Technical White Paper:

Connect/Hybrid: Optimizing OpenPGP on z/OS

A Practical Strategy for Cost Reduction, Governance, and Hybrid Agility

Published: December 1, 2025
Author: Data 21 Technical Services

Executive Summary

As OpenPGP usage expands across financial services, healthcare, government, and other highly regulated sectors, traditional z/OS-resident PGP workloads are imposing growing operational and financial burdens. CPU-intensive asymmetric cryptography, increasing partner key counts, and emerging post-quantum requirements are driving higher MSU consumption and escalating Crypto Express hardware dependence.

At the same time, most large enterprises now operate deliberately hybrid environments encompassing z/OS, Linux, Windows, and cloud platforms. These distributed platforms can execute cryptographic workloads at significantly lower cost — but only if integrated with z/OS in a controlled, auditable, and operationally simple manner.

Connect/Hybrid z/OS Hybrid PGP, in which z/OS retains operational control while encryption executes on the most cost-effective platform (z/OS USS, z/Linux on IFLs, x86, Windows, or macOS), offers a measurable reduction in MSU consumption and minimizes reliance on Crypto Express hardware. This paper outlines the strategic, financial, and architectural value of this model and explains why Data21 Connect/Hybrid provides a materially stronger integration approach than traditional hybrid methods. Unlike solutions that depend on shell pipelines, file staging, or script-driven workflow orchestration, Connect/Hybrid delivers a governed, JCL-native execution layer with deterministic behavior, robust error handling, and full SMF-based auditability. By eliminating ad-hoc scripting, external daemons, and loosely coupled client/server wrappers, Connect/Hybrid provides a far more secure, maintainable, and enterprise-consistent foundation for modernizing PGP operations across heterogeneous platforms.

1. The Challenge: Rising Cost and Complexity of Traditional z/OS PGP

1.1 Asymmetric cryptography drives MSU consumption

Symmetric encryption on z/OS is highly optimized. CPACF accelerates AES and hashing with near-zero CPU cost, and zEDC compresses efficiently. However, asymmetric operations (RSA/ECC key generation, signing, public-key encryption) remain CPU-intensive and are often the dominant contributor to PGP processing cost — especially when encrypting for multiple partners.

1.2 Crypto Express dependence is expensive to sustain

Many organizations originally deployed Crypto Express cards primarily to support OpenPGP workloads.

The current cost profile includes:

  • Hardware and maintenance
  • Power, cooling, cabling
  • Software priced per MSU

For organizations with 2–6 Crypto Express cards dedicated to PGP workloads, this represents a substantial annual expense.

1.3 Operational fragility of DIY PGP integration

Historically, hybrid solutions were built using:

  • REXX scripts
  • Unix shell scripts
  • SSH wrappers
  • Bespoke conversion utilities

These solutions require specialized expertise that is increasingly scarce. Error handling and auditability vary widely, and maintenance burdens increase as partner key counts grow.

1.4 Post-quantum cryptographic requirements are emerging

Financial institutions and government agencies are beginning to mandate:

  • ML-KEM (Kyber)
  • ML-DSA (Dilithium)
  • SLH-DSA (Sphincs+)

Supporting these algorithms in a cost-effective way on z/OS requires an execution model that can scale flexibly without increasing MSU load.

2. The Hybrid OpenPGP Model: A Better Architectural Approach

Hybrid OpenPGP separates control from execution:

  • z/OS remains the system of record: JCL, RACF/ACF2/Top Secret security, SMF/RMF audit, dataset governance, and central policy enforcement remain on the mainframe.
  • Encryption runs on the most cost-effective platform:
    • z/OS USS with IBM-ported GnuPG
    • z/Linux on IFLs
    • External Linux x86
    • Windows or macOS endpoints
  • Keys and workflows stay under z/OS governance. GnuPG keyrings and policies remain centrally managed.

Result:
Mainframe organizations gain the flexibility of distributed cryptography with the governance and stability of z/OS.

3. Why GnuPG is the Logical Foundation for Hybrid PGP

GnuPG (GPG) remains the global reference implementation of OpenPGP and presents several advantages for mainframe environments.

3.1 No per-MIPS or per-user licensing

GnuPG eliminates the predominant cost driver of many legacy PGP products.

3.2 Active maintenance and rapid security patching

The current 2.4x and 2.6x branches receive fast updates and support modern algorithms such as:

  • Curve25519 / Ed25519
  • AES-256-GCM
  • SHA-3
  • PQC algorithms included in NIST's 2024 selections

3.3 Cross-platform consistency

The same keyrings and command-line syntax operate unchanged across:

  • z/OS USS
  • z/Linux
  • x86 Linux
  • Windows
  • macOS

The "write once, use anywhere" model reduces operational variance and simplifies validation.

3.4 FIPS-aligned cryptography

While GnuPG itself is not a FIPS module, several underlying cryptographic components (e.g., libgcrypt within RHEL, Ubuntu Pro, and SUSE) are validated within FIPS 140-2 or 140-3 certified modules. On z/OS USS, asymmetric operations can leverage ICSF/System SSL, while symmetric operations use CPACF.

4. Connect/Hybrid: A Governance-First Integration Platform

Connect/Hybrid provides a z/OS-native integration layer that orchestrates hybrid PGP execution without requiring scripting or network staging.

4.1 Direct z/OS integration

Connect/Hybrid runs within the z/OS address space and accesses:

  • Sequential datasets
  • PDS/PDSE
  • GDGs
  • zFS/HFS files
  • STDIN/STDOUT/STDERR streams

This avoids temporary files, manual transfers, and custom BPXBATCH logic.

4.2 Cross-platform orchestration

From standard JCL, Connect/Hybrid can:

  • Invoke remote commands on z/Linux, x86 Linux, Windows, or macOS
  • Stream data securely via the FIT protocol
  • Apply inline encryption and compression
  • Return exit codes and stdout/stderr to the batch job

4.3 Simplified operations

Administrators do not need shell scripting or SSH expertise. All hybrid behavior is configured declaratively.

4.4 Auditing and compliance
  • z/OS side: SMF records (e.g., Types 30/119)
  • Distributed side: syslog/journald logging
  • Key management: centralized GnuPG keyrings

This approach ensures that cryptographic execution outside z/OS never results in plaintext leaving the trust boundary.

5. Deployment Topologies and Their Trade-Offs

Hybrid PGP can run across multiple platforms with the same JCL. The choice of topology depends on cost, latency, and operational constraints.

5.1 z/OS USS (within the same LPAR)
  • Uses IBM-ported GnuPG
  • Lowest-latency option
  • Leverages CPACF and zIIP eligibility
  • Requires no distributed infrastructure

Best for:
Low-complexity deployments and organizations optimizing for stability rather than maximum cost reduction.

5.2 z/Linux on IFLs (same CPC)
  • Moves CPU cost to IFLs (typically lower cost per unit of compute)
  • Uses HiperSockets for high-speed transfer
  • Full support for FIPS-aligned crypto modules

Best for:
Organizations seeking the strongest balance of cost savings and low latency.

5.3 External Linux x86 (on-prem or cloud)
  • Extremely cost-efficient compute
  • Supports container-based scaling for peak loads

Best for:
Enterprises with variable throughput or cloud adoption initiatives.

5.4 Windows or macOS endpoints
  • Useful where partner teams, internal applications, or operational tools run natively on these platforms
  • No licensing costs for GnuPG

Best for:
Mixed-platform environments and departmental deployments.

6. Financial Impact: Reducing MSUs and Eliminating Crypto Express

Across 2024–2025 deployments, organizations adopting hybrid PGP generally report three primary savings categories:

6.1 Crypto Express removal or repurposing

Many enterprises are able to decommission 2–6 cards previously used for PGP batch processing.

6.2 MSU reduction

Offloading asymmetric cryptography to distributed platforms typically lowers overall MSU usage significantly, sometimes yielding seven-figure annual reductions depending on batch volumes and partner key counts.

6.3 Reduced operational overhead

Benefits include:

  • Less reliance on scarce scripting skills
  • Lower maintenance of custom pipelines
  • Consistent onboarding of new partners through configuration rather than code

Payback Timeframes

Most organizations adopting hybrid PGP achieve a full return on investment within 4-12 months, based on the combination of MSU savings, lower hardware requirements, and reduced operational complexity.

7. Security, Governance, and Post-Quantum Readiness

Hybrid execution does not change the z/OS security posture. Keys, datasets, and policies remain controlled by the mainframe.

7.1 Data protection
  • End-to-end encrypted pipelines
  • No plaintext written to remote systems
  • Mutual authentication of endpoints

7.2 Audit and compliance

SMF and syslog/journald provide full traceability across platforms.
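The traceability claimed in sections 4.4 and 7.2 is only useful if the z/OS and distributed records can be joined. The following is an added example, not Data21 code, showing one way to do that join; it assumes that job-step fields have already been extracted from SMF Type 30 records into plain text and that the remote gpg wrapper writes the originating z/OS job ID into its journald line (both assumptions are illustrative, as are the sample records).

```python
"""Correlate z/OS SMF step records with remote gpg log lines by job ID.

Assumption (not documented on the page): the remote wrapper logs the
z/OS job ID, and SMF Type 30 step-end data has been flattened to text.
All sample records below are constructed for illustration.
"""
import re

# Constructed: fields extracted from SMF Type 30 step-end records.
SMF_STEP_RECORDS = """\
2025-12-01T02:10:05Z JOB=PGPENC01 JOBID=JOB04711 STEP=ENCRYPT RC=0000
2025-12-01T02:15:40Z JOB=PGPENC02 JOBID=JOB04712 STEP=ENCRYPT RC=0000
"""

# Constructed: journald lines from the remote encryption host.
REMOTE_LOG = """\
Dec 01 02:10:06 enc01 gpg-hybrid[2210]: jobid=JOB04711 op=encrypt recipients=2 status=ok
Dec 01 02:15:41 enc01 gpg-hybrid[2218]: jobid=JOB04712 op=encrypt recipients=3 status=error
Dec 01 02:20:00 enc01 gpg-hybrid[2230]: jobid=JOB09999 op=decrypt recipients=1 status=ok
"""

SMF_RE = re.compile(r"JOBID=(\w+) STEP=(\w+) RC=(\d{4})")
LOG_RE = re.compile(r"jobid=(\w+) op=(\w+) .*status=(\w+)")


def correlate(smf_text, log_text):
    """Join both record sets on job ID.

    Returns (matched, orphans). Each matched entry carries a 'consistent'
    flag: False when the remote side reported an error but the z/OS step
    ended RC=0 (or vice versa). Orphans are remote gpg operations with no
    z/OS job behind them, the condition an auditor would escalate first.
    """
    steps = {}
    for line in smf_text.splitlines():
        m = SMF_RE.search(line)
        if m:
            steps[m.group(1)] = {"step": m.group(2), "rc": int(m.group(3))}
    matched, orphans = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        jobid, op, status = m.groups()
        if jobid in steps:
            entry = dict(steps[jobid], op=op, status=status)
            entry["consistent"] = (status == "ok") == (entry["rc"] == 0)
            matched[jobid] = entry
        else:
            orphans.append({"jobid": jobid, "op": op, "status": status})
    return matched, orphans
```

In the sample data, JOB04712 ends RC=0 on z/OS while the remote side logged an error, and JOB09999 has no z/OS job at all; both are the kind of discrepancy a cross-platform audit should surface.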

7.3 Post-quantum cryptography support

GnuPG versions aligned with current NIST PQC selections give organizations early access to:

  • ML-KEM (Kyber)
  • ML-DSA (Dilithium)
  • SLH-DSA (Sphincs+)

These algorithms can be enabled via policy changes without modifying JCL scripts.

8. Conclusion: A Practical Path to Modernizing z/OS PGP

As regulatory, operational, and cost pressures rise, organizations need a more efficient and scalable approach to OpenPGP on z/OS. Hybrid execution provides a measurable reduction in MSU consumption, decreases or eliminates Crypto Express dependency, and improves operational resilience — all while retaining the governance and stability of traditional JCL-driven batch operations.

Connect/Hybrid offers a practical, low-risk model for implementing hybrid OpenPGP:

  • Integrates into existing batch workflows: no redesign of job structures, scheduling logic, or dataset flows is required
  • No custom scripting
  • Centralized key and policy governance
  • Consistent behavior across z/OS USS, z/Linux, x86, Windows, and macOS
  • Pathway to post-quantum readiness

For organizations seeking a cost-efficient, audit-ready, and future-proof approach to z/OS OpenPGP, hybrid execution provides one of the highest-impact modernization opportunities available today.


For more information about Connect/Hybrid and z/OS Hybrid PGP, contact Data 21:

  • Email: salesteam@data21.com
  • Phone: +1 (310) 870-7221
  • Website: www.data21.com
