New Features and Enhancements

Scalable Key Storage (SKS) is an optional feature that allows off-board storage of keys and objects in quantities greater than the capacity of an HSM - virtually unlimited storage, for use with your RSS (Remote Signing and Sealing) and other applications that require thousands or millions of keys. An SKS Master Key (SMK, which never leaves the HSM) securely encrypts extracted keys and objects, such that they remain within the HSM's security envelope, and can be reinserted (decrypted inside the HSM) for immediate use by your application.

Preserves key attributes through the life-cycle of a key.

Provides the option of new SKS function, or classic Luna "keys always in hardware" operation, on a partition-by-partition basis.

See Scalable Key Storage (SKS).

Per-Key Authorization (requires firmware 7.7.0)

PKA Allows granular control of key material for applications requiring high assurance by providing authorization on a per-key basis.

See Per-Key Authorization (PKA).

STC Usability and eIDAS Compliant Security is Added (requires firmware 7.7.0)

STC policy is improved, with fewer steps in setup. The use (and configuration) of Admin channel is removed. The partition identity is now a certificate.

See Client-Partition Connections.

NTLS Appliance Certificates Signed by Third Party CA

Luna Network HSM appliance now facilitates the use of communications-securing NTLS certificates from third-party Certification Authorities, while continuing to support use of self-signed certificates where desired.

See Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority.

Luna Backup HSM (G5) and (G7)

Thales has previously introduced Luna Backup HSM (G7) models B700 and B750, and now introduces the new model B790 model, which includes 256 MB of storage and up to 100 backup partitions (model versions/sizes must be decided when purchasing, and are not field-installable upgrades of each other). Local backup is supported with Luna HSM 7.7.0 and later.

Luna Backup HSM (G5) at firmware 6.28.0 is supported with Luna HSM 7.7.0.

See Backup and Restore Using a Luna Backup HSM (G7).

Luna HSM Client 10.2.0

New Luna HSM Client Operating System Support

Luna HSM Client 10.2.0 can be installed on the following new operating systems:

>Windows Server Core 2016/2019

>Red Hat Enterprise Linux 8 (including variants like CentOS 8)

>AIX 7.2

See Supported Luna HSM Client Operating Systems.

Support for New Mechanisms in Luna HSM Firmware 7.4.2

Luna HSM Client 10.2.0 includes support for Luna HSM firmware 7.4.2 mechanisms.

>3GPP Mechanisms for 5G Mobile Networks

>SM2/SM4 Mechanisms

>SHA-3 Mechanisms

Luna HSM Firmware 7.4.2

This release adds support for 3GPP, SM2/SM4, and SHA-3 cryptographic functions to Luna Network HSMs. It consists of:

>Luna HSM firmware 7.4.2

>Luna HSM Client 7.4.0 software patch

3GPP Cryptography for 5G Mobile Networks

The new 3GPP crypto functions support the authentication and re-synchronization of a mobile device to the back-end authentication center (AUC). Milenage, Tuak and Comp128 algorithms are available and are relevant to 2/2.5G, 3G, 4G(LTE) and newer 5G mobile networks. The primary benefit of using the Luna HSM ensures that the subscribers key (Ki) is never exposed in the clear outside the security perimeter of a hardware security device. Optionally the Operators Variant string (OP) may also be encrypted under a storage key only found inside the HSM.

See 3GPP Mechanisms for 5G Mobile Networks.

SM2/SM4 Support

SM2 is comparable to Elliptic Curve (EC) in terms of key structure though the signing algorithm is different. SM2 is required for sign/verify. There is a new key type CKK_SM2. SM4 is comparable to Advanced Encryption Standard (AES-128) in terms of key size though the encryption algorithm is different. SM4 is required for encrypt/decrypt (modes ECB, CBC, CBC-PAD). There is a new key type CKK_SM4.

See SM2/SM4 Mechanisms.

SHA-3 Function Support

This provides a guide to using the SHA-3 crypto functions in the Luna HSM. The SHA-3 implementation conforms to the NIST publication FIPS PUB 202. The SHA-3 hash algorithm has been implemented in the K7 FW. This provides the ability to send message data to the Luna HSM in order to receive the SHA-3 digest of the data. The algorithm is implemented for digest bit lengths of 224, 256, 384 and 512 similar to the SHA-2 family of hash algorithms. Other mechanisms that make use of a digest include support for SHA-3 by either specifying the mechanism type or specifying mechanism parameters.

See SHA-3 Mechanisms.

Luna HSM Client 10.1.0

This release consists of:

>Luna HSM Client 10.1.0

Luna HSM Client 10.1 Supports Both Luna HSMs and DPoD HSM on Demand Services

Luna HSM Client can now be used with HSM on Demand services provided by Thales Data Protection on Demand. This allows you to migrate keys from a password-authenticated Luna HSM partition to an HSMoD service or vice-versa, set up High-Availability (HA) groups that include both password-authenticated Luna partitions and HSMoD services, and operate your local (Luna PCIe), remote (Luna Network), and cloud (HSMoD) HSM solutions on the same client workstation.

