Security and Linux on Z Systems

Security and Linux on IBM Z
IBM Redpaper REDP-5464-00
Lydia Parziale, Klaus Egeler, Manoj S. Pattabhiraman
International Technical Support Organization, December 2017

Note: Before using this information and the product it supports, read the information in “Notices” on page v.

First Edition (December 2017)
This edition applies to the IBM Z platform, Red Hat Enterprise Linux Servers v7.4, and z/VM v6.4.
This document was created or updated on January 8, 2018.

© Copyright International Business Machines Corporation 2017. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices  v
Trademarks  vi
Preface  vii
  Authors  vii
  Now you can become a published author, too!  vii
  Comments welcome  viii
  Stay connected to IBM Redbooks  viii
Chapter 1. Why security and encryption  1
  1.1 Why security matters  2
  1.2 Why use encryption  2
  1.3 Pervasive encryption with the IBM z14  3
    1.3.1 CP Assist for Cryptographic Function  4
    1.3.2 Crypto Express6S  5
  1.4 Benefits of Hardware Crypto  6
  1.5 Verification of installed LIC 3863 using the SE  7
Chapter 2. Data security and Linux on IBM Z  9
  2.1 Data security  10
    2.1.1 Encryption  10
  2.2 Pervasive encryption  11
  2.3 LinuxONE and IBM Z Cryptographic Hardware features  12
    2.3.1 CP Assist for Cryptographic Function  13
    2.3.2 Crypto Express6S  13
  2.4 Overview of enabling cryptographic adapters  14
    2.4.1 Hardware configuration: Setting up an LPAR to use Crypto  14
    2.4.2 Configuring Cryptographic adapters in z/VM  15
    2.4.3 Setting up Cryptographic adapter for use from Linux on IBM Z  15
  2.5 Verification of installed LIC 3863 using the SE  15
  2.6 The hardware and software test environment  16
  2.7 Cryptographic software support: z/VM  17
    2.7.1 Defining Cryptographic feature in z/VM  17
    2.7.2 Configuring Cryptographic feature in z/VM  18
    2.7.3 Hardware cryptography exploitation in Linux on IBM Z  20
Chapter 3. Pervasive encryption: Data-at-rest encryption  29
  3.1 Introduction  30
  3.2 LinuxONE Hardware-accelerated in-kernel cryptography  30
    3.2.1 Verification of support for Hardware Cryptographic operation  30
    3.2.2 The dm-crypt module  31
  3.3 Data-at-Rest using dm-crypt LUKS encryption  33
    3.3.1 Setting up cryptsetup  34
    3.3.2 Creating a LUKS partition  35
    3.3.3 Test for demonstrating encryption performance with hardware optimization  38
Chapter 4. Pervasive encryption: Data in flight encryption  41
  4.1 Preparing to use OpenSSL  42
  4.2 Configuring OpenSSL  43
  4.3 Testing Hardware Crypto functions  45
    4.3.1 Crypto Express6S card support for OpenSSL  46
    4.3.2 CPACF support for OpenSSL  47
    4.3.3 Testing the encryption using SSH  49
Chapter 5. IBM Secure Service Container  51
  5.1 Introduction to IBM Secure Service Container  52
  5.2 IBM Secure Service Container internals  52
    5.2.1 Secure Service Container boot environment  53
    5.2.2 Boot sequence  53
  5.3 Installing and managing the appliance  53
    5.3.1 Installation and configuration  53
    5.3.2 Managing the appliance  54
  5.4 Key features of Secure Service Container  55
Related publications  57
  IBM Redbooks  57
  Online resources  57
  Help from IBM  57

Notices

This information was developed for products and services offered in the US. This material might be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, MD-NC119, Armonk, NY 10504-1785, US

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided “AS IS”, without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service.
