Mainframe hardware has a storage protection function, which is normally used to prevent unauthorized alteration of storage. Storage protection is also used to prevent unauthorized reading of storage areas, although z/OS® protects only small areas of storage this way.

Storage protection works on 4K pages. It deals only with real memory, not virtual memory. When a page of virtual memory is copied from disk to a free page in main storage, z/OS also sets an appropriate storage protection key in that page of main storage.

Storage protection was much more significant before multiple address spaces came into use. When multiple users and jobs were in a single address space (or in real memory in the days before virtual memory), protecting a user's memory from corruption (or inappropriate data peeking) was critical. With z/OS, the primary protection for each user's memory is the isolation provided by multiple address spaces.

Storage protection keys cannot be altered by application programs. There is no way, using the storage protection function, for a normal application program (not an authorized program) to protect part of its virtual memory from other parts of the application in the same address space.

An additional storage protection bit (for each 4K page of real memory) is the page protection bit. This prevents even system routines (running in key 0, which can normally store anywhere) from storing in the page. This bit is typically used to protect LPA pages from accidental damage by system routines.