Enterprise Knights of IBM Z - Group home

Trusted Key Entry (TKE) Wizards

By Sneha Kanaujia posted Tue April 13, 2021 02:24 PM

Have you ever wondered what the Trusted Key Entry (TKE) product is or what the fastest way is to learn about it? If so, read on. But before you can talk about Trusted Key Entry, you have to understand the basics of Hardware Security Modules (HSMs) on IBM Z and LinuxONE servers.

IBM sells FIPS-evaluated Hardware Security Modules, or HSMs. You may know them as the Crypto Express cards or modules. They are installed in IBM Z and LinuxONE servers. Each HSM has up to 85 domains. Each domain has a set of master keys and settings that control what services or capabilities may be used by applications. HSMs are mission critical when running applications or various offerings on IBM Z and LinuxONE servers.

IBM Z and LinuxONE cryptographic environments tend to be large and global. In addition to the number of domains on each HSM, IBM Z and LinuxONE servers can have up to 60 HSMs. A typical enterprise has many servers which are geographically dispersed. It is common for clients to use hundreds of domains across their entire cryptographic environment.

Finally, many clients are required to manage HSMs using compliant-level management mechanisms. Many times, this means the master keys must be broken into parts, the master key parts must be stored in protected storage and never be exported in the clear, and all HSM administrative settings must be managed using dual control.

With this background, now we can talk about the Trusted Key Entry product.

Trusted Key Entry, or TKE, is the product IBM uses to provide compliant-level HSM management mechanisms for HSMs on IBM Z and LinuxONE servers. If you don't need the compliant-level mechanisms, the TKE still has profound value because it provides streamlined processes for managing large, complex cryptographic environments. For example, if you have dozens of crypto domains with the same settings, TKE allows you to group them and configure them in one pass through the HSM management process.

But what is the easiest way to learn about the TKE? Go to the IBM Media Center and watch the videos in this playlist:


This video series has been created to help you understand how to use the TKE to manage Common Cryptographic Architecture (CCA) mode HSMs on your IBM Z and LinuxONE servers. There is a short video that describes the topic covered by each of the videos in the series.

I hope you find this video playlist helpful!

Brought to you by your trusted TKE Wizard, Garry Sullivan.