Front cover Getting Started with Linux on Z Encryption for Data At-Rest Bill White Megan Hampton Benedikt Klotz Pat Oughton Guilherme Nogueira Carlos Henrique Reimer Redbooks IBM Redbooks Getting Started with Linux on Z Encryption for Data At-Rest April 2019 SG24-8436-00 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. First Edition (April 2019) This edition applies to the required and optional hardware and software components needed for Linux on IBM Z encryption for data at-rest. © Copyright International Business Machines Corporation 2019. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix Authors. ix Now you can become a published author, too! . xi Comments welcome. xi Stay connected to IBM Redbooks . xi Chapter 1. Protecting sensitive data . 1 1.1 Why protect your data beyond compliance . 2 1.2 IBM Z pervasive encryption. 3 1.2.1 Linux on Z data at-rest encryption . 3 1.2.2 Separation of duties . 5 1.2.3 Managing the pervasive encryption environment . 6 1.3 Understanding Linux on Z data at-rest encryption . 6 1.3.1 IBM Z cryptographic system . 7 1.4 How Linux on Z data at-rest encryption works . 9 1.4.1 Creating a secure key . 10 1.4.2 Opening an LUKS2 formatted volume . 10 Chapter 2. Identifying components and release levels . 13 2.1 Starting a Linux on Z data at-rest encryption implementation. 14 2.1.1 IBM Z platform: Optimized for Linux on Z data at-rest encryption. 15 2.2 Required and optional hardware features . 15 2.2.1 Central Processor Assist for Cryptographic Function . 15 2.2.2 Crypto Express adapters . 16 2.2.3 Trusted Key Entry workstation . 17 2.3 Required and optional software features . 18 2.3.1 Required software components for dm-crypt with a plain format setup . 18 2.3.2 Required software components for dm-crypt with an LUKS2 format setup . 18 2.3.3 Optional software components . 18 2.4 Cost and performance. 19 Chapter 3. Planning for Linux on Z data at-rest encryption . 21 3.1 Creating an implementation plan . 22 3.2 Know where your sensitive data is stored. 23 3.3 Encryption considerations . 23 3.3.1 How many secure keys do I need?. 23 3.3.2 Should I use a known key? . 24 3.3.3 Which cipher mode should be used? . 24 3.3.4 Should I use keyfiles or passphrases? . 24 3.3.5 Should I consider root partition encryption? . 24 3.4 Considerations for separation of duties. 25 3.4.1 Security administrator role . 25 3.4.2 Cryptographic administrator role. 25 3.4.3 System administrator role . 26 3.4.4 Storage administrator role. 26 3.5 Policy considerations . 26 © Copyright IBM Corp. 2019. All rights reserved. iii 3.5.1 Securing the root account . 27 3.5.2 Enable auditing . 28 3.5.3 UNIX file permissions and POSIX access control lists . 28 3.5.4 Mandatory access control systems. 28 3.6 Key management considerations . 29 3.6.1 Understanding key management . 29 3.6.2 Reviewing industry regulations . 29 3.6.3 Determining key security. 29 3.6.4 Choosing key-part owners . 30 3.6.5 Key lifecycle . 30 3.6.6 Defining key rotation . 31 3.6.7 Establishing cryptoperiods . 32 3.6.8 Establishing a process for handling compromised operational keys. 32 3.6.9 Establishing a process for handling compromised master keys . 33 3.6.10 Choosing key management tools . 33 3.6.11 Backing up keys . 35 3.6.12 Planning for disaster recovery. 36 3.7 z/VM considerations . 36 3.7.1 Policy considerations . 36 3.7.2 Virtual disks. 37 3.7.3 System configuration file. 37 3.7.4 z/VM SSI cluster considerations . 38 3.8 Performance considerations . 38 3.9 Disk and logical volume considerations . 41 3.9.1 Using logical volumes . 41 3.9.2 Which volumes should be encrypted? . 43 3.9.3 Volume format considerations. 43 3.10 Data compression considerations . 44 3.11 General considerations . 44 3.11.1 Defining a maintenance policy . 44 3.11.2 Linux Health Checker considerations . 45 3.11.3 Backing out of Linux on Z data at-rest encryption. 45 Chapter 4. Preparing for Linux on Z data at-rest encryption . ..