
How Does EKMF Simplify Pervasive Encryption?

IBM Systems Lab Services Security Consultant William C. (Craig) Johnston explains how EKMF simplifies pervasive encryption.


Q: How does EKMF simplify pervasive encryption?

The IBM Enterprise Key Management Foundation (EKMF) is a flexible and highly secure key management system for the enterprise. It provides centralized key management on IBM Z* and distributed platforms for streamlined, efficient and secure key and certificate management operations. 

Pervasive Encryption-Dataset Encryption (PE-DSE) on z/OS* provides simple policy controls that allow clients to protect data in mission-critical databases including Db2*, IMS* and VSAM. Additionally, z/OS data set encryption gives clients the ability to eliminate storage administrators from the compliance scope.

PE-DSE uses the Integrated Cryptographic Services Facility (ICSF) and the CP Assist for Cryptographic Functions (CPACF) to encrypt and decrypt the contents of data sets and files on z/OS in a manner that’s transparent to end users. The encryption operations use cryptographic keys stored in ICSF. EKMF creates and distributes these keys to z/OS.

While it’s possible to create the required 256-bit AES keys using ICSF, that method will only create the keys in the local ICSF CKDS key store. PE-DSE may consume a large number of AES keys from ICSF. 

Generating and then managing these keys by hand exposes the process to a variety of issues, including human error and mismatched cryptographic master keys, either of which would cause the encryption operations to fail.

EKMF is a centralized key creation and distribution system that generates keys on a secure workstation and distributes the keys to multiple ICSF instances across the enterprise. EKMF securely stores the keys in Db2, and this database is used as a live key repository. Although the keys cannot be used directly from Db2, the repository allows for their removal and redeployment to any of the ICSF key stores as needed from the EKMF workstation.

Data sets are assigned keys when they are allocated, and the assigned key does not change for that specific data set. Therefore, the key must be available on every z/OS system that may access that data set. With EKMF, those encryption keys can be pushed to different z/OS images that share DASD but may not share ICSF key data sets. The underlying master key used by the cryptographic hardware can also be different for each z/OS LPAR.

EKMF generates keys using a predefined or user-defined key template. The templates define the key type and the key label conventions to be used. It’s possible with EKMF to generate a large number of keys with the same attributes and related labels and send them to multiple z/OS images with just a few clicks. 
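The two preceding paragraphs describe the operational constraint (a data set's key label must be present, and wrapped under the current master key, on every LPAR that shares its DASD) and the template-driven labelling. The following is an added illustration, not IBM's EKMF or ICSF code: a simplified Python model of the availability check an administrator would want before relying on data set encryption across several LPARs. The LPAR names, master key verification pattern strings, label convention and data set names are all constructed assumptions.

```python
"""Added example (not EKMF's own code): model the key-availability check for
z/OS data set encryption across LPARs that share DASD but not a CKDS.

Constructed assumptions, not taken from the article:
- Each LPAR has its own CKDS and its own AES master key, identified here by a
  master key verification pattern (MKVP) string.
- Each CKDS entry records the key label and the MKVP the key is wrapped under.
- A data set is bound to one key label at allocation and may be opened from
  every LPAR listed in its accessed_from set.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Lpar:
    name: str
    mkvp: str                                            # current AES master key
    ckds: Dict[str, str] = field(default_factory=dict)   # key label -> MKVP it is wrapped under


@dataclass
class EncryptedDataset:
    dsn: str
    key_label: str
    accessed_from: Set[str]                              # LPAR names sharing this DASD


def labels_from_template(prefix: str, count: int, start: int = 1) -> List[str]:
    """Produce related labels the way a key template convention would:
    a fixed prefix plus a zero-padded sequence number (assumed convention)."""
    return [f"{prefix}.{n:04d}" for n in range(start, start + count)]


def find_gaps(lpars: Dict[str, Lpar],
              datasets: List[EncryptedDataset]) -> List[Tuple[str, str, str, str]]:
    """Return (dsn, label, lpar, reason) for every place an open would fail:
    the label is absent from that LPAR's CKDS, or it is present but wrapped
    under a master key that is no longer the LPAR's current one."""
    gaps = []
    for ds in datasets:
        for lpar_name in sorted(ds.accessed_from):
            lpar = lpars[lpar_name]
            wrapped_under = lpar.ckds.get(ds.key_label)
            if wrapped_under is None:
                gaps.append((ds.dsn, ds.key_label, lpar_name, "label missing from CKDS"))
            elif wrapped_under != lpar.mkvp:
                gaps.append((ds.dsn, ds.key_label, lpar_name, "master key mismatch"))
    return gaps


def plan_distribution(lpars: Dict[str, Lpar],
                      datasets: List[EncryptedDataset]) -> Dict[str, Set[str]]:
    """Labels each LPAR still needs pushed (or re-wrapped) from the central repository."""
    plan: Dict[str, Set[str]] = {name: set() for name in lpars}
    for _dsn, label, lpar_name, _reason in find_gaps(lpars, datasets):
        plan[lpar_name].add(label)
    return plan


def sample_estate() -> Tuple[Dict[str, Lpar], List[EncryptedDataset]]:
    """Constructed two-LPAR estate: SYSB has one stale key and one missing key."""
    labels = labels_from_template("DATASET.PAYROLL", 3)   # ...0001, ...0002, ...0003
    lpars = {
        "SYSA": Lpar("SYSA", "MKVP-A1", {labels[0]: "MKVP-A1",
                                         labels[1]: "MKVP-A1",
                                         labels[2]: "MKVP-A1"}),
        # 0002 was wrapped under an earlier SYSB master key; 0003 was never pushed
        "SYSB": Lpar("SYSB", "MKVP-B7", {labels[0]: "MKVP-B7",
                                         labels[1]: "MKVP-B2"}),
    }
    datasets = [
        EncryptedDataset("PAYROLL.MASTER", labels[0], {"SYSA", "SYSB"}),
        EncryptedDataset("PAYROLL.HIST", labels[1], {"SYSA", "SYSB"}),
        EncryptedDataset("PAYROLL.ARCH", labels[2], {"SYSA", "SYSB"}),
    ]
    return lpars, datasets


if __name__ == "__main__":
    lpars, datasets = sample_estate()
    for dsn, label, lpar, reason in find_gaps(lpars, datasets):
        print(f"{dsn}: {label} on {lpar}: {reason}")
    print(plan_distribution(lpars, datasets))
```

The check deliberately treats a label that exists but is wrapped under a different master key as a failure, because that is the "mismatched cryptographic master keys" case: the CKDS entry looks present, yet the hardware cannot unwrap it. Running the check before opening the data sets turns a runtime open failure into a distribution to-do list per LPAR.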

If you need a centrally located encryption key creation and distribution manager, EKMF fits that bill.
