Programming with libzpc

This part describes important concepts that you need to understand before using the libzpc APIs, so that you can avoid errors.

You can use the protected key functions of libzpc for AES cryptography and elliptic curve cryptography (ECC) as follows:

AES
  • Encryption/Decryption
  • Authenticated encryption with associated data (AEAD)
  • Message authentication (MAC)
ECC
  • ECDSA signature creation and verification

When using libzpc for AES cryptography, you have two options. You can generate a secure key/protected key pair, where the protected key is derived from a persistent secure key. The effective key of such a protected key can therefore be automatically re-wrapped with a new firmware wrapping key when the old one is no longer available, for example, because an LPAR has been rebooted in the meantime.

Alternatively, you can generate a protected key directly in the CPACF when you need it only within the lifetime of an LPAR, for example, for encrypting swap disks.

Note: You cannot directly generate a protected key when using the ECC key APIs. For more information, read Performing ECC cryptographic operations.

Applications include the <zpc/...> header files corresponding to the required APIs and link with -lzpc. With the exception of zpc_error_string(), all libzpc functions return either no value or an integer, which is zero on success or a non-zero error code on failure.