Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Service Guides

Luna Cloud HSM for DKE Guide

search

Luna Cloud HSM for DKE Guide

Luna Cloud HSM for Double Key Encryption (DKE) is a unique Luna Cloud HSM Service offering that provides access to a Luna Cloud HSM Service partition and the Luna Key Broker for Microsoft DKE service software. Use the service software to create a Microsoft DKE endpoint by running the included container and connecting the Luna Cloud HSM for secure storage of DKE cryptographic keys.

The Thales Luna Cloud HSM Service and DKE for Office 365 enables organizations to protect their most sensitive data while maintaining full control of their encryption keys. The solution uses two keys to protect data. One key is in the customer's control in a FIPS 140-2 Level 3 validated Luna HSM and a second key is stored securely in Microsoft Azure. Both keys are required to access protected data, ensuring that Microsoft and other third parties never have access to the protected data on their own. This enhanced data protection capability enables organizations to benefit from the full power of Microsoft 365 collaboration and productivity tools while protecting sensitive data and meeting data privacy regulations and requirements.

The Luna Cloud HSM for DKE service provides access to the following:

Provision a Luna Cloud HSM for DKE service

  1. Log in to your DPoD enterprise tenant as a user with tenant administrator or application owner privileges.

  2. Open the Services tab and select the Add Service heading. Navigate the marketplace categories and click Create Service on the service that you would like to provision. If you have not Purchased a Service Subscription or previously completed a trial for the service, the option will display as Try Service.

  3. The Add Service wizard displays. Review the Terms of Service and click Next.

  4. On the Configure Service page, enter the required criteria for the service and click Next.

  5. Review your configuration summary page, and if you are satisfied click Finish. If you would like to adjust the service configuration click Go Back.

Download the Luna DKE service software and integration guide

Download the Luna DKE service software and integration guide from your DPoD tenant service page.

  1. Log in to your DPoD enterprise tenant as a user with tenant administrator or application owner privileges.

  2. Navigate to the View Services tab (My Services tab for application owners) and click on the Luna Key Broker for Microsoft DKE service name.

  3. Click Download Luna DKE Service Software.

    The browser begins the download of the Luna DKE service software .zip.

  4. Click Integration Guide in the banner to download the Luna Key Broker for Microsoft DKE Integration Guide.

Download the Luna Cloud HSM Service client

Download a client using your DPoD tenant. For information about adding a Luna Cloud HSM Service to an existing client see Adding a Luna Cloud HSM Service in the Luna Client Guides.

Note

The client downloaded from the Luna Cloud HSM Service is a minimal client package. It does not contain Luna Universal Client utilities such as the Luna Software Development Kit (SDK), or pscp. To use these tools with the Luna Cloud HSM Service you must complete the Luna HSM Client Software Installation and configure the client to communicate with the Luna Cloud HSM service as describe in Adding a Luna Cloud HSM Service.

  1. Access the Service Page and click the service or the partition name that you would like to generate a client for.

  2. Click Create Client, if this is your first client, or click New Client. The Create Client window displays.

  3. In the Create Client window, enter a Client Name (Example: Luna-Cloud-HSM-Client_1) and select Create Client.

    A new client (in this case Luna-Cloud-HSM-Client_1_client.zip) generates and is provided for downloading and installing on your client machine.

    Note

    The client is a zip file that contains system information needed to connect your client machine to an HSM partition. See the section client Contents for client content details.

Unpack the Luna Cloud HSM Service client

Complete the following procedures to unpack the client .zip for your operating system.

  1. Transfer the client to your machine. You can use SCP, PSCP, WinSCP, FTPS or other secure transfer tool to transfer the client.

  2. Using the Windows GUI or an unzip tool, unzip the file - Service_Windows-Client_1_client.zip.

  3. Decompress the cvclient-min.zip.

    Note

    Extract the cvclient-min.zip within the directory you created in the previous step. Do not extract to a new cvclient-min.zip directory. This location is required for the setenv command in step 7.

