To be clear, a CCA is a crypto in Coprocessor mode. It is the only mode that allows Linux or z/OS to load master keys without TKE, so keeping it out of the picture isn’t going to work if you want to use ICSF to load keys.
A (crypto, domain) pair can be online to only one LPAR at a time, but in any case you cannot relocate a guest with APDED domains.

Regards,
Alan Altmark
IBM

> On Jan 17, 2020, at 8:00 PM, Marcy Cortes <marcy.d.cor...@wellsfargo.com> wrote:
>
> One more question I have and it's probably more VM orientated.
>
> Say we decide z/OS ICSF loads all the master keys for us (keeping CCA out of the pic). Can a guest on VM1 use the same card/domain as a guest on VM2 in another lpar provided they use the same MK? Trying to figure out HW requirements for fitting this into a GDPS 4 site where a guest can be instantiated in lots of places (8 different lpars currently).
>
> And those in the same cluster I'd still like to be able to LGR them.
>
> PS. Has IBM considered that maybe this data at rest encryption is better handled at the VM layer? Current HW basically limits you to 760 guests using it on z15 if you give 2 devices to each guest for redundancy, right? (85 * 16 = 1360 / 2).
>
> Marcy
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www2.marist.edu_htbin_wlvindex-3FLINUX-2D390&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=XX3LPhXj6Fv4hkzdpbonTd1gcy88ea-vqLQGEWWoD4M&m=YJ0apmefTqTIb9A_tsjLg_jZLBDQ7z30plCLJhj2AdA&s=jgDJvvKIlIt8nomhJ9ERSkPwWQVqjmaoeffEhIhwMSM&e=
> ----------------------------------------------------------------------