in two ways:
- A program or tool can read from one of the binary read-only sysfsattributes which are located in the /sys/devices/virtual/misc/pkey/protkeydirectory. Each time such an attribute is read, a new random AES protected-key token of the corresponding format is returned. Refer to the applicable Device Drivers, Features, and Commands for information about available key token formats.
- You can issue ioctl calls on the misc character device/dev/pkey to generate and handle protected keys, for example, PKEY_GENPROTKEY. Refer to the applicable Device Drivers, Features, and Commands for more information about available ioctl calls.
During the generation process, the underlying effective key is never exposed in clear in memory. Thepaes_s390 kernel module can use these protected keys in the same way as a protected key derived from a secure key.
This feature is mainly useful for encrypting swap disks, or for any other use cases where the keys may be ephemeral, that means, that their life time does not extend over different boot cycles or machine migrations.
Important: The protected key is volatile and cannot be recreated if lost, for example during a reboot. Do not use protected keys that are generated from random data to encrypt persistent data. Use such a protected key only to protect transient data. Especially, KVM guest migration, z/VM®live guest relocation in a single system image (SSI), or suspend or resume actions are not supported with such randomly generated protected keys.
If you set up your environment as described in Setting up an encrypted swap disk, a volatile random protected key is automatically generated to be used for swap disks.