HSMoD client compatibility is limited to Windows and Red Hat Enterprise Linux 7-based operating systems in this release.

Refer to the following sections:

>Adding a Luna Cloud HSM Service

>Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM

Luna G7 Backup HSM

Thales is pleased to announce the availability of the Luna G7 Backup HSM – a full-featured, hand-held, USB-attached backup HSM that includes an informational full-color display.

You can use the Luna G7 Backup HSM to backup your Luna HSM 5.x, 6.x, and 7.x user partitions.

The Luna G7 Backup HSM connects easily to a client workstation using the included USB 3.0 Type C cable, and includes a universal 5V external power supply, which may be required to power the device in some instances.

NOTE The smart card slot located at the bottom front of the unit is reserved for future use and has been disabled in this release.

For detailed usage instructions, see Backup and Restore Using a Luna Backup HSM (G7).

Models

The Luna G7 Backup HSM is available in the following models. All models can be initialized in PED or password-authenticated mode for backing up either PED or password authenticated partitions. In-field storage upgrades are not available.

B700	32 MB storage, up to 100 partitions of the same authentication type
B750	128 MB storage, up to 100 partitions of the same authentication type
B790	256 MB storage, up to 100 partitions of the same authentication type

To use the Luna G7 Backup HSM, you must upgrade to Luna HSM Client 10.1, a client-only field update for Linux and Windows. Luna HSM Client 10.1 provides the drivers and software updates you need to use the Luna G7 Backup HSM.

Remote PED Support on Linux

You can now host Remote PED services on a Linux workstation.

See Remote PED Setup.

Client Certificates Signed by a Trusted Certificate Authority

Luna HSM Client 10.1 allows you to use client certificates signed by a trusted Certificate Authority (CA), which can be a commercial third-party CA or your organization's own signing station.

See Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority.

Windows Secure Boot Support

The drivers included with the Luna HSM Client software for Luna PCIe HSMs, Luna Backup HSMs, Luna USB HSMs, and Luna PEDs now support Windows Secure Boot.

Luna Network HSM Release 7.4

This release consists of:

>Luna HSM Client 7.4.0

>Luna Network HSM appliance software 7.4.0

>Luna HSM firmware 7.4.0

Functionality Modules

Luna Network HSM 7.4 introduces Functionality Modules (FMs). FMs consist of your own custom-developed code, loaded and operating within the logical and physical security of a Luna Network HSM as part of the HSM firmware. FMs allow you to customize your Luna Network HSM's functionality to suit the needs of your organization. Custom functionality provided by your own FMs can include:

>new cryptographic algorithms, including Quantum algorithms

>security-sensitive code, isolated from the rest of the HSM environment

>keys and critical parameters managed by the FM, independent from standard PKCS#11 objects, held in tamper-protected persistent storage

To create FMs, you will need the Functionality Module Software Development Kit (SDK), which is included with the Luna HSM Client software. Applications that use FM functions are supported on Windows and Linux.

CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset. Refer to FM Deployment Constraints for details before enabling.

See About the FM SDK Programming Guide and Functionality Modules for details and procedures.

View Utilization Metrics by Partition

Release 7.4 allows you to view utilization metrics for an individual partition or a specified list of partitions.

See Partition Utilization Metrics for details.

Ed25519ph Curve

Luna Network HSM firmware version 7.4.0 includes support for the ed25519ph curve variant.

See CKM_EDDSA for details.

Luna Network HSM Release 7.3

This release consists of:

>Luna HSM Client 7.3.0

>Luna Network HSM appliance software 7.3.0

>Luna HSM firmware 7.3.0

Appliance Re-Image

Luna Network HSM 7.3 allows you to re-image the appliance to a pre-installed baseline version. This procedure formats the Luna Network HSM file system, zeroizes the HSM, erases the appliance configuration, and resets the appliance software to Luna 7.2 and the HSM firmware to version 7.0.3. This capability is useful if you are re-purposing an HSM for a project that has standardized on an earlier software/firmware configuration, or if you need to format the appliance completely and remove all trace of its prior configuration (requires firmware 7.3.0).

See Re-Imaging the Appliance to Factory Baseline.

Partition Utilization Metrics

Luna Network HSM 7.3 allows the HSM SO to access utilization records for all partitions on the HSM. This information is restricted to operation counts, and shows which partitions are using the HSM's resources. Information about which keys are being used for which operation is still restricted to the Auditor (requires firmware 7.3.0).

See Partition Utilization Metrics.

BIP32 Algorithm

Luna Network HSM 7.3 includes new mechanisms that use the BIP32 cryptographic algorithm. This allows Luna Network HSM to support applications that use Hierarchical Deterministic Wallets, used in Bitcoin and blockchain transactions (requires firmware 7.3.0).

JavaSP support for ECC Curve 25519

The Luna Java Provider now includes support for mechanisms using ECC Curve 25519.

Luna Network HSM Release 7.2

This release consists of:

>Luna HSM Client 7.2.0

>Luna Network HSM appliance software 7.2.0

>Luna HSM firmware 7.2.0

10 Gbps Optical NIC Luna Network HSM Support

Thales is pleased to announce the availability of the 10 Gbps optical NIC Luna Network HSM. This product variant provides two 10G optical network interfaces and two 1G copper network interfaces, as opposed to the standard 1G model which provides four 1G copper network interfaces.

The 10G Luna Network HSM provides two 10G SFP optical Ethernet network interfaces (labeled 0 and 1), and two 1G copper RJ45 network interfaces (labeled 2 and 3), as illustrated below. You can optionally bond eth0 and eth1 to bond0, or eth2 and eth3 to bond1, to provide a redundant active/standby virtual interface.

Improved Luna HSM Client

Release 7.2 adds improvements to the Luna HSM Client software:

>Enhanced Version Compatibility for Luna HSM Client — Version 7.2 and newer Luna HSM Client can be used with HSMs running Luna 6.2.1 or higher, or any Luna 7 version, without conflict. Luna HSM Client 7.2 and newer versions can coexist in large deployments. You can schedule client roll-outs at your convenience, without need to match versions across your organization. Future HSM features that do not have client-version dependencies will function without issue.

>Mixed-Version HA Groups — HA groups containing both Luna Network HSM 6 and 7 partitions are now supported using Luna HSM Client 7.2 or newer. This mixed-version configuration is useful for migrating keys to a new Luna Network HSM 7, or to gradually upgrade your production environment from Luna 6 to Luna 7.

>Improved Client Installer with User-Defined Install Paths (Windows) — Luna HSM Client can be installed at user-selected locations (file paths with sufficient space), and installed Client software can be modified without uninstalling and reinstalling.

>User-Defined Client Install Paths (Linux) — Linux root-level users can install the Luna HSM Client software to an installation directory of their choice.

>Minimal Client (Linux) — The Luna Minimal Client for Linux provides only the files needed to use an application with a partition on a Luna Network HSM for deployment in Docker containers and similar microservice environments. The Luna Minimal Client can be installed on a workstation without root access.

Configurable Cipher Suites

You can now configure the TLS cipher suites used by NTLS, STC, and PEDserver on the Luna Network HSM. This new capability allows administrators to select and configure cipher strength to meet their internal security objectives and compliance requirements.

The cipher suites are configured using the new sysconf tls cipher LunaSH commands. The available set of ciphers is displayed in default order. Users can choose which ciphers from the set to use, as well as the order of preference for TLS cipher-suite negotiation. The modified cipher list and order can also be exported as a template; the template can then be used to configure TLS cipher suites on multiple HSMs.

Customizable System Logging

You can now customize local and remote system logging according to message severity. There is no limit on the number of remote logging servers you can add, and you can configure the severity level for each server and log type independently. For example, you could send all log entries produced by the appliance to one remote server, and only entries marked critical or higher to another. Storing only the most severe (infrequent) entries locally on the appliance can prevent the syslog directory from filling up over time.

Rename/Relabel Partitions

The HSM SO can now change the name assigned to a partition on creation. This does not affect the label set by the Partition SO during initialization and is only visible in LunaSH. This allows partitions to be created ahead of time and renamed to something more suitable later, when they are allocated for a particular purpose (Requires firmware 7.2.0).

The Partition SO can now change the label of an initialized partition (Requires firmware 7.2.0).

Initialize the Orange RPV Key Remotely

You can now initialize the Remote PED Vector (orange key) using a Luna PED connected to a remote workstation running PEDserver. A one-time numeric password is used to authenticate the Remote PED to the HSM before initializing the RPV. This optional method is useful if the HSM SO only has remote SSH access to the appliance. The HSM must be in a zeroized state (uninitialized), for security. Your firewall settings must allow an HSM-initiated Remote PED connection (Requires firmware 7.2.0).

Crypto User Can Clone Public Objects

The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication (Requires firmware 7.2.0).

Auto-Enabled HA Logging

Luna HSM Client now automatically enables HA logging, either when you create the first HA group, or when you update the Luna HSM Client to 7.2.0 and it detects a previously-configured HA group. If you manually turn HA logging off, logging is not auto-enabled for new HA groups.

SCP03 Encoding

The SCP03 encoding scheme, as defined in NIST SP 800-108, is now supported for Global Platform.

REST API 6.0

REST API 6.0 is included with the Luna Network HSM 7.2 release. Customers who update their appliance software to version 7.2.0 will automatically receive the REST API 6.0 update. REST API 6.0 contains the following new features:

>Appliance Upgrade Management — Manage Thales Licensing Portal partition upgrade packs using REST API.

>Package and Firmware Update Management — Update, verify, list, and delete secure packages with REST API, including firmware updates.

>Multi-Part Upload Requests — Upgrade your HSMs via a single REST API call, improving performance and efficiency.

>Configurable REST API Users and Roles — Manage REST API users and roles (add, remove, modify, show, list) using REST API.

>Configurable REST API Access Control List -- Modify role access using REST API, by importing and exporting lists of available resources.

Luna Network HSM Release 7.1

This release consists of:

>Luna HSM Client 7.1.0

>Luna Network HSM appliance software 7.1.0

>Luna HSM firmware 7.1.0

Policy Templates

The HSM or Partition SO can save a copy of their organization's preferred HSM or partition policy settings to a template. They can then use this template to configure policy settings when initializing other HSMs or partitions.

This can save time and effort when deploying multiple HSMs or partitions. It also ensures consistency across your HSMs and partitions, which helps to simplify future audit and compliance requirements.

See Setting HSM Policies Using a Template and Setting Partition Policies Using a Template.

Configurable Policies for Export of Private Keys

The Partition SO can use partition policies to control whether or not the private keys in a given partition can be exported off the HSM. The ability to export private keys is particularly useful in use cases such as smart card & identity issuance, secure manufacturing, etc.

This gives organizations the ability to support a wider variety of use cases with their HSM, and also provides Partition SOs with more flexibility overall.

See Configuring the Partition for Cloning or Export of Private Keys.

Curve 25519 Available in FIPS Mode

Curve 25519 is now available for use in FIPS mode.

REST API 5.0

REST API 5.0 is included with the Luna HSM 7.1 release. Customers who upgrade their appliance to 7.1 will automatically receive the REST API 5.0 update as part of the upgrade.

REST API provides a set of web services which customers can use to communicate with and provision the HSM.

See REST API Reference.

Luna Network HSM Release 7.0

This release consists of:

>New Luna Network HSM appliance

>Luna HSM Client 7.0.0

>Luna Network HSM appliance software 7.0.0

>Luna HSM firmware 7.0.1

New Luna Network HSM Appliance

The Luna Network HSM 7 has a new chassis and offers enhanced installation, maintenance, security, and usability features, including the following:

>Optional sliding mounting rails provide simplified installation and improved access for performing maintenance tasks and accessing the network ports.

>A locking faceplate bezel restricts access to the front of the appliance for enhanced security.

>A new LCD display provides a quick view of the appliance network configuration and overall health.

>Four 1GB Ethernet interface ports with port bonding (eth0 and eth1 to bond0 and/or eth2 and eth3 to bond1), for redundancy and enhanced reliability.

See Appliance Hardware Functions.

Partition Security Officer

All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM, providing a highly secure multi-tenant solution.

See Partition Roles.

Best-in-Class Performance

Luna Network HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x Luna HSMs.

Industry-Leading Security

Luna Network HSM 7 provides enhanced environmental failure protection and tamper resistance.

Improved Random Number Generation

The performance of Luna Network HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:

>SP800-90B

>SP800-90C

>BSI DRG.4

New Cryptographic Mechanism Support

Luna Network HSM 7 adds support for the following cryptographic algorithms:

>SP800-108 HMAC (RSA & ECC)

>SP800-38F (KWP)

>Curve 25519

>AES-XTS - disk encryption standard

Increased Key Storage Capacity

Luna Network HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).

Secure Transport Mode Redesigned

Secure Transport Mode (STM) in Luna Network HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents, and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the unique strings are redisplayed. If the strings match, the HSM has not been tampered or modified during transport.

See Secure Transport Mode.

REST API

The Luna Network HSM REST API web application allows you to use a set of scriptable REST APIs to perform some LunaSH functions.

See REST API Reference.

IPv6

The Luna Network HSM7.7.0 now supports IPv6, using static addressing, SLAAC, or DHCP.

See IPv6 Support and Limitations.

Improved Serial Access

Serial access to the Luna Network HSM is via an RJ45 serial port. A custom Prolific Technologies USB to RJ45 cable with a standard 8P8C modular connector is included. The cable requires the PL2303 driver, which you can download from http://www.prolific.com.tw.

See Opening a Serial Connection.

Enable Decommission on Tamper

A new capability, Enable Decommission on Tamper, allows you to set HSM policy 40 to decommission the HSM in the event of a tamper.

See HSM Capabilities and Policies.

Controlled Tamper Recovery

If Policy 48: Do Controlled Tamper Recovery is enabled (the default), the HSM SO must clear the tamper condition before the HSM is reset, to return the HSM to normal operation.

See Tamper Events.