Luna Cloud HSM Services provide users with access to HSM partitions.
Luna Cloud HSM service partitions are available in both FIPS and non-FIPS modes.
- FIPS mode partitions provide access to a limited set of FIPS-approved cryptographic algorithms that adhere to NIST standards and requirements. FIPS mode partitions use the latest FIPS 140-2 Level 3 certified firmware.
- Non-FIPS mode partitions provide access to an unrestricted set of cryptographic algorithms that includes the algorithms from the FIPS list as well as additional algorithms such as elliptic curves. Non-FIPS mode partitions use the latest firmware, which includes updates, bug fixes, and enhancements. As a result, non-FIPS partitions may be using firmware that is not FIPS certified.
Refer to the Mechanisms List for a list of available FIPS and non-FIPS mechanisms.
To verify whether your partition is using FIPS-certified firmware, access the Cryptographic Module Validation Program and search for Vendor: Thales and Module Name: SafeNet Cryptovisor K7 + Cryptographic Module. Compare the certified firmware versions with the CV firmware version that is displayed when you launch lunacm and connect to your HSM partition.
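The comparison described above can be scripted when you manage several partitions. The following is an added example, not Thales code: it parses saved lunacm output for each slot's CV firmware version and checks it against the versions you copied from the CMVP certificate. The `Field -> value` layout, the sample text, and the version numbers are constructed placeholders and assumptions, not values from this page or from CMVP.

```python
import re

# Assumption: lunacm prints one "Field -> value" line per attribute and
# begins each slot's block with a "Slot Id ->" line.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*->\s*(.*?)\s*$")
VERSION = re.compile(r"\d+(\.\d+)*")

def parse_slots(banner):
    """Split lunacm output into one dict per slot."""
    slots = []
    for line in banner.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Slot Id":
            slots.append({})          # a new slot block starts here
        if m and slots:
            slots[-1][m.group(1)] = m.group(2)
    return slots

def normalize(version):
    """Return a comparable tuple, or None if the text is not a dotted version."""
    if not VERSION.fullmatch(version):
        return None
    parts = [int(p) for p in version.split(".")]
    # Assumption: a trailing ".0" does not denote a different release.
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit(banner, certified_versions):
    """Map each slot id to 'certified', 'not-certified' or 'unknown'."""
    allowed = {normalize(v) for v in certified_versions} - {None}
    result = {}
    for slot in parse_slots(banner):
        cv = normalize(slot.get("CV Firmware Version", ""))
        ok = "certified" if cv in allowed else "not-certified"
        # A slot that reports no CV firmware version is never assumed certified.
        result[slot["Slot Id"]] = "unknown" if cv is None else ok
    return result

# Constructed sample output; the version numbers are placeholders.
SAMPLE_BANNER = """
Slot Id ->              3
CV Firmware Version ->  9.9.0
Slot Id ->              4
CV Firmware Version ->  9.10.2
Slot Id ->              5
Label ->
"""
CERTIFIED = ["9.9"]  # placeholder: copy the real list from the CMVP certificate
```

Calling `audit(SAMPLE_BANNER, CERTIFIED)` reports slot 3 as certified, slot 4 as not certified, and slot 5 as unknown because no CV firmware version was reported for it.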
Luna Cloud HSM Services provisioned through the Thales Data Protection on Demand platform provide access to a single partition per service. The partition is automatically generated and registered on service creation.
Users of Luna Cloud HSM Services provisioned through external (non-DPoD) marketplaces can create and manage the number of partitions defined by the Service Plan. Luna Cloud HSM Services provisioned through the DPoD tenant marketplace provide access to a single partition per service and automatically generate the partition on the HSM.
Access the service page and view HSM Partitions by clicking the service's name in the Services table of your DPoD tenant.
The service page displays. If you are directly accessing the service page for the first time, you must provide your DPoD tenant hostname/URL and user credentials.
Click Create Partition.
The Create Partition wizard displays.
On the Configure Partition screen, provide a Partition Name. You can optionally enable the use of algorithms that are not FIPS compliant by selecting the Remove FIPS restrictions check box.
You cannot alter the FIPS setting after creating the partition.
Review your configuration summary page and, if acceptable, click Finish. If you would like to make changes to the configuration, click Go Back.
The DPoD server generates the partition; this may take a few moments.
Once added, the new partition is listed under HSM Partitions and you are redirected to the service page which lists the partition details and the partition clients. See the Service Page for more information about available service, partition, and partition client details. See Add and Configure Client for more information about using the partition client.