IBM PCIe Cryptographic Coprocessor


Battery replacement kits and multi-battery packs are now available for ordering as part numbers.

To order the battery-replacement kit, or the multi-battery pack, customers in:


The IBM PCIe Cryptographic Coprocessor provides a high-security, high-throughput cryptographic subsystem. The IBM 4765 Cryptographic Security Module validated to FIPS 140-2, Overall Level 4 (highest level of security). See FIPS certification number 1505 (link resides outside of The 4765 Cryptographic Coprocessor is a tamper responding, programmable, cryptographic PCIe card, containing CPU, encryption hardware, RAM, persistent memory, hardware random number generator, time of day clock, infrastructure firmware, and software. Specialized hardware performs AES, DES, TDES, RSA, SHA-1, SHA-224 to SHA-512, and other cryptographic processes, relieving the main processor from these tasks. The coprocessor design protects your cryptographic keys and sensitive custom applications. The software running in the coprocessor can be customized to meet special requirements.

The IBM PCIe Cryptographic Coprocessor has a PCIe local-bus-compatible interface. The coprocessor holds a secured subsystem module, batteries for backup power and a full-speed USB 2.0 host port available through a mini-A connector. The securely encapsulated subsystem contains two 32-bit PowerPC 405D5 RISC processors running in lock-step with cross-checking to detect malfunctions as well as a separate service processor used to manage self-test and firmware updates, RAM, flash memory, and battery-powered memory, cryptographic-quality random number generator, AES, DES, TDES, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and modular-exponentiation (for example, RSA, DSA) hardware, and full-duplex DMA communications. A secure code-loading arrangement enables control program and application program loading and refreshes after coprocessor installation in your server. IBM offers a Linux-based subsystem control program and a cryptographic application programming interface (API) which implements the IBM Common Cryptographic Architecture (CCA).

The IBM PCIe Cryptographic Coprocessor is supported in the following IBM server families:

Further details on specific supported environments are provided elsewhere on this Web site or on the Web sites for the individual IBM server families.

Note that system software on some IBM servers provides higher-level interfaces to the cryptographic functions in the IBM PCIe Cryptographic Coprocessor. For example, some systems may offer Java interfaces which make use of the coprocessor.

News for current customers


Important security notice for System x and System p Users.

New product release for IBM 4765 now available on IBM ServerProven System x servers, effective April 2014, and IBM Power Systems (IBM AIX only), effective May 2014. This release includes support for new financial services verbs for the German Banking Industry Committee (including rejecting a weak PIN), new AES key types, new verbs including Diversified Key Generate2, Recover PIN from Offset, Authentication Parameter Generate, Symmetric Key Export with Data, and Log Query, enhancements to several existing verbs, and a new more secure fixed-length token format for variable-length symmetric key tokens. Beginning with Release 4.4.20, a new financial services verb for the German Banking Industry Committee called DK Migrate PIN is added. Users of the PKA Key Translate (CSNDPKT) verb must migrate to Release 4.4.20 or later to resolve a key-token format issue when using keyword EMVCRT, EMVDDAT, or EMVDDAE.

New release of drivers to support the IBM 4765 on 64 bit platforms is now available. The new release of 'Extended OS' support now includes support for Windows 2012 release 2 (64bit) at the latest CCA level.

The IBM CCA cryptographic coprocessors have never used the Dual_EC_DBRG method, and thus customers using these coprocessors are not exposed to any weakness that might be in that algorithm.

IBM PureFlex™ customers can purchase an IBM 4765 as an add-on feature as of September 10, 2013.
See CCA Release 4.3.5 for more information.

New product release CCA 4.3.8 for IBM 4765 now available on IBM AIX operating system effective June 2013. See Library page for additional information.

As of February 19, 2013, the 4765 hardware security module (HSM) is validated to meet the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") approval scheme used by Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks.

Effective February 2013, a host code fix is available for users of Release 4.3.5 who get the error "The key-storage file is not usable" (return code 8, reason code 752)

New CCA support program release now available for
Linux on IBM System z

effective April 2012.
This release adds
CCA release 4.2
support for the IBM
CEX3C PCIe Cryptographic Coprocessor.

Effective December 2011, new add-on features are being offered for the IBM 4765 on System x to support additional operating systems. See the IBM 4765 software updates page.

Support for optional Smart Card hardware is available. See Smart Card User Guide (11/2013, PDF, 2.19MB) for more information.

IBM 4765 Cryptographic Security Module validated to FIPS 140-2, Overall Level 4 (highest level of security). See FIPS certification number 1505 (link resides outside of