You are here: Luna SA Introduction

Introduction and Physical Features

The SafeNet Luna SA is an Ethernet-attached HSM (Hardware Security Module) Server designed to protect critical cryptographic keys and to accelerate sensitive cryptographic operations across a wide range of security applications. Luna SA includes many features that increase security, connectivity, and ease-of-administration in dedicated and shared security applications.

Luna SA comes in one of two model families, according to the level of authentication and access control. Your Luna SA was factory configured to operate as either:

The standard appliance is the 1U-high, rackmount, RoHS-compliant [ Reduction of Hazardous Substances ] device:





which replaces the Luna SA 4.x device.




Here are some of the important physical features of the Luna SA appliance.

First, the front (this illustration shows the appliance with its decorative bezel removed)...

Item Description
a LCD system status screen - shows IP info and scrolls through system status messages
b Serial (console) port - local connection for initial setup, and for admin account reset (local-only action for security reasons)
c Ventilation-fan filter cover - removable bracket allows cleaning of air filter
d Fan filter cover retaining screw - a captive thumb-screw (no tool needed) ( "Power Supply and Fan Maintenance" )
e Mounts for removable front bezel - the decorative/protective front bezel mounts on the appliance front panel. Spring clips behind the bezel engage the mounting posts at the left and right ends of the appliance front panel.
f Rack-mount tabs (removable) - use these on the front, and the sliding tabs toward the rear to support your Luna appliance in a compatible equipment rack
g Securing screw for fan bay - Torx screw secures the fan bay; opening to swap fan modules triggers a tamper event on the appliance
h USB port - use to connect Luna Remote Backup HSM (for backup of your HSM partition contents), Luna G5 HSM, or Luna DOCK 2 (for PKI and for migration of cryptographic material from older backup token HSMs); same as USB port on back panel
i PED port - attach Luna PED 2, Pin Entry Device, reads the hardware (iKey) authentication devices for Trusted Path (FIPS 140 level 3) access control


Then, the back...

Item Description
a Kensington Security Slot - attach an industry-standard locking cable for additional physical security
b Ethernet ports - for network connection of your Luna appliance
c Decommissioning button - recessed for safety; renders HSM contents unusable ( "HSM "Emergency Decommission" Button" )
d Power supply release tab - press tab to release the catch, and slide the power supply out
e Removable power supply - one of two redundant power supplies ( "Power Supply and Fan Maintenance" )
f 2nd removable power supply - the other of two redundant power supplies
g Start/stop switch - use to stop the system if the command-line shutdown is not available; use to restart the system if it has been switched off
h USB ports - use to connect Luna Remote Backup HSM (for backup of your HSM partition contents), Luna G5 HSM, or Luna DOCK 2 (for PKI and for migration of cryptographic material from older backup token HSMs); same as USB port on front panel
i, j Unused ports - these ports are not used for Luna SA; we recommend that you do not remove the covers that were installed at the factory  


At any given time, a FIPS-validated version is available [except for newly introduced products that have not had time to go through the year-long evaluation and validation process ], and a newer not-yet-validated version might also be available. The usual practice is to ship units pre-loaded with the firmware and software at the FIPS-validated level, by default, while providing the option to update the Client software, Appliance software, and Appliance firmware to the newer version. This allows customers who need FIPS validation to have that configuration from the factory, and customers who need newer features (and do not need FIPS validation) to upgrade by simply installing the newer software and following the upgrade procedure.

To check the progress of HSM versions that are submitted for FIPS 140-2 validation visit the NIST site at:
( ).

Similarly, some versions of product are submitted for Common Criteria EAL evaluation ( "Common Criteria" ).

You can also check SafeNet Sales or SafeNet Customer Support to inquire about certification status of SafeNet HSM products. If FIPS validation or CC EAL certification are not requirements for you, then the newest version is normally the preferred option.

System Functional Overview

SafeNet HSM Cryptographic Engine

The SafeNet HSM's integrated SafeNet-Luna Cryptographic Engine is used to perform cryptographic operations and provide secure storage for sensitive cryptographic keys.

The SafeNet-Luna Cryptographic Engine enables the Luna SA functionality by providing:

The SafeNet-Luna Cryptographic Engine can also be used in conjunction with the optional Trusted Path Authentication feature to provide FIPS 140-2 Level 3 validated HSM operation. That option is factory-configured and not subject to change in the field.

HSM Appliance

HSMs, in general, are designed to provide dedicated cryptographic functionality, including key generation, key storage, and digital signing, on a one-to-one basis to their host applications. For example, a database server using an HSM would require one HSM, while a secure website using SSL on the same network would require a second, separate HSM. As the number of secure applications requiring an HSM grows, so does the number of ordinary HSMs deployed.

Luna SA bypasses this limitation by implementing multiple virtual HSMs, or HSM Partitions on a single HSM server. Partitions are accessed via a Network Trust Link ( "Prepare the Client for Network Trust Link" ).

The following block diagram is a conceptual overview of the Luna SA HSM Server depicting internal systems, communications, and interaction with application servers.  


There are 7 major elements to the Luna SA operations. Some of these elements are optional configuration items, and might not be present in your system:

  1. "Clients"
  2. "Prepare the Client for Network Trust Link"   
  3. "About Trusted Path Authentication" (optional)
  4. SafeNet K6 HSM Cryptographic Engine  (described above)
  5. "HSM Partitions"
  6. "Secure Command Line Interface (lunash)"
  7. "Backup & Restore Overview " (optional)

(* The Secure Backup HSM, and Luna PED (Trusted Path Authentication and Access Control) are options that might not be included with your system.)


Historical Note

The product name "Luna" was taken from the name of the Luna moth, to conform with the originating company name "Chrysalis-ITS". The company name was derived from the hidden or secret existence of the moth as it developed within its cocoon, or the chrysalis. This was evocative of the hidden world of cryptography. Other moth names were considered for additional product lines, but the "Luna" brand very quickly achieved marketplace recognition and efforts were aligned under that brand.

After years of growing success with the Luna brand in the crypto markets, Chrysalis-ITS was acquired by SafeNet. Because the brand was well recognized and respected in the HSM marketplace, SafeNet maintained it.

Our SNMP MIB is still called CHRYSALIS.


Get Acquainted and Get Started


From the Table of Contents, choose one of the guides for specific help on:


  • preparing your installed Luna SA to integrate with your network and to function with your Client applications


  • creating and assigning Partitions (virtual HSMs),
  • creating/modifying Users,
  • maintaining the HSM and the network configuration,  
  • Backing up and restoring HSM/partition contents
  • creating and maintaining HA groups and load balancing,
  • logging,
  • Luna HSM concepts
  • etc.


  • special instructions to integrate your Luna SA for optimum use with popular and industry-standard applications


  • command syntax and descriptions,
  • error codes,
  • time zone codes


In no particular order, here are some other familiarization pages that might be of use before you begin configuring your Luna SA:

- "How to Use This Help"

- "What should I do first?"

- "Luna Do and Don't Suggestions"

- "Notes about using Luna shell (lunash)"



What should I do first?

Installing the Luna Software

Windows Install

HP-UX Install

Linux Install

Solaris Install

Solaris on SPARC - Performance Note