I don't believe this is applicable to the key serving use cases that GKLM (nee SKLM) is used for. The FAQ for Key Blocks includes this text:
"must be used for all PIN security-relevant symmetric keys exchanged or stored under another symmetric key - for example, Zone Master Keys (ZMKs), .......... and PIN-Encryption Keys (PEKs)".
GKLM is typically used to serve keys used for various types of platform encryption. Examples include self encrypting storage hardware (flash/disk/tape), platform encryption for database servers, platform encryption for ESXi virtual machines, and for virtual storage such as Spectrum Scale (nee GPFS). The keys served by GKLM are not used to authenticate or identify individual users. The example of self-encrypting storage is instructional: the storage hardware itself performs all encryption and decryption of data at wire speed, using the key served from GKLM. From outside that storage device, it appears as if the data on that storage device is not encrypted. The main benefit is to ensure that if flash/disk is retired or returned for maintenance, or if a tape is lost in transit, no one outside your organization will ever be able to read it. So there is no concept of individual user authentication using these keys.
------------------------------
Carl Hovi
IBM
------------------------------
Original Message:
Sent: Mon January 09, 2023 11:52 AM
From: David Vicenteño Sanchez
Subject: GKLM in compliance with PCI standards, Key Block requirement
Hi Team, a prospective customer is asking: Is GKLM in compliance with PCI standards, especially the Key Block requirement? https://docs-prv.pcisecuritystandards.org/PIN/Supporting%20Document/PIN_Security_Rqmt_18-3_Key_Blocks_2022_v1.1.pdf
Does the solution have Remote Key Loading? Any clue? Thanks in advance.
------------------------------
David Vicenteño Sanchez
------------------------------