This is a cache of https://developer.ibm.com/articles/deploy-ibm-vault-linuxone/. It is a snapshot of the page as it appeared on 2025-11-14T12:39:27.196+0000.
Deploy IBM Vault on Linux on Z and LinuxONE using confidential computing techniques - IBM Developer
As escalating cyberthreats remain top-of-mind for CIOs and CTOs worldwide, security experts and regulators (including, for example, DORA, EBA, MAS, NCSC, CISA, and NSA) are focusing increasingly on the protection of data-in-use, in addition to the traditional protection of data-at-rest and data-in-transit. CIOs, CTOs, and developers are challenged to meet the demands of an ever-more-complex security and regulatory landscape while accelerating business agility, adopting AI, and keeping IT costs in check.
IBM LinuxONE and Linux on Z platforms, in combination with IBM Vault, can help you address these competing demands. They provide scalable, resilient, and turnkey data protection with audit-readiness to strengthen secrets management for the enterprise.
IBM Vault
IBM Vault provides a centralized approach to secrets management across every element of the application delivery lifecycle. It also provides a highly available and secure way of storing secrets such as encryption keys, API tokens, and database credentials, and of exposing them to applications and users. While Vault is a market-leading product in its category, concentrating enterprise-wide secrets into one entity also makes it a target for "keys to the kingdom" attacks: a compromise of the Vault server can put the whole enterprise at risk.
Hardware security module (HSM) services on IBM Z and LinuxONE are built on the IBM Crypto Express Card, which is certified at FIPS 140-2 Level 4. At this level of certification, the HSM has a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access.
Before the HSM services can be consumed, the cryptographic domains on the physical crypto card must be initialized with a master key through the Trusted Key Entry (TKE) process. The clear-text master key never leaves the HSM, and every operational key is only ever usable inside that domain, which is what provides "keep your own key" (KYOK) services. Once a domain is configured, encryption services for the entire enterprise can be built on top of the HSM, either through a custom API stack or through industry-standard mechanisms such as Enterprise PKCS#11 (EP11) or the native EP11-over-gRPC (GREP11) API.
Confidential computing on IBM LinuxONE and Linux on Z
Confidential computing on IBM LinuxONE and Linux on Z is designed to provide scalable isolation for workloads to help protect them not only from external attacks, but also from insider threats. Data-in-use protection is achieved with IBM Secure Execution for Linux, which provides trusted execution environments (TEEs). This protects both the data and the workload that operates on it while the application is running and its data is loaded into the server's memory.
For more information on how to build a technically assured confidential computing enclave that protects containerized Linux workloads from bad actors, see Hyper Protect Virtual Server.
Advantages of deploying IBM Vault on Linux on Z and LinuxONE
Vault protects its secrets database in storage with a root key (previously called the Vault master key), which in turn protects the keyring used to encrypt the storage backend. With the auto-unseal function available in IBM Vault, the root key is itself wrapped by a key encryption key (KEK) that lives in the HSM, so Vault can unseal at start-up without operator-held unseal keys; with the seal wrapping function, Vault additionally wraps its critical security parameters on disk with that same HSM-resident key. Because the KEK never leaves the HSM, a copy of the storage backend on its own is not enough to recover secrets.
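The following Vault server configuration is an added example, not code from the original article or from the IBM or HashiCorp documentation, showing how the HSM-backed auto-unseal and seal wrap described above are expressed in the `seal "pkcs11"` stanza. The opencryptoki library path, slot number, key labels, storage and TLS file paths are assumptions chosen for illustration; replace them with the values of the EP11 token configured on your system.

```hcl
# Added example: Vault server config with HSM auto-unseal on Linux on Z / LinuxONE.
# All paths, slot numbers and labels below are assumptions for illustration.

ui = true

api_addr     = "https://vault.example.internal:8200"   # assumption
cluster_addr = "https://vault.example.internal:8201"   # assumption

storage "raft" {
  path    = "/opt/vault/data"       # assumption: integrated storage on local disk
  node_id = "vault-linuxone-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"   # assumption
  tls_key_file  = "/opt/vault/tls/vault.key"   # assumption
}

# Auto-unseal: the root key is wrapped by a KEK that never leaves the HSM.
# The KEK itself is an AES key object that exists only inside the crypto
# domain initialised via TKE, so a copy of /opt/vault/data cannot be unsealed
# anywhere else.
seal "pkcs11" {
  lib       = "/usr/lib64/pkcs11/libopencryptoki.so"  # assumption: opencryptoki with the EP11 token
  slot      = "4"                                     # assumption: slot of the EP11 token
  key_label = "vault-root-kek"                        # assumption: AES key object in the HSM

  # Prefer not to keep the token PIN in this file: Vault also reads it from
  # the VAULT_HSM_PIN environment variable, which is the recommended setup.
  # pin = "..."

  # Let Vault create the key objects on first initialisation only if they do
  # not already exist. In production, pre-creating them with the token's own
  # tooling and leaving this unset is the more auditable choice.
  generate_key = "true"

  # If the token does not offer AES-GCM (default mechanism 0x1087), switch to
  # AES-CBC-PAD plus a separate HMAC key, e.g.:
  #   mechanism      = "0x1082"          # CKM_AES_CBC_PAD
  #   hmac_mechanism = "0x0251"          # CKM_SHA256_HMAC
  #   hmac_key_label = "vault-root-hmac"
}

# Seal wrapping is on by default whenever an HSM seal is configured; the
# insecure setting is the one that turns it off. Keep it enabled.
disable_sealwrap = false
```

After `vault operator init` against a server started with this file, Vault hands out recovery keys instead of unseal keys, and `vault status` reports `Seal Type pkcs11` with `Recovery Seal Type shamir`. Two operational caveats follow directly from the design: the node cannot unseal while the HSM or its token is unreachable, and a compromised process that already holds the unwrapped root key in memory is not stopped by the HSM, which is the gap the next section addresses.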
Vault's security depends heavily on how well protected the server it runs on is, as outlined in our Production Hardening guidelines. The HSM protects the root key at rest, but while the process is running the unwrapped keys and the plaintext secrets being served are necessarily present in memory. If an attacker gains high-level access to the host and is able to capture a memory dump, they could potentially read that sensitive information.
Hyper Protect Virtual Server creates a confidential computing enclave that provides data-in-use protection for containerized workloads. This capability ensures that the workload's memory cannot be inspected by a bad actor who is able to take a memory dump of the host, including a privileged administrator or hypervisor operator.
In addition to memory protection, Hyper Protect Virtual Server also ensures that the containerized workload itself is built around an immutable contract, which can be encrypted to maintain confidentiality. The contract enumerates requirements such as which container images to run, the platform the workload is supposed to run on, and the verification mechanism, so that scope creep and injection attacks cannot happen: a workload that does not match the contract is not started.
Summary and next steps
IBM Vault protects enterprise secrets, key databases, crown jewels and intellectual property, and confidential computing on IBM Z & LinuxONE protects the Vault. The net result is better security and compliance for the entire enterprise. Get started today by deploying IBM Vault self-managed on LinuxONE. For a technical deep dive or a step-by-step tutorial, reach out to the authors, or check out more resources on IBM Developer: