The SafeNet Luna Hardware Security Module
Hardware Security Modules (HSMs) are dedicated systems that physically and logically secure cryptographic keys and cryptographic processing. The purpose of an HSM is to protect sensitive data from being stolen by providing a highly secure operation structure. HSMs are fully contained and complete solutions for cryptographic processing, key generation, and key storage. They are purpose-built appliances that automatically include the hardware and firmware (i.e., software) necessary for these functions in an integrated package.
An HSM manages cryptographic keys used to lock and unlock access to digitized information over their life-cycle. This includes generation, distribution, rotation, storage, termination, and archival functions. An HSM also engages in cryptographic processing, which produces the dual benefits of isolation and offloading cryptographic processing from application servers.
HSMs are typically available in two forms:
>Standalone network-attached appliances
>Hardware cards that plug into existing network-attached systems
These correspond to the SafeNet Luna Network HSM and SafeNet Luna PCIe HSM. There are several different SafeNet Luna HSM Models available for both types of HSMs each model is equipped with different performance capabilities to meet your needs.
For a high level overview of the distinctive features of the SafeNet Luna Network HSM and SafeNet Luna PCIe HSM, see Features
The SafeNet Luna Hardware Security Module is a sample architecture, displaying potential connections between your SafeNet Luna HSM(s), server(s), and workstation(s). Some of the elements are optional configuration items, and might not be present in your system.
Figure 1: PCIe HSM Connections
1.The PCIe HSM is a small card that fits in your system's connector slots, and it is accessed directly through the Luna client at your workstation. The client uses LunaCM for the configuration and administration of your PCIe HSM, and uses cryptographic APIs to perform cryptographic operations requested by your applications.
2.Backup HSMs are used exclusively to securely backup sensitive material from SafeNet Luna HSMs, and to restore backed-up material to SafeNet Luna HSMs. The SafeNet Luna Backup HSM can be connected
a. to the client host containing the primary HSM or
b.via Remote Backup Service (RBS) to a separate Backup HSM host, which allows you to further remove your backup to a more remote location.
Figure 2: Network HSM Connections
1.Within your SafeNet appliance lies an HSM. That HSM holds one or more application partitions (independent virtual HSMs) that different users or clients can access.
2.Initial setup of your HSM requires you to connect directly to it via serial cable. Post-setup, you can use SSH to remotely access your HSM. Both of these connections use LunaSH, the command-line interface or shell for appliance and HSM configuration and management.
3.To perform cryptographic operations with your HSM or Partition, you must login remotely through the Luna client at your workstation. The client uses LunaCM for the configuration and administration of your Partition, and uses cryptographic APIs such as PKCS#11, Java, JCPROV, CSP, and KSP to perform significant cryptographic operations.
4.Backup HSMs are used exclusively to securely backup sensitive material from SafeNet Luna HSMs, and to restore backed-up material to SafeNet Luna HSMs. The SafeNet Luna Backup HSM can be connected
a. to the appliance containing the primary HSM or
b. to a client workstation that can access the HSM or
c.via Remote Backup Service (RBS) to a separate Backup HSM host, which allows you to further remove your backup to a more remote location.
SafeNet Luna Network HSM
SafeNet Luna Network HSM stores, protects, and manages sensitive cryptographic keys in a centralized, high-assurance appliance, providing a root of trust for sensitive cryptographic data transactions. Deployed in more public cloud environments than any other HSM, SafeNet Luna Network HSM works seamlessly across your on-premises, private, public, hybrid, and multi-cloud environments. SafeNet Luna Network HSM is the most trusted general purpose HSM on the market, and with market leading performance, true hardware-based security, and the broadest ecosystem available, SafeNet Luna Network HSM is at the forefront of HSM innovation.
Ethernet-attached
An Ethernet-attached HSM, SafeNet Luna Network HSM is designed to protect critical cryptographic keys and accelerate sensitive cryptographic operations across a wide range of security applications. It includes many features that increase security connectivity and ease-of-administration in dedicated and shared security applications.
Integrated Cryptographic Engine
The SafeNet Luna Network HSM can be shared between multiple applications or clients connected to it through a network. In the same way that mail and web servers provide email or web pages to authenticated clients, the SafeNet Luna Network HSM offers powerful key management and high-performance cryptographic processing to clients on the network. To achieve this, the SafeNet Luna Network HSM includes an integrated FIPS 140-2- validated HSM and the Cryptographic Engine, which offers the same high level of security as traditional HSMs. Additionally, the SafeNet Luna Network HSM adds a secure service layer that allows the Cryptographic Engine to be shared between network clients.
Partitions
The SafeNet Luna Network HSM also introduces the concept of HSM partitions, a feature that allows the SafeNet Luna Network HSM’s single physical HSM to be divided into several logical HSM partitions, each with independent data, access controls, and administrative policies. HSM partitions can be thought of as ‘safety deposit boxes’ that reside within the Cryptographic Engine’s ‘vault’. The vault itself offers an extremely high level of security for all the contents inside, while the safety deposit boxes protect their specific contents from people who have access to the vault. HSM partitions allow separate data storage and administration policies to be maintained by multiple applications sharing one HSM without fear of compromise from other partitions residing on it. Each HSM partition has a special access control role who manages it. Depending on the configuration, each SafeNet Luna Network HSM can contain up to 100 partitions.
