
Security and Cloud-Native Applications - IBM Z Crypto Express meets Red Hat OpenShift

By Adam Jollans posted Wed February 02, 2022 04:57 AM


IBM Z and LinuxONE are renowned for the advanced security they provide, and are used by financial, government and other organizations across the world.

Encryption is provided at a hardware level in two main ways – using the on-chip CPACF crypto accelerator, and through the IBM Crypto Express adapter. The Crypto Express adapter itself provides two main capabilities – fast asymmetric (public/private key) encryption for data-in-motion, and tamper-resistant protection of keys through Hardware Security Modules. Together, these can help protect the vital assets of organizations in their datacenters – from e-commerce to government to banks and fintechs.

Meanwhile, businesses have been moving workloads to the cloud, and cloud-enabling existing workloads. Today, organizations are using containers and Kubernetes to build, deploy, and orchestrate cloud-native applications across their hybrid clouds.

Red Hat OpenShift provides an enterprise-ready PaaS for fast development and flexible deployment of cloud-native applications, and is available across the IT infrastructure including both public clouds and on-prem systems such as IBM Z and LinuxONE. But until recently, these applications were not able to take advantage of the advanced security capabilities of IBM Z provided by the Crypto Express adapter.

In December 2021, IBM released the Kubernetes device plug-in for IBM Crypto Express (CEX) adapters, which enables containerized applications to take advantage of both the hardware asymmetric encryption and the HSM key protection. The plug-in is available from the Red Hat catalog as a supported and certified container image, as well as in a community version from

The IBM Crypto Express adapter can define up to 85 virtualized HSMs, which can be accessed by their adjunct processor queue number (APQN). Containers can then request cryptographic resources using APQNs, which can also be configured to be shared across multiple containers. The device plug-in also supports hot plug and unplug of CEX resources to or from the cluster.

The Kubernetes device plug-in for IBM Crypto Express adapters can be found on the Red Hat catalog at, and documentation can be found at

To learn more, listen to the replay of the webinar “IBM Crypto Express meets Red Hat OpenShift Container Platform on IBM Z and LinuxONE” available at

With the availability of the Kubernetes plug-in for IBM Crypto Express adapters, cloud-native applications running on Red Hat OpenShift are able to offer even more security for data on IBM Z and LinuxONE.