
Luna HSM Products - Overview

SafeNet Luna HSMs are hardware security modules designed to protect critical cryptographic keys and to accelerate sensitive cryptographic operations across a wide range of security applications. All Luna HSMs enable separation of roles by distinguishing between the HSM Security officer space (an administrative function) and the HSM Partition or User space, where client keys and objects are secured, and where client-invoked cryptographic operations take place. Luna HSMs fall into three categories:

Luna PCI-E is a card-type HSM that installs into the PCIe slot(s) of a host computer. Multiple Luna PCI-E HSMs can coexist in one host system. Each Luna PCI-E HSM supports one HSM partition. See "About Luna PCI-E".   

Luna G5 is a desktop HSM unit that connects locally to a host computer via USB interface. Multiple Luna G5 HSMs can be linked via USB connection. Each Luna G5 HSM supports one HSM partition. See "About Luna G5".   

Luna SA is a self-contained, network-attached HSM appliance containing an HSM card similar to Luna PCI-E. It normally resides in an equipment rack in a server room (often of the "lights off", unattended variety) and is accessed remotely via secure administrative and client links. Each Luna SA HSM supports multiple HSM partitions, the number governed by purchased licenses. See "About Luna SA".

HSM Basics

An HSM is a Hardware Security Module. It has storage, cryptographic, and access-control functions that allow cryptographic operations to be performed and segregated within a secure physical hardware boundary, while offloading such functions from the general-purpose pathways of the host or client. Here are basic elements common to Luna HSMs:

Volatile and Non-Volatile Data Storage

Luna HSMs can contain both volatile and non-volatile data.

Non-volatile data includes identification parameters and data objects (such as keys and certificates) that you wish to store for long-term re-use. Those objects persist on the HSM until you explicitly destroy or overwrite them.   

Volatile data is any data that should not persist when it is not in use. Volatile (or session) data disappears when the HSM loses power, or when a session closes.   

Keys and objects are stored under multiple layers of encryption, and are decrypted within the physical bounds of the HSM, only into volatile/session storage, and only while being used.

Initialization

Luna HSMs must be initialized before you can use them for the first time, and again after any event that zeroizes the HSM (for example, too many consecutive failed login attempts on the Security Officer (SO) account).

Initialization establishes several HSM parameters, including identification and authentication of HSM Security Officer (SO) and HSM Partition User who then have access to create and use HSM/Partition objects (keys, certificates, encrypted data, etc.).

Many applications from PKI and other cryptographic product vendors do not include the capability to initialize a Luna HSM, so SafeNet supplies the Lunacm utility program on all supported platforms, to perform that function and other maintenance functions.

Once a Luna HSM is initialized, no one can access it unless they provide the passwords or keys that unlock that specific HSM or Partition.   

You can re-initialize a Luna HSM at any time (as SO). Re-initialization destroys all data on the token.   

Authentication methods

Luna HSMs are factory configured to be either:

Password authenticated - uses typed text strings to access the HSM and authenticate to all roles on the HSM; advantage, greater convenience.

PED authenticated - uses physical tokens, called PED Keys, mediated by a PIN Entry Device (PED), to access the HSM and authenticate to all roles on the HSM; advantage, greater security.

An HSM in the field cannot be changed from Password-authenticated to PED-authenticated, or from PED-authenticated to Password-authenticated. The only exception is the Luna Backup HSM, which configures itself at the time of a backup operation to match the authentication scheme of the HSM being backed up; the Backup HSM performs Backup and Restore only, and has no ability to perform cryptographic operations.
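The storage, initialization and authentication rules described in the sections above, as an added illustration that is not part of the original page or of SafeNet's software: a small Python model of an HSM's access control with separate SO and Partition User roles, token (non-volatile) versus session (volatile) objects, re-initialization that destroys all objects, and zeroization after repeated failed SO logins. The failure threshold `MAX_SO_FAILURES`, the `token` attribute name and the credential-hashing scheme are assumptions of the model; the real product's threshold is not stated on this page.

```python
"""Model of the Luna HSM access-control semantics described above.
Added illustration, not SafeNet code. MAX_SO_FAILURES is an assumed value."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_SO_FAILURES = 3  # assumption: the page does not state the product's limit


class HsmError(Exception):
    pass


@dataclass
class StoredObject:
    label: str
    value: bytes
    token: bool  # True: persists until destroyed; False: dies with the session


class HsmModel:
    def __init__(self):
        self.initialized = False
        self._creds = {}          # role -> (salt, derived credential)
        self._so_failures = 0
        self._token_objects = {}  # label -> StoredObject (non-volatile store)
        self._sessions = {}       # handle -> {"role": str, "objects": dict}
        self._next_handle = 1

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        # Never keep the password itself; compare derived values only.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def initialize(self, so_password: str, user_password: str) -> None:
        """(Re-)initialization sets SO and User credentials and destroys all objects."""
        self._creds = {}
        for role, pw in (("SO", so_password), ("USER", user_password)):
            salt = secrets.token_bytes(16)
            self._creds[role] = (salt, self._derive(pw, salt))
        self._so_failures = 0
        self._token_objects.clear()
        self._sessions.clear()
        self.initialized = True

    def zeroize(self) -> None:
        """Wipe credentials and objects; the HSM must be initialized again before use."""
        self._creds = {}
        self._token_objects.clear()
        self._sessions.clear()
        self.initialized = False

    def open_session(self, role: str, password: str) -> int:
        if not self.initialized:
            raise HsmError("HSM is not initialized")
        if role not in self._creds:
            raise HsmError("unknown role")
        salt, expected = self._creds[role]
        if not hmac.compare_digest(self._derive(password, salt), expected):
            if role == "SO":
                self._so_failures += 1
                if self._so_failures >= MAX_SO_FAILURES:
                    self.zeroize()
                    raise HsmError("too many failed SO logins: HSM zeroized")
            raise HsmError("authentication failed")
        if role == "SO":
            self._so_failures = 0
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._sessions[handle] = {"role": role, "objects": {}}
        return handle

    def _session(self, handle: int) -> dict:
        if handle not in self._sessions:
            raise HsmError("invalid session handle")
        return self._sessions[handle]

    def create_object(self, handle: int, label: str, value: bytes, token: bool) -> None:
        session = self._session(handle)
        if session["role"] != "USER":
            raise HsmError("only the Partition User creates and uses partition objects")
        store = self._token_objects if token else session["objects"]
        store[label] = StoredObject(label, value, token)

    def list_objects(self, handle: int) -> list:
        session = self._session(handle)
        if session["role"] != "USER":  # SO is administrative, not a key user
            raise HsmError("SO cannot access partition objects")
        return sorted(list(self._token_objects) + list(session["objects"]))

    def close_session(self, handle: int) -> None:
        # Session objects vanish with the session; token objects remain.
        self._sessions.pop(handle, None)


def demo() -> dict:
    """Walk the lifecycle and return what each step observed."""
    hsm = HsmModel()
    hsm.initialize("so-pass", "user-pass")
    s = hsm.open_session("USER", "user-pass")
    hsm.create_object(s, "signing-key", b"\x01" * 32, token=True)
    hsm.create_object(s, "tmp-key", b"\x02" * 32, token=False)
    during = hsm.list_objects(s)
    hsm.close_session(s)
    s2 = hsm.open_session("USER", "user-pass")
    after = hsm.list_objects(s2)          # only the token object survives
    hsm.close_session(s2)
    so = hsm.open_session("SO", "so-pass")
    try:
        hsm.list_objects(so)
        so_can_read = True
    except HsmError:
        so_can_read = False
    hsm.close_session(so)
    for _ in range(MAX_SO_FAILURES):      # repeated SO failures zeroize the HSM
        try:
            hsm.open_session("SO", "wrong")
        except HsmError:
            pass
    zeroized = not hsm.initialized
    hsm.initialize("so-pass-2", "user-pass-2")   # re-init: all objects gone
    s3 = hsm.open_session("USER", "user-pass-2")
    after_reinit = hsm.list_objects(s3)
    return {"during": during, "after": after, "so_can_read": so_can_read,
            "zeroized": zeroized, "after_reinit": after_reinit}
```

Running `demo()` shows the two storage classes diverging at session close, the SO session being refused access to partition objects, and the HSM dropping back to the uninitialized state after the assumed number of failed SO logins; re-initializing it then yields an empty partition, matching the statement that re-initialization destroys all data.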

Historical Note

The product name "Luna" was taken from the name of the Luna moth, to conform with the originating company name "Chrysalis-ITS". The company name was derived from the hidden or secret existence of the moth as it developed within its cocoon, or the chrysalis. This was evocative of the hidden world of cryptography. Other moth names were considered for additional product lines, but the "Luna" brand very quickly achieved marketplace recognition and efforts were aligned under that brand.

After years of growing success with the Luna brand in the crypto markets, Chrysalis-ITS was acquired by SafeNet. Because the brand was well recognized and respected in the HSM marketplace, SafeNet maintained it.

Our SNMP MIB is still called CHRYSALIS.