    The lunacm command will only be able to run from root of client directory if setenv is not executed.

  4. Set the environment variable. Open an Administrator Command Prompt - right click Command Prompt and select Run as Administrator. Execute the following in the Administrator Command Prompt:

    
.\setenv.cmd

    The command returns:

    
Generated <path_to_service_client>\crystoki.ini

Linux operating systems support installing multiple clients on a single host system. See the section Installing multiple clients on Linux.

  1. Transfer the client to your machine. You can use SCP, PSCP, WinSCP, FTPS or other secure transfer tool to transfer the client.

  2. Unzip the client.

    
unzip Service_Linux-Client_1_client.zip

    Note

    The Linux client contains the legacy Windows client materials. If you do not require the legacy Windows client, you can delete the cvclient-min.zip.

  3. Untar the cvclient-min file.

    
tar xvf cvclient-min.tar

    Note

    Extract the cvclient-min.tar within the directory you created in the previous step. Do not extract to a new cvclient-min.tar directory. This location is required for the setenv command in step 7.

    The lunacm command will only be able to run from root of client directory if setenv is not executed.

  4. Set the environment variable.

    
source ./setenv

Initialize the Luna Cloud HSM Service partition

Initialize the partition and required Service Client Roles to begin using the Luna Cloud HSM Service. For more information about client configuration parameters see client Configuration Requirements.

To launch lunacm with logging enabled see Logging.

  1. Start LunaCM. From the directory where you unzipped the cvclient-min.zip file.

    Execute

    
lunacm


    
./bin/64/lunacm

  2. If the command executes with no errors, your connection is working correctly.

    Tip

    If you are unable to connect to the Luna Cloud HSM Service see Client Network Connectivity and Client Troubleshooting for more information about resolving client connection issues.

    
    lunacm (64-bit) v10.4.0-417. Copyright (c) 2021 SafeNet. All rights reserved.
            Available HSMs:
            Slot Id ->              3
            Label ->
            Serial Number ->        1285336687861
            Model ->                Cryptovisor7
            Firmware Version ->     7.3.0
            CV Firmware Version ->  1.4.2
            Plugin Version ->       Cloud 2.1.0-554
            Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
            Slot Description ->     Net Token Slot
            FM HW Status ->         FM Not Supported
            Current Slot Id: 3
    lunacm:>

  3. Set the active slot to the uninitialized Luna Cloud HSM Service partition. You can verify the slot number by executing slot list in LunaCM.

    
slot set -slot <slotnum>

  4. Initialize the Luna Cloud HSM Service partition. Execute the following and complete the wizard to create the partition security officer (po), and set the initial password and cloning domain. 

    
partition init -label <par_label>

  5. Log in as partition SO (po).

    
role login -name partition so

  6. Initialize the crypto officer (co) and set the initial password.

    
role init -name crypto officer

  7. Log out of the partition security officer role and log in as the crypto officer.

    
role logout
role login -n crypto officer

    Caution

    On their first log in, the crypto officer (co) must change the credential password set by the partition so (po).

  8. Update the crypto officer password.

    
role changepw -n crypto officer

    Applications can now use the crypto officer credentials to perform cryptographic operations using keys and objects created in the partition.

Integrate with Double Key Encryption for Microsoft 365

To integrate your service with Double Key Encryption for Microsoft 365 follow the instructions in the Luna Key Broker for Microsoft DKE Integration Guide.

The Luna Cloud HSM for DKE service supports deploying the solution as a container service. When implementing the solution follow the instructions under Deploy Luna Key Broker service with Luna HSM as keystore > Method 2: Deploy Luna Key Broker service as a container service in the Luna Key Broker for Microsoft DKE Integration Guide to complete the integration.

For more information on obtaining the Luna Key Broker for Microsoft DKE Integration Guide through your DPoD tenant see Download the Luna DKE service software and integration guide.

On this page