This is a cache of https://developer.ibm.com/tutorials/configure-hpvs-onpremises-redhat/. It is a snapshot of the page as it appeared on 2025-11-14T13:04:27.764+0000.
Build a confidential computing environment on-premises with Red Hat - IBM Developer

Tutorial

Build a confidential computing environment on-premises with Red Hat

Learn how to set up Hyper Protect Container Runtime on IBM LinuxONE to securely run sensitive workloads

By

Sandeep Batta,

Peter Szmrecsanyi,

Sowmya Parvathi

Hyper Protect Services uses IBM Secure Execution for Linux (SEL) to create a Confidential Computing enclave where sensitive workloads run with assurance that the entire compute lifecycle is protected. Protecting data-at-rest and data-in-motion is common, but protecting data-in-use must also be a key part of a data protection strategy.

A Confidential Computing enclave is similar to a Sensitive Compartmented Information Facility (SCIF), often used in national security to handle top-secret documents or discussions. The principle is simple: what happens in a SCIF stays in a SCIF.

[Figure: HPVS-SCIF]

This tutorial adds guidance to the official documentation on Setting up Hyper Protect Container Runtime, so that you do not need to switch between multiple sources.

Prerequisites

  • Access to a Red Hat Enterprise Linux (RHEL) logical partition (LPAR) on LinuxONE with sudo access. Secure Execution must be enabled with Feature Code 115.
  • Access to IBM Passport Advantage with entitlement to download the HPCR bundle. For instructions, see Downloading HPCR image.
  • Access to a container image of the workload to run within the Hyper Protect Container Runtime (HPCR), such as Vault.

Note: For hardware requirements, see HPCR system requirements.

Step 1. Confirm that Secure Execution is enabled

  1. Log in to the Red Hat Enterprise Linux (RHEL) logical partition (LPAR) and run:

    virt-host-validate
  2. If virt-host-validate reports WARN for secure guest support, add prot_virt=1 to the kernel parameters and reboot:

    cp /etc/zipl.conf /etc/zipl.conf.orig
    echo "prot_virt=1" >> /etc/zipl.conf
    zipl -V
    reboot

     Check the zipl -V output before you reboot: zipl takes kernel parameters from the parameters= value of a boot section (or, where RHEL uses BLS entries, from the options line of the entry under /boot/loader/entries that grubby maintains), so confirm that prot_virt=1 appears in the parameter line zipl prints. After the reboot, /proc/cmdline must contain prot_virt=1 and /sys/firmware/uv/prot_virt_host must read 1.
  3. Now run virt-host-validate again. You should see:

    QEMU: Checking for secure guest support                                    : PASS
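As an added check that is not part of the IBM tutorial, the following POSIX shell script classifies a host's Secure Execution state from the kernel interfaces that virt-host-validate itself consults on s390x: the facilities line of /proc/cpuinfo (facility 158, the ultravisor call facility), /proc/cmdline (prot_virt=1) and /sys/firmware/uv/prot_virt_host. Those three sources are an assumption taken from the kernel and libvirt sources, not something the page states. The classifier takes its inputs as arguments so it runs on any machine; with SE_LIVE=1 it reads the live files on the LPAR, otherwise it classifies a constructed sample.

```shell
#!/bin/sh
# Added example, not from the IBM tutorial: classify a host's Secure Execution
# state from the kernel interfaces that virt-host-validate consults on s390x
# (assumption, per the kernel and libvirt sources, not stated on the page):
#   /proc/cpuinfo "facilities" must list 158 (ultravisor call facility),
#   /proc/cmdline must carry prot_virt=1,
#   /sys/firmware/uv/prot_virt_host reads 1 once the ultravisor is active.

# se_classify UV_FLAG CMDLINE FACILITIES -> READY | NOT-ACTIVE | NO-PARAM | NO-HW
se_classify() {
  uv=$1 cmdline=$2 facilities=$3
  case " $facilities " in
    *" 158 "*) ;;                       # whole-word match, so 1580 does not count
    *) echo NO-HW; return 0 ;;
  esac
  case " $cmdline " in
    *" prot_virt=1 "*) ;;
    *) echo NO-PARAM; return 0 ;;
  esac
  if [ "$uv" = 1 ]; then echo READY; else echo NOT-ACTIVE; fi
}

# se_advice STATUS -> the action Step 1 of the tutorial prescribes for that state
se_advice() {
  case $1 in
    READY)      echo "secure guests can run; virt-host-validate should report PASS" ;;
    NOT-ACTIVE) echo "kernel booted with prot_virt=1 but the ultravisor is not active; check Feature Code 115 and kernel support" ;;
    NO-PARAM)   echo "add prot_virt=1 to the kernel parameters, run zipl -V and reboot" ;;
    NO-HW)      echo "facility 158 is missing: Secure Execution is not available to this LPAR" ;;
    *)          echo "unknown status $1"; return 1 ;;
  esac
}

# Live check; only meaningful on the LinuxONE LPAR itself.
se_check_host() {
  uv=$(cat /sys/firmware/uv/prot_virt_host 2>/dev/null || echo 0)
  cmdline=$(cat /proc/cmdline 2>/dev/null || true)
  facilities=$(sed -n 's/^facilities[[:space:]]*:[[:space:]]*//p' /proc/cpuinfo 2>/dev/null || true)
  status=$(se_classify "$uv" "$cmdline" "$facilities")
  echo "$status: $(se_advice "$status")"
}

# Constructed sample inputs (not captured from a real host): the hardware
# facility is present but the kernel parameter has not been added yet.
SAMPLE_FACILITIES="0 1 2 3 4 6 7 8 9 10 129 130 133 134 135 146 158 165"
SAMPLE_CMDLINE="root=/dev/mapper/rhel-root crashkernel=auto"

if [ "${SE_LIVE:-0}" = 1 ]; then
  se_check_host
else
  status=$(se_classify 0 "$SAMPLE_CMDLINE" "$SAMPLE_FACILITIES")
  echo "sample host -> $status: $(se_advice "$status")"
fi
```

Run it as `SE_LIVE=1 sh se-check.sh` on the LPAR after each of the three sub-steps above; the status string tells you which step is still missing, which is more specific than the single WARN line from virt-host-validate.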

Step 2. Prepare the environment

  1. Install the required packages.

    dnf install genisoimage curl ca-certificates
    dnf install net-tools podman rsyslog-gnutls guestfs-tools
    dnf install libvirt libvirt-daemon libvirt-daemon-driver-qemu libvirt-daemon-config-network libvirt-daemon-kvm
    dnf install expect qemu-kvm qemu-img
    dnf install virt-install virt-win-reg
    dnf install -y postgresql-server postgresql
    dnf upgrade -y
    dnf upgrade NetworkManager
  2. Create directories and files.

    mkdir -p /opt/hpcr-files
    mkdir -p /var/lib/libvirt/images/hpcr
    mkdir -p /var/lib/libvirt/storage
    mkdir -p /var/lib/libvirt/overlay
  3. Configure a SYSLOG server to receive secure logs from Hyper Protect Virtual Server guests. For more information, see Logging for IBM Hyper Protect Virtual Servers: Syslog.

Step 3. Download the Hyper Protect Virtual Server bundle

  1. Log in to IBM Passport Advantage.
  2. Go to My Programs and select IBM Hyper Protect Virtual Servers.
  3. Download the latest version. For example, IBM_HPVS_OnPrem_v2.2.2_EN.tar.gz.
  4. Upload the file to the LinuxONE RHEL LPAR:

    scp </path/to/IBM_HPCR_RHVS_v1.1_EN.tar.gz> <userid>@<linuxone-rhel-lpar>:/opt/hpcr-files

Step 4. Extract the Hyper Protect Virtual Server image file

Log in to the LinuxONE RHEL LPAR and run the following command:

cd /opt/hpcr-files
gunzip IBM_HPCR_RHVS_v1.1_EN.tar.gz
tar -xvf IBM_HPCR_RHVS_v1.1_EN.tar
tar -xvzf M0SK4EN.tar.gz
cp images/ibm-hyper-protect-container-runtime-rhvs-1.1.0.qcow2 /var/lib/libvirt/images/hpcr

Note: File names can differ depending on the Hyper Protect Virtual Server version.

Step 5. Create the contract parts

  1. Create the /var/lib/libvirt/images/hpcr/meta-data file with the following content:

    local-hostname: myhost
  2. Create /var/lib/libvirt/images/hpcr/vendor-data with the following content:

    #cloud-config
    users:
    - default
  3. Copy the sample environment file (hpvs-sample-env.yaml) to /var/lib/libvirt/images/hpcr/env.yaml.

  4. Edit env.yaml and update these entries:

    • ${HOSTNAME}: hostname or IP of the SYSLOG server (change the port if needed).
    • ${CA}: YAML scalar value of the CA certificate (for example: server: "-----BEGIN CERTIFICATE-----\nMIIFCTCCAvEC...").
    • ${CLIENT_CERTIFICATE}: YAML scalar value of the client certificate.
    • ${CLIENT_PRIVATE_KEY}: YAML scalar value of the client private key (PKCS8).
  5. Copy the sample Vault workload file (hpvs-sample-vault-workload.yaml) to /var/lib/libvirt/images/hpcr/workload.yaml.

  6. Edit workload.yaml and update the following entries:

    • <us.icr.io/path-to-vault-image>: path to your Vault container image in IBM Container Registry.
    • <base64-vault-conf.hcl>: base64-encoded Vault config file.
    • <license-key>: your license key.
    • <us-icr-apikey>: your IBM Cloud API key.

      Notes:

    • The sample workload.yaml assumes that the Vault image is in IBM Container Registry. An api-key is needed to access images in this registry.

    • For instructions on creating a Vault container image, see the Deploying Vault in a Confidential Computing Environment tutorial on IBM Developer.

Step 6. Encrypt the contract file

  1. Export environment variables. The contract key is the encryption certificate that ships in the bundle you extracted to /opt/hpcr-files (its file name carries the bundle's version, so adjust it to what you downloaded):

    export WORKLOAD=/var/lib/libvirt/images/hpcr/workload.yaml
    export ENV=/var/lib/libvirt/images/hpcr/env.yaml
    export CONTRACT_KEY=/opt/hpcr-files/config/certs/ibm-hyper-protect-container-runtime-25.4.0-encrypt.crt
    export PASSWORD="$(openssl rand 32 | base64 -w0)"
    export ENCRYPTED_PASSWORD="$(echo -n "$PASSWORD" | base64 -d | openssl rsautl -encrypt -inkey "$CONTRACT_KEY" -certin | base64 -w0)"

     The 32 random bytes are the symmetric password for the contract sections; they are RSA-encrypted to the certificate so that only the runtime, which holds the matching private key, can recover them. openssl rsautl is deprecated in OpenSSL 3 (the version on RHEL 9); openssl pkeyutl -encrypt -certin accepts the same input and applies the same PKCS#1 v1.5 padding.
  2. Encrypt workload.yaml with the generated password:

    export ENCRYPTED_WORKLOAD="$(echo -n "$PASSWORD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "$WORKLOAD" | base64 -w0)"
  3. Encrypt env.yaml with the generated password:

    export ENCRYPTED_ENV="$(echo -n "$PASSWORD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "$ENV" | base64 -w0)"
  4. Create the user-data file (cloud-init requires exactly that name, and it is the name Step 7 packs into the ISO). The contract is a YAML mapping with an env key and a workload key; each value is the hyper-protect-basic prefix, the RSA-encrypted password and the AES-encrypted section, joined with dots:

    echo "env: hyper-protect-basic.${ENCRYPTED_PASSWORD}.${ENCRYPTED_ENV}" > /var/lib/libvirt/images/hpcr/user-data
    echo "workload: hyper-protect-basic.${ENCRYPTED_PASSWORD}.${ENCRYPTED_WORKLOAD}" >> /var/lib/libvirt/images/hpcr/user-data
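To exercise Steps 5 and 6 end to end before a guest depends on the result, here is an added POSIX shell script; it is not part of the IBM tutorial or of the Hyper Protect product. It generates a self-signed RSA certificate as a stand-in for the bundle's encryption certificate (an assumption; on the LPAR point it at the CONTRACT_KEY file instead), converts a PEM file into the one-line YAML scalar form that env.yaml needs, encrypts constructed env and workload parts into the hyper-protect-basic format, and then decrypts them with the stand-in private key to confirm the round trip, a failure that otherwise surfaces only when the guest boots. Two deliberate departures from the page's commands: openssl pkeyutl replaces the deprecated rsautl, and password draws whose raw bytes contain a newline or NUL are rejected, because openssl enc -pass stdin reads the password as a single text line. Host names and file contents are constructed; env.yaml key names other than server are assumed and should be checked against hpvs-sample-env.yaml.

```shell
#!/bin/sh
# Added example, not code from the IBM page or from IBM Hyper Protect: build a
# hyper-protect-basic contract as Steps 5 and 6 describe, then decrypt it with
# the matching private key to prove the encoding round-trips before a guest is
# booted with it. The certificate is a self-signed stand-in generated below
# (assumption), NOT the encryption certificate shipped in the HPCR bundle.
set -eu

# One-line, double-quoted YAML scalar of a PEM file: the form env.yaml expects
# for the syslog CA, client certificate and client key.
pem_to_yaml_scalar() {
  printf '"'
  awk '{ printf "%s\\n", $0 }' "$1"
  printf '"\n'
}

# The page derives the password with `openssl rand 32 | base64 -w0`. Draws whose
# raw bytes contain NUL, CR or LF are rejected, because `openssl enc -pass stdin`
# reads the password as one text line and would silently shorten it.
gen_password() {
  while :; do
    pw=$(openssl rand 32 | base64 -w0)
    n=$(printf '%s' "$pw" | base64 -d | tr -d '\000\r\n' | wc -c | tr -d ' ')
    [ "$n" -eq 32 ] && { printf '%s' "$pw"; return 0; }
  done
}

# encrypt_section CERT FILE PASSWORD_B64 -> hyper-protect-basic.<rsa(pw)>.<aes(file)>
# pkeyutl stands in for the page's rsautl, which OpenSSL 3 (RHEL 9) deprecates;
# both default to RSA PKCS#1 v1.5 padding.
encrypt_section() {
  cert=$1 file=$2 pw=$3
  enc_pw=$(printf '%s' "$pw" | base64 -d \
    | openssl pkeyutl -encrypt -certin -inkey "$cert" | base64 -w0)
  enc_data=$(printf '%s' "$pw" | base64 -d \
    | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "$file" | base64 -w0)
  printf 'hyper-protect-basic.%s.%s\n' "$enc_pw" "$enc_data"
}

# decrypt_section KEY TOKEN -> plaintext, the inverse the private-key holder
# applies. Rejects tokens that lack the prefix or either encrypted part.
decrypt_section() {
  key=$1 token=$2
  case "$token" in
    hyper-protect-basic.?*.?*) ;;
    *) echo "malformed contract section" >&2; return 1 ;;
  esac
  rest=${token#hyper-protect-basic.}
  tmp=$(mktemp)
  printf '%s' "${rest#*.}" | base64 -d > "$tmp"
  rc=0
  printf '%s' "${rest%%.*}" | base64 -d | openssl pkeyutl -decrypt -inkey "$key" \
    | openssl enc -d -aes-256-cbc -pbkdf2 -pass stdin -in "$tmp" || rc=$?
  rm -f "$tmp"
  return $rc
}

# build_contract CERT ENV WORKLOAD OUT -> writes the cloud-init user-data file,
# one password shared by both sections as on the page.
build_contract() {
  cert=$1 envf=$2 wlf=$3 out=$4
  secret=$(gen_password)
  {
    printf 'env: %s\n' "$(encrypt_section "$cert" "$envf" "$secret")"
    printf 'workload: %s\n' "$(encrypt_section "$cert" "$wlf" "$secret")"
  } > "$out"
}

# verify_contract KEY USERDATA ENV WORKLOAD -> prints ok when both sections
# decrypt back to the original files.
verify_contract() {
  key=$1 ud=$2 envf=$3 wlf=$4
  [ "$(decrypt_section "$key" "$(sed -n 's/^env: //p' "$ud")")" = "$(cat "$envf")" ] || return 1
  [ "$(decrypt_section "$key" "$(sed -n 's/^workload: //p' "$ud")")" = "$(cat "$wlf")" ] || return 1
  echo ok
}

# --- demo on constructed inputs --------------------------------------------
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/hpcr.key" \
  -out "$WORK/hpcr.crt" -subj "/CN=hpcr-stand-in" -days 1 >/dev/null 2>&1

# Constructed env.yaml: placeholder syslog endpoint; the stand-in certificate
# plays the CA purely to show the scalar form. Key names other than server are assumed.
cat > "$WORK/env.yaml" <<EOF
env:
  type: env
  logging:
    syslog:
      hostname: syslog.example.internal
      port: 6514
      server: $(pem_to_yaml_scalar "$WORK/hpcr.crt")
EOF

# Constructed workload.yaml; the real one comes from hpvs-sample-vault-workload.yaml.
printf 'workload:\n  type: workload\n' > "$WORK/workload.yaml"

build_contract "$WORK/hpcr.crt" "$WORK/env.yaml" "$WORK/workload.yaml" "$WORK/user-data"
verify_contract "$WORK/hpcr.key" "$WORK/user-data" "$WORK/env.yaml" "$WORK/workload.yaml" >/dev/null
echo "user-data written to $WORK/user-data; both sections decrypt back to the originals"
```

For the real deployment you cannot run verify_contract, because the private key never leaves the runtime; what you can do is feed the bundle's certificate to build_contract and use pem_to_yaml_scalar on the syslog CA, client certificate and client key when filling in env.yaml, so that the only untested piece is the key the runtime holds.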

Step 7. Generate ISO-init-disk

Run this in the directory that holds the three files created in Steps 5 and 6; cloud-init finds the seed by the volume label cidata:

cd /var/lib/libvirt/images/hpcr
genisoimage -output /var/lib/libvirt/images/ciiso.iso -volid cidata -joliet -rock user-data meta-data vendor-data

Step 8. Create the data disk

  1. Copy hpvs-sample-pool.xml to /opt/hpcr-files/pool.xml and run:

    cd /opt/hpcr-files
    virsh pool-define pool.xml
    virsh pool-build storagedirpool
    virsh pool-start storagedirpool
    virsh vol-create-as storagedirpool datavolume 10G
  2. Copy hpvs-sample-kvm-hpcr.xml to /opt/hpcr-files/hpcr.xml.

Step 9. Create the network

  1. Copy hpvs-sample-network.xml to /opt/hpcr-files/network.xml.

  2. Edit network.xml and update the network details for your environment.

Step 10. Start HPCR

Run the following commands to start the Hyper Protect Container Runtime (HPCR) confidential computing environment:

cd /opt/hpcr-files
virsh define hpcr.xml
virsh start hpcr --console

Conclusion and next steps

You have successfully set up Hyper Protect Container Runtime (HPCR) on IBM Z LinuxONE. The next step is to deploy critical workloads to enable data-in-use protection. The following article, tutorial, and demo video can help you get started.