News, tips, partners, and perspectives for the Oracle Solaris operating system

Increasing Data Security with SPARC M7 'Always On' Cryptography

Eric Reid
Principal Software Engineer

Oracle's new SPARC M7-based servers (released in late October) have numerous compelling hardware features, including the all-new Software in Silicon feature set. What many still don't realize is that one of these features -- Hardware Assisted Cryptography -- has existed on SPARC CPUs for several generations. SPARC M7 provides the most powerful on-chip hardware encryption capabilities to date; it's Always On, and it's available at No Extra Cost. It's also supported by a plethora of Oracle and third-party software offerings Right Now.

SPARC M7 provides 32 cryptographic engines per processor, delivering wide-key encryption of both 'data at rest' and 'data in motion' with near-zero performance impact. Most of today's most secure bulk encryption ciphers, message digests and public-key encryption algorithms are supported. Nothing to enable, no code to change.

SPARC M7 on-board encryption functionality (similar to that of previous-generation SPARC T5):

Accelerator Driver: Userland (no drivers required)
Public-Key Encryption: RSA, DSA, DH, ECC
Bulk Encryption: AES, DES, 3DES, RC4, Camellia
Message Digest: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
APIs: PKCS#11 Standard, UCrypto APIs, Java Cryptography Extensions, OpenSSL

What about software support? Oracle 12c already takes advantage of M7 HW Crypto via its Oracle Advanced Security Transparent Data Encryption (TDE), out of the box. WebLogic? The same - it works out of the box. This is true for both native (C/C++-based) and Java Oracle "Red Stack" applications, all of which make seamless use of the underlying hardware encryption mechanisms. 

Okay, you say, we'd expect Oracle's Database and Middleware to support Oracle hardware features -- what about the rest of us? Well, as it turns out, much of the framework software in Solaris 11 is hardwired to take advantage of SPARC HW Crypto when it's detected. Third-party software that makes use of these frameworks will usually "get HW Crypto for free". This list includes:

  • openssl(5)
  • ssh(1)
  • Solaris VM for SPARC (aka LDoms)
  • Java runtime - configured via standard JCE/JSSE security mechanisms
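
Because that use is automatic only "when it's detected", it is worth confirming what the CPU advertises before relying on it. The check below is an added example, not Oracle's code: it parses `isainfo -v` output, assumes the capability names printed on SPARC T4 and later are unchanged on M7, and falls back to a constructed sample when `isainfo` is not available.

```shell
#!/bin/sh
# Added example: report which crypto instruction groups a SPARC CPU advertises.
# Assumption: token names are those `isainfo -v` prints on SPARC T4 and later.

# Constructed sample of `isainfo -v` output (not captured from a real M7).
SAMPLE_ISAINFO='64-bit sparcv9 applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia
        kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
32-bit sparc applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia
        kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc'

# Capabilities matching the algorithm list above: bulk ciphers, digests, and
# mont/mpmul (Montgomery and multi-precision multiply, used by public-key code).
WANTED='aes des camellia md5 sha1 sha256 sha512 crc32c mont mpmul'

# missing_crypto_caps TEXT
# Prints the wanted capabilities that do not appear as whole tokens in TEXT.
missing_crypto_caps() {
    missing=''
    for cap in $WANTED; do
        found=no
        for tok in $1; do          # unquoted on purpose: split on whitespace
            if [ "$tok" = "$cap" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = no ]; then
            missing="${missing:+$missing }$cap"
        fi
    done
    printf '%s\n' "$missing"
}

# Use the live system when possible, otherwise the constructed sample.
if command -v isainfo >/dev/null 2>&1; then
    caps=$(isainfo -v)
else
    caps=$SAMPLE_ISAINFO
fi

result=$(missing_crypto_caps "$caps")
if [ -z "$result" ]; then
    echo "all expected crypto capabilities advertised"
else
    echo "not advertised: $result"
fi
```

A non-empty "not advertised" list means software on that host is running those algorithms in plain software, for example inside a guest domain or on older hardware.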

The Systems ISV Engineering team is currently working with a number of Solaris ISVs to ensure support and optimal usage of SPARC Hardware Crypto functionality. Look for future blog posts here (and technical articles on OTN) where we will cover this topic with ISVs such as IBM and Sybase.

"The future data center is completely encrypted, and this is the first processor that enables that."

— John Fowler, Oracle Executive Vice President for Systems

You can test your applications on SPARC M7-based systems today, to explore and leverage their breakthrough technologies using the Oracle Software in Silicon Cloud for developers and partners. Available now to all OPN members, enterprise developers with MOS accounts and university researchers (members of Oracle Academy), the Software in Silicon Cloud is a robust and secure cloud platform with ready-to-run virtual machine environments and offers easy access to Oracle SPARC M7 systems running Oracle Solaris 11.3. Try it today!
