Marcy,
with in one CEC you cannot share an APQN (a specific domain in a
specific adapter) in two active LPARs or guests (regradless) of the
location of the two guests.
Is 680 guest too few? How much would you like to have?
As for letting the hypervisor do the disk encryption, this is easily
possible for KVM today.
What kind of disks are you using in you z/VM guests dedicated disks
(DASD or SCSI?) or mini disks?
-Reinhard
On 18.01.20 23:15, Marcy Cortes wrote:
I was talking about the CCA rpm package needed on Linux
Sent with BlackBerry Work
(www.blackberry.com)
From: Alan Altmark <[email protected]<mailto:[email protected]>>
Date: Saturday, Jan 18, 2020, 2:01 AM
To: [email protected]
<[email protected]<mailto:[email protected]>>
Subject: Re: [LINUX-390] Pervasive disk encryption questions
To be clear, a CCA is a crypto in Coprocessor mode. It is the only mode
that allows Linux or z/OS to load master keys without TKE, so keeping it
out of the picture isn’t going to work if you want to use ICSF to load
keys.
A (crypto, domain) pair can be online to only one LPAR at a time, but in
any case you cannot relocate a guest with APDED domains.
Regards,
Alan Altmark
IBM
On Jan 17, 2020, at 8:00 PM, Marcy Cortes <[email protected]>
wrote:
One more question I have and its probably more VM orientated.
Say we decide z/OS ICSF loads all the master keys for us (keeping CCA out
of the pic) . Can a guest on VM1 use the same card/domain as a guest on
VM2 in another lpar provided they user the same MK? Trying to figure out
HW requirements for fitting this into a GDPS 4 site where a guest can be
instantiated in lots of places (8 different lpars currently).
And those in the same cluster I'd still like to be able to LGR them.
PS. Has IBM considered that maybe this data at rest encryption is better
handled at the VM layer? Current HW basically limits you to 760 guests
using it on z15 if you give 2 devices to each guest for redundancy, right?
(85 * 16 = 1360 / 2 ).
Marcy
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or
visit
https://urldefense.proofpoint.com/v2/url?u=http-3A__www2.marist.edu_htbin_wlvindex-3FLINUX-2D390&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=XX3LPhXj6Fv4hkzdpbonTd1gcy88ea-vqLQGEWWoD4M&m=YJ0apmefTqTIb9A_tsjLg_jZLBDQ7z30plCLJhj2AdA&s=jgDJvvKIlIt8nomhJ9ERSkPwWQVqjmaoeffEhIhwMSM&e=
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
