Your KEY to success for Pervasive Encryption and Multicloud Key Management Isabel Arnold IBM Denmark, CryptoCenter November 2020 Session 2AW


  • Your KEY to success for Pervasive Encryption and Multicloud Key Management

    Isabel Arnold, IBM Denmark, CryptoCenter

    November 2020, Session 2AW

  • The safest door in the world becomes useless

    If you lose your keys

  • Encryption made easy with IBM Z Pervasive Encryption

    – Encrypt data automatically, immediately and efficiently at the time it is written

    – Decouple encryption from data classification

    • Reduce labor-intensive data classification work

    • Reduce risks associated with incorrect classified or undiscovered sensitive data

    – Achieve application transparent encryption

    IBM Crypto Competency Center / © 2020 IBM Corporation 3

    But where to keep your encryption keys?

  • Do I need a key management system?

    Yes, if you want any of these:

    More than 10 keys

    Periodic, staggered key rotation

    Avoid manual distribution

    Easy overview of keys

    Keystore backup and recovery of individual keys

    Strong security and compliance for key management operations (e.g. dual control)

    Enforced key naming conventions

    Downsides of < 10 keys

    Large amount of encrypted data affected if a single key is compromised

    Less granular control of how to separate people from data

    Difficult to stagger rotation periods for keys


    You need good dataset naming conventions!

    Example hierarchy: PROD → App1 / Data1, App2 / Data2, … AppN / DataN

    Example names: PROD.APP1.PAYROLL.VER7, PROD.APP2.LOG.VER10

  • EKMF Web for Pervasive Encryption on IBM Z

    When implementing pervasive encryption it is very important that a robust key management system is in place.

    IBM Enterprise Key Management Foundation (EKMF) has a proven record of meeting the key management requirements you find in large financial companies like banks and card processors.

    IBM offers EKMF Web for Pervasive Encryption that helps you manage the keys involved in dataset encryption.


  • EKMF Web for PE features

    Single central key repository

    • Stores metadata (activation dates, usage, etc.)

    • Single-point backup and recovery

    Key Management

    • Generation based on policies

    • According to NIST recommendations

    • Using Hardware Security Modules (HSM)

    Pervasive Encryption Support

    • Dataset dashboard

    • Import and management of existing PE keys

    • Central support for multiple z/OS systems

    Security & Compliance

    • Role-based access

    • Dual control implemented using separation of privileges

    • Audit logging


  • EKMF components

    Web Browser with EKMF Web
    ✓ Browser-based key generation & management for Pervasive Encryption and Cloud (Cloud not in product version yet)

    EKMF Workstation
    ✓ Can be placed in secure room
    ✓ Utilizes IBM 4767 HSM
    ✓ Generate new keys by users authenticated with smart cards or automatically based on requests

    Central EKMF repository
    ✓ Contains keys and metadata for all cryptographic keys produced by EKMF
    ✓ Easy backup and recovery of key material

    Hardware Security Modules: IBM Crypto Express, IBM 476x (FIPS 140-2 Level 4, PCI)

    Also shown in the component diagram: Cloud key stores, Custom

  • EKMF Web Architecture

    Architecture diagram (labels only): Web Browser; z/OS with Crypto Express (CEX4S), ICSF, CKDS, EKMF agent, Liberty, EKMF Web, Master Catalog, EKMF datasets database, EKMF key repository, PE Dataset Scanner Job; Cloud key stores

  • EKMF Web prereqs

    Same architecture diagram (labels only): z/OS with Crypto Express (CEX4S), ICSF, CKDS, EKMF agent, Liberty, EKMF Web, Master Catalog, EKMF datasets database, EKMF key repository, Dataset Scanner Job; Web Browser

    z/OS 2.3 or later with fixes

    Crypto Express:
    • Crypto adapter assigned to LPAR with fully initialized master key sets (AES, RSA, ECC) - TKE required
    • IBM z14 & CEX6 or later recommended to generate AES cipher keys
    • IBM z13 & CEX5 can only generate AES data keys

    Configured to use variable key length tokens

    Required databases, tables, views must be created in Db2 (V12 recommended)

    HKMGAS0 (min. PTF level KMGS006) or HKMGAL0 (min. PTF level KMGL010)

    Web Browser: Firefox or Chrome

  • Data-encrypting keys

    Used to encrypt and decrypt data & can be 128-bits, 192-bits, or 256-bits in length

    AES CIPHER keys
    • Use symmetric variable-length key token
    • The key value is always encrypted.
    • Keyblocks contain attributes allowing for detailed control of key usage and exchange options
    • EKMF Web wrapping for AES Cipher keys based on AES encryption

    AES DATA keys
    • Use symmetric fixed-length key token
    • Key value can be either encrypted or in the clear
    • Do not have associated key attributes - Export of AES Data keys must be controlled by other means, such as RACF
    • EKMF Web wrapping for AES Data keys based on RSA keys

    The use of AES Cipher keys for Pervasive Encryption is recommended for any system which supports their use. The minimum requirements for using AES Cipher keys for PE are z14 with CEX6 and ICSF HCR77C1.

  • EKMF Web Key Hierarchy

    Master Key (AES)

    Data KEK (RSA), wrapping Data Keys (AES)

    Cipher KEK (AES), wrapping Cipher Keys (AES)

    EKMF Web Recovery Key (AES)

  • EKMF Web for PE: Screenshots Demo. Create a key to encrypt your first dataset

  • EKMF flow


  • These are the policies that define how your keys are created


  • IBM z13 can only generate AES data keys. We recommend using AES cipher keys, available from z14 with CEX6 or later.

  • What to do with the key

    Dataset profiles (RACF), their DFP DATAKEY and user access:

    Profile        DFP DATAKEY            User Access
    BANKING.**     BANKING.KEY.LABEL      READ
    MORTGAGE.**    MORTGAGE.KEY2.LABEL    READ

    Profiles in CSFKEYS class      User Access
    BANKING.KEY.LABEL              READ
    MORTGAGE.KEY2.LABEL            READ

    Data sets: BANKING.TEST, MORTGAGE.PROD, BANKING.OLD (keys stored in the CKDS)

    1. Define key profile to RACF
    2. Assign key to RACF dataset profile
    3. (Re-)allocate; existing datasets are not encrypted (e.g. BANKING.OLD)
    4. User needs RACF access to a) Key b) Dataset
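The access model on this slide, as an added example that is not part of the IBM deck: a simplified Python model of how the RACF data set profile (with its DFP DATAKEY), the CSFKEYS profile for the key label, and the key label recorded when a data set was allocated decide who can read it. It uses the slide's profiles and data set names; user IDs, the catalog and the reduced generic-matching rules ('**' zero or more qualifiers, '*' one qualifier) are constructed assumptions, not RACF's full semantics.

```python
# Added example (not from the IBM deck): a simplified model of how a RACF data set
# profile (DFP DATAKEY), a CSFKEYS profile and the key label recorded at allocation
# decide who can read a data set. '**' = zero or more qualifiers, '*' = one qualifier.
DATASET_PROFILES = {  # slide table: profile -> (DATAKEY label, users with READ)
    "BANKING.**":  ("BANKING.KEY.LABEL",   {"TELLER1", "AUDIT1"}),
    "MORTGAGE.**": ("MORTGAGE.KEY2.LABEL", {"LOAN1"}),
}
CSFKEYS_PROFILES = {  # step 1: key label -> users holding READ in CSFKEYS
    "BANKING.KEY.LABEL":   {"TELLER1"},
    "MORTGAGE.KEY2.LABEL": {"LOAN1"},
}
# Catalog (constructed): label set at allocation; None = pre-DATAKEY, still in the clear
CATALOG = {
    "BANKING.TEST":  "BANKING.KEY.LABEL",
    "MORTGAGE.PROD": "MORTGAGE.KEY2.LABEL",
    "BANKING.OLD":   None,
}
def profile_matches(profile, dsn):
    """Match a generic data set profile against a fully qualified name."""
    def match(p, d):
        if not p:
            return not d
        if p[0] == "**":  # consume zero or more qualifiers
            return any(match(p[1:], d[i:]) for i in range(len(d) + 1))
        return bool(d) and p[0] in ("*", d[0]) and match(p[1:], d[1:])
    return match(profile.split("."), dsn.split("."))

def covering_profile(dsn):
    """Most specific matching profile (most literal qualifiers), or None."""
    hits = [p for p in DATASET_PROFILES if profile_matches(p, dsn)]
    literal = lambda p: sum(q not in ("*", "**") for q in p.split("."))
    return max(hits, key=literal) if hits else None

def datakey_for(dsn):
    """Step 2: key label a newly allocated data set would be encrypted with."""
    prof = covering_profile(dsn)
    return DATASET_PROFILES[prof][0] if prof else None

def can_read(user, dsn):
    """Step 4: needs READ on the data set profile AND, if encrypted, on the key."""
    prof = covering_profile(dsn)
    if prof is None or user not in DATASET_PROFILES[prof][1]:
        return False, "no READ on data set profile"
    key = CATALOG[dsn]
    if key is None:
        return True, "data set is in the clear (allocated before DATAKEY)"
    if user not in CSFKEYS_PROFILES.get(key, set()):
        return False, f"no READ on key label {key}"
    return True, f"decrypts with {key}"
```

The BANKING.OLD case shows why step 3 matters: a user without READ on the key label is still able to read a data set that was never re-allocated, so the dashboard's "not encryptable / not encrypted" views are where that residual exposure is found.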

  • 1 2 3 4

    Setup for use of key label in RACF

    Allow secure key to be used as protected keyvia ICSF segment- SYMCPACFWRAP- SYMCPACFRET

    Grant access to key label

    – AND –

    PERMIT keylabel_nameCLASS(CSFKEYS) ID(user) ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))

    RDEFINE CSFKEYSkeylabel_nameUACC(NONE)ICSF(SYMCPACFWRAP(YES) SYMPACFRET(YES))

    Associate the key label with the desired data set(s)

    In RACF, alter DFP segment in data set profile - DATAKEY()

    PERMIT ‘’ ID(groupid) ACCESS(READ)

    In DFSMS, assign to data class

    ALTDSD ‘’UACC(NONE)DFP(RESOWNER(owner)DATAKEY(keylabel_name))

    – OR –

    z/OS data set encryption – Detailed description

    Migrate to encrypted data

    DB2:Online Reorg

    IMS HA Database:Online Reorg

    VSAM or Seq data set:1. Stop application2. Copy data3. Restart application

    zFS Container:zfsadmin encrypt

    Non-disruptive

    Generate an encryption key and key label, store it in the CKDS

    CKDS

    IBM Crypto Competency Center / © 2020 IBM Corporation 24

  • If you lose your key, EKMF Web can restore it

  • Already started PE? No problem, import existing keys

    A key template for these types of keys must have been defined for the keystore you are importing from

  • Check dashboard for encryption details about datasets


  • Encrypted dataset with key details


  • Encryptable data sets


  • Not encryptable datasets

    Will be updated soon

  • Filter and show details


  • Multicloud Key Orchestrator

  • EKMF Cloud support

    EKMF Web supports key distribution to IBM Key Protect, Amazon KMS and Azure

    AWS KMS: Supported
    IBM Cloud Key Protect: Supported
    Microsoft Azure Key Vault: Supported
    Google Cloud KMS: Future

    Shown in the diagram: Web Browser with EKMF Web, EKMF Workstation

  • Define cloud keystores and key templates


  • AWS support in EKMF Workstation


  • Further reading

    Announcement letter ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS220-108

    EKMF Agent Installation and Configuration Guide publibfp.dhe.ibm.com/epubs/pdf/c2820240.pdf

    EKMF Web Installation and Configuration Guide publibfp.dhe.ibm.com/epubs/pdf/c2820220.pdf

    EKMF Web UI User's Guide publibfp.dhe.ibm.com/epubs/pdf/c2820230.pdf

  • EKMF Web for PE Virtual Workshop

    Participants who attend this Virtual Workshop will learn about key management, key management considerations, EKMF Web architecture and dataset encryption.

    Agenda:
    • 9:00 AM Overview Pervasive Encryption, Key Management and EKMF Web
    • 10:15 AM TKE Demo
    • 10:30 AM Hands on Lab EKMF Web and dataset encryption
    • 12:30 PM Key Management considerations and wrap up

    Virtual Class requires students to connect to Webex and have access to internet via browser to connect to virtual desktop.

    Contact [email protected]

  • IBM Crypto Competence Center Copenhagen

    • 100+ clients, mainly in Financial Services
    • 13 out of the 25 largest Banks in Europe
    • 25 years experience

    Service Offerings
    • Cryptography-as-a-Service
    • Crypto Agility and Quantum readiness
    • Crypto APIs for payment processing industry
    • Enterprise key management solutions
      • Pervasive Encryption key management
      • Multi-cloud key management
    • Advanced XML signing solutions

    Consulting & Implementation Services
    • Specialists in PCI compliant crypto solutions
    • Cross-industry experience

    Areas shown on the slide: Encryption; PKI - Digital Signatures & Certificates; Crypto APIs; Enterprise Key Management; Policy Compliance; Crypto Analytics Tool

    Securing the world, one bit at a time

  • Please submit your session feedback!

    Do it online at http://conferences.gse.org.uk/2020/feedback/2AW

    This session is 2AW - Your KEY to success for Pervasive Encryption and Multicloud Key Management


  • GSE UK Conference 2020 Charity

    The GSE UK Region team hope that you find this presentation and others that follow useful and help to expand your knowledge of z Systems.

    Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:

    http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion

  • Thank you

    © Copyright IBM Corporation 2020. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and ibm.com are trademarks of IBM Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available at Copyright and trademark information.

    https://www.ibm.com/legal/copytrade
