
Ideas to create a quantum safe AIX

By Christian Sonnemans posted Mon May 19, 2025 10:37 AM

  

Quantum safe for AIX?

Last month (April 2025) we had an in-house session given by IBM to give us more insight into how we can make our environment Quantum safe.

Thanks to Andrea Longo and Marco van Gils for making this possible.

Thanks to Peter van ‘t Land, Michel Splint and Remi Gillain for sharing your expertise with us!

This blog is meant for AIX system admins, and my goal is to start discussions about what we as system admins can do right now to be prepared for ‘Qday’.

Why Quantum safe right now?

As most of you already know, IBM is one of the players developing Quantum computers, and every year the number of qubits is expanding, from 133 qubits last year to 156 qubits this year. The technology is also evolving rapidly, e.g. in error correction. IBM also makes the Quantum era very accessible via its so-called Qiskit services, which let you communicate with real Quantum computers spread around the globe.

Quantum computers are now used mostly for scientific approaches in different branches such as financial services, high tech, energy and healthcare & life sciences.

People working with Quantum technology believe that it will take only a few years before we can use Quantum technology to decrypt any currently safe encryption protocol within a few hours or even seconds, compared to a conventional binary computer.

Imagine the impact this would have on currently safe encryption methods, for example RSA and ED25519.

Therefore IBM developed, together with the NIST organization, three Quantum safe encryption standards.

Strategy

One of the first things I learned (sounds maybe boring, but so true) is that your company should have at least a strategy for this challenge.

Further, we need awareness, budget and of course time to spend on this challenge.

Common misconceptions are “Quantum computing is not going to happen soon, so why bother?” or “our data is safe, we do not store encryption keys in our data”, along with many other arguments/assumptions.

What I learned from the speakers is to first develop a strategy and create awareness.

I will not dive too much into the strategy subject now, but it sounds obvious that the strategy should touch everything in the chain, starting with hardware, the OS that runs on top of it, the communication between the systems and the data itself.

What I also learned from the speakers is that most financial institutions have already started with a strategy and an inventory, and that some have already started acting on it.

That's it for now about strategy, which is of course very much branch dependent. But overall I’d like to emphasize that it’s good to have at least a strategy.

Possible tooling.

Of course IBM provides tools to help us create a Quantum safe environment. Some examples are:

Quantum Safe Explorer: Scans applications to discover cryptographic artifacts and vulnerabilities and creates a Cryptography Bill of Materials (CBOM).

Quantum Safe Remediator: Enables quantum-safe communication across clients and servers in the network.

Guardium Quantum Safe: Gives an organization visibility into its cryptographic posture, vulnerabilities and remediation progress.

PowerSC (latest version): Can scan your Power environment, give advice, and help create an inventory of which encryption is implemented where, and so where it needs to be replaced.

Again, also for this it’s good to have a company wide strategy on how to scan your environment and what tool or set of tools can be used.

But we as practical system administrators like to start already!

All the above is very important and I am convinced that without a complete decent roadmap this challenge is doomed to fail.

But do we as administrators have to wait until our company has everything in place before we can take action, especially knowing we have maybe only a few years left to be prepared?

Of course, we sysadmins like to deliver a safe environment for our applications and our core business.

What are things we can do already?

Of course, the complete infrastructure and all the components, hardware and software has to be scanned and inventoried; again a strategy is crucial.

For now I’d like to zoom in on my AIX administrator role and share my thoughts about what we can already do for our Power Platform.

AIX admins have the privilege that our underlying hardware, POWER 10, is already Quantum safe, as will be POWER 11 when it becomes available this year. This is because of OS / LPAR / VM isolation, in-memory encryption, hardware isolation, Root-of-Trust, crypto acceleration and so on.

But what about the AIX operating system?

Of course we have PowerSC, trusted boot, TE (Trusted Execution), RBAC (role based access control), encrypted filesystems and LVs, but is this enough?

For this the answer from IBM for Power10 is the following:

-        Existing systems will receive OS and Cryptographic Libraries Quantum Safe updates when they become available in the future.

-        Early experiments and PoCs provide evidence that these systems will run Quantum Safe algorithms efficiently.

And of course for POWER11 new announcements will be made soon:

“PNext will include significant updates to future-proof customer workloads and data, with priority on Quantum Safe firmware signing, consistent with CNSA 2.0 guidelines”

For our IBM storage systems we can rely on Storage System Encryption (e.g., Flash Systems, tape). All data remains in storage.

Readers of my earlier blogs know that I like to use AIX technologies such as TE (Trusted Execution) and RBAC; see also my last blog post (“Patching AIX and VIOS, the right way!”). I like to implement security patches and downloads in a secure and safe way.

In my humble opinion the only safe way to verify your downloads is to make use of the signature files provided by IBM and after implementing the patches we can now use TE to verify our just installed patches.

THANKS IBM for implementing this! Later this year also patches (efixes) will be signed by IBM and added to the TE database ‘tsd.dat’.

But what about the encryption method that is currently used by TE?

Currently the highest encryption method is SHA512; this is not bad at all, but it’s NOT Quantum safe. Personally I like Elliptic Curve Cryptography such as ED25519, but even Elliptic Curve encryption is NOT Quantum safe.

Therefore I submitted a new IBM Idea: https://ideas.ibm.com/ideas/AIX-I-806

Make it possible for TE (Trusted Execution) to make use of stronger encryption.

So please vote on this Idea if you agree with me; I think TE deserves to be made Quantum safe!

Another topic that came to mind is SSH; almost every system that communicates in a secure way uses OpenSSH, including AIX.

The current latest version (released not so long ago) is OpenSSH V9….

Maybe it is possible to use this version in combination with Quantum safe encryption, but I only found examples for Linux.

What I did find was this article:

OpenSSH 10.0 Introduces Default Post-Quantum Key Exchange Algorithm - Quantum Computing Report

This depends on OpenSSH 10, which is not yet available for AIX unless you compile it yourself.

But what I read at the link above sounds like a good solution:

“10.0 has been officially released, introducing a number of protocol changes and security upgrades, including a key enhancement for post-quantum security. The release makes the mlkem768x25519-sha256 algorithm the default for key agreement. This hybrid algorithm combines ML-KEM (a NIST-standardized key encapsulation mechanism) with the classical X25519 elliptic curve method, offering quantum-resistant properties while maintaining compatibility and performance.”

So please start a discussion with me if you have experience with this; I’d like to test this in my test environment.
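
One way to start such a test, as an added example that is not part of the original post or of OpenSSH itself: a small POSIX shell check that reads an effective OpenSSH configuration dump (`sshd -T` on a server, `ssh -G <host>` on a client) and reports whether a hybrid post-quantum key exchange is preferred, only offered, or absent. The function names are hypothetical and the sample dumps are constructed.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Reads an effective OpenSSH configuration dump (`sshd -T` on a server,
# `ssh -G <host>` on a client) and reports how post-quantum key exchange is set up.

# Hybrid post-quantum KEX names known to OpenSSH; everything else is classical.
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the kexalgorithms list from a config dump on stdin, one name per line,
# in preference order.
kex_list() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }' | tr ',' '\n'
}

# Print one verdict for the config dump on stdin.
kex_verdict() {
    algs=$(kex_list)
    if [ -z "$algs" ]; then echo "no-kex-line"; return 1; fi
    first=$(printf '%s\n' "$algs" | head -n 1)
    if is_pq_kex "$first"; then echo "pq-preferred"; return 0; fi
    for alg in $algs; do
        if is_pq_kex "$alg"; then echo "pq-offered-not-preferred"; return 0; fi
    done
    echo "classical-only"
}

# Constructed sample dumps (not captured from a real system).
SAMPLE_PQ='port 22
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256
ciphers aes256-gcm@openssh.com'
SAMPLE_PINNED='kexalgorithms curve25519-sha256,mlkem768x25519-sha256'
SAMPLE_OLD='kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'

for sample in "$SAMPLE_PQ" "$SAMPLE_PINNED" "$SAMPLE_OLD"; do
    printf '%s\n' "$sample" | kex_verdict
done
```

On a real system, pipe `sshd -T` (run as root) or `ssh -G <host>` into `kex_verdict`; `ssh -Q kex` lists which key exchange names the installed build supports at all. A hybrid key exchange is only negotiated when both client and server offer it, so check both ends.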

As you noticed I like discussions on how to achieve a Quantum safe AIX environment and which ingredients are needed to achieve this. So any reactions and ideas are welcome.