Dedicated Clients
HSM partitions can be dedicated to a single Client, or multiple Clients that share access to a single HSM partition. Clients are applications, or application servers, that connect to the SafeNet Luna Network HSM. Examples of possible clients are an encrypted database, a secure web server, or a Certificate Authority (CA); all these applications require the storage of sensitive cryptographic data or can benefit from the increased security and cryptographic performance offered by the SafeNet Luna Network HSM. Each Client is assigned to one or more specific HSM partitions. Clients authenticate to the SafeNet Luna Network HSM with a digital certificate and unique HSM partition challenge.
Employ the HSM as a Service
SafeNet Luna Network HSM empowers organizations to take a best practices approach to cryptographic key security by offloading cryptographic processes to a centralized, high-assurance key vault that can be deployed as a service. Only the SafeNet Luna Network HSM is able to provide trusted key owner ship and control, with full multi-tenancy across on-premises, private, public, hybrid, and multi-cloud environments.
SafeNet Luna PCIe HSM
SafeNet Luna PCIe HSM stores, protects, and manages sensitive cryptographic keys in a small form factor PCIe card, providing a root of trust for sensitive cryptographic data transactions. With SafeNet Luna PCIe HSM cryptographic processes are offloaded to a high-performance cryptographic processor. SafeNet Luna PCIe HSM easily embeds in servers and security appliances for an easy-to-integrate and cost-efficient solution for FIPS 140-2 validated key security. SafeNet Luna PCIe HSM benefits from a diverse feature set that enables greater centralized control through secure remote management, transport, and backup.
Single-partition
The SafeNet Luna PCIe HSM is a single-partition HSM card that you can embed in a pre-existing network-attached system. Access to the partition is managed by a special access control role. The SafeNet Luna PCIe HSM offers hardware accelerated ECC algorithms that can be used in the development of solutions for resource constrained environments (devices like smart phones, tablets, etc.), without the need to purchase additional licenses. ECC offers high key strength at a greatly reduced key length compared to RSA keys; higher security with fewer resources.
Cost Effective
Like in the SafeNet Luna Network HSM, the SafeNet Luna PCIe HSM securely stores cryptographic keys in its hardware; sensitive information never leaves the HSM. The SafeNet Luna PCIe HSM provides PKCS#11-compliant cryptographic services for applications running on the server in a secure and tamper-proof hardware package. Leveraging a SafeNet Luna PCIe HSM in your appliance or service represents a cost effective way to bring FIPS 140-2 and Common Criteria validated solutions to market.
SafeNet Luna PCIe HSM empowers organizations to take a best practices approach to cryptographic key security by offloading cryptographic processes to a dedicated small form factor cryptographic processor. SafeNet Luna PCIe HSM is the highest performing embedded HSM on the market.
Comparing the SafeNet Luna Network HSM Appliance and PCIe HSM
| SafeNet Luna Network HSM Appliance | SafeNet Luna PCIe HSM |
|---|---|
|
>Field-upgradable to 100 partitions >Includes hardened OS >High security, stable networking, and environmental protection via built-in chassis >Routine firmware and software updates >Automatic system logging |
>Limited to 1 partition >Compatible with external OS: Windows, Linux >Allows custom and flexible chassis intrusion security >Routine firmware updates >Light and low-cost |
A database server using an HSM would require one HSM, while a secure website using SSL on the same network would require a second, separate HSM. As the number of secure applications requiring an HSM grows, so does the number of ordinary HSMs deployed. The SafeNet Luna Network HSM bypasses this limitation by implementing multiple virtual HSMs, or HSM Partitions on a single HSM server. A PCIe HSM is useful for cases that need limited, but highly secure, data protection. A Network HSM and its appliance are useful for cases that require a more complex security infrastructure, like cloud computing.
SafeNet Luna HSM Models
Both the SafeNet Luna Network HSM and the SafeNet Luna PCIe HSM come in different models with different performance capabilities. Which one you choose to use will depend on your organization's security needs.
NOTE The FIPS levels below indicate the standard to which the product is designed. Always confirm the HSM certification status before deploying an HSM in a regulated environment.
Luna A (Password-authenticated, FIPS Level 3)
Luna A models offer secure storage of your cryptographic information in a controlled and easy-to-manage environment. Luna A models protect your proprietary information by using password authentication. Depending on your needs, Luna A models are available at several performance levels, as follows:
| Model | SafeNet Luna Network HSM | SafeNet Luna PCIe HSM |
|---|---|---|
| Luna A700 |
>Standard performance >2MB memory >Password-based authentication >5 partitions |
>Standard performance >2MB memory >Password-based authentication |
| Luna A750 |
>Enterprise-level performance >16MB memory >Password-based authentication >5 partitions, upgradable to 20 |
>Enterprise-level performance >16MB memory >Password-based authentication |
| Luna A790 |
>Maximum performance >32MB memory >Password-based authentication >10 partitions, upgradable to 100 |
>Maximum performance >32MB memory >Password-based authentication |
Luna S (PED-authenticated, FIPS Level 3)
Luna S models offer secure storage of your cryptographic information in a controlled and highly secure environment. Luna S models protect your proprietary information by using multifactor (PED) authentication. Depending on your needs, Luna S models are available at several performance levels, as follows:
| Model | SafeNet Luna Network HSM | SafeNet Luna PCIe HSM |
|---|---|---|
| Luna S700 |
>Standard performance >2MB memory >Multifactor authentication >5 partitions |
>Standard performance >2MB memory >Multifactor authentication |
| Luna S750 |
>Enterprise-level performance >16MB memory >Multifactor authentication >5 partitions, upgradable to 20 |
>Enterprise-level performance >16MB memory >Multifactor authentication |
| Luna S790 |
>Maximum performance >32MB memory >Multifactor authentication >10 partitions, upgradable to 100 |
>Maximum performance >32MB memory >Multifactor authentication |
