Version Dependencies by Feature

Some of the Luna Network HSM 7 functionality described in the documentation has been introduced in updates since the initial product release. For your own reasons, you might wish to apply some aspects of a product update and not others. For example:

>you could choose to update appliance or client software while keeping an earlier, FIPS-certified firmware version

>if you are maintaining a large number of client workstations, it might be cumbersome to apply software updates to all of them

The following table outlines the Luna Network HSM 7 functions that depend on a certain software/firmware version, or have other requirements you must consider.

Each entry below lists: Function | Minimum Version Requirements | Notes

Low-latency HA status

Client: 10.7.0

Query the HA virtual slot to quickly get the status.

Change password for all HA members

Client: 10.7.0

A single lunacm command (invoked on the HA virtual partition slot) changes the CO password for all partitions in that HA group.

Mechanisms/operations blocked

Firmware: 7.8.4

Beginning with Luna HSM Firmware 7.8.4, to align with FIPS 140-3 requirements, any forward operations using 3DES are no longer allowed in approved mode, even if a block/usage counter is in place (forward operation = encrypt, sign, wrap).

ED448 and Curve448 support

Firmware: 7.8.4

Beginning with Luna HSM Firmware 7.8.4, support for Edwards curve 448 and Curve448 is added.

Package list output revised

Appliance: 7.8.4

The package list output is filtered for compactness and relevance.

Enhanced access control of Clients, using extended DN attribute validation

Appliance: 7.8.4

Previously, validation of a client certificate was against the common name (CN) only. Using Luna Appliance Software 7.8.4 and newer, validation matches multiple fields of the distinguished name (DN).
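The following Python is an added illustration, not Thales code and not the appliance's actual matching logic (the page does not describe which DN attributes are compared or how). It contrasts a CN-only check with a multi-attribute DN check over constructed DN strings; the attribute set (CN, OU, O, C) and the tiny RFC 4514-style parser are assumptions made for the example. It shows why CN-only matching is weaker: a certificate that merely reuses the registered common name passes the CN-only check but fails the extended one.

```python
from typing import Dict, Iterable

# Constructed sample DNs (not from any real deployment).
REGISTERED_DN = "CN=app-client-01,OU=Payments,O=Example Corp,C=US"
LEGIT_DN = "CN=app-client-01,OU=Payments,O=Example Corp,C=US"
# Same CN, but issued to a different organisation: CN-only validation cannot tell them apart.
LOOKALIKE_DN = "CN=app-client-01,OU=Lab,O=Other Inc,C=CA"

# Assumed attribute set for the extended comparison.
DEFAULT_ATTRS = ("CN", "OU", "O", "C")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a simple 'TYPE=value,TYPE=value' DN string into a dict.

    Illustrative only: attribute types are normalised to upper case and
    values are kept verbatim; escaped commas and multi-valued RDNs are
    not handled.
    """
    fields: Dict[str, str] = {}
    for rdn in dn.split(","):
        if not rdn.strip():
            continue
        attr_type, _, value = rdn.partition("=")
        fields[attr_type.strip().upper()] = value.strip()
    return fields


def cn_only_match(presented_dn: str, registered_dn: str) -> bool:
    """Legacy-style check: only the common name has to agree."""
    presented = parse_dn(presented_dn).get("CN")
    registered = parse_dn(registered_dn).get("CN")
    return presented is not None and presented == registered


def extended_dn_match(presented_dn: str, registered_dn: str,
                      attrs: Iterable[str] = DEFAULT_ATTRS) -> bool:
    """Extended check: every attribute in `attrs` must agree exactly.

    An attribute missing from either DN counts as a mismatch, so a
    presented DN cannot pass simply by omitting fields.
    """
    presented = parse_dn(presented_dn)
    registered = parse_dn(registered_dn)
    for attr in attrs:
        if attr not in presented or attr not in registered:
            return False
        if presented[attr] != registered[attr]:
            return False
    return True


def evaluate(presented_dn: str, registered_dn: str) -> Dict[str, bool]:
    """Run both checks so the difference is visible side by side."""
    return {
        "cn_only": cn_only_match(presented_dn, registered_dn),
        "extended": extended_dn_match(presented_dn, registered_dn),
    }


if __name__ == "__main__":
    for label, dn in (("legit", LEGIT_DN), ("lookalike", LOOKALIKE_DN)):
        print(label, evaluate(dn, REGISTERED_DN))
```

Run the file directly to see that the lookalike DN is accepted by the CN-only check and rejected by the extended check.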

Configurable key size and type support for NTLS and SSH

Appliance: 7.8.4

Client: 10.7.0

You can specify the key size for RSA keys, select other key types, and specify the curve for key types that use one.

Cryptographic traffic control

Appliance: 7.8.3

Measure bandwidth usage per client, and manage "noisy neighbors". See Crypto Traffic Controller for QoS.

CA-signed Client Certificates Can be Registered without being Copied to Luna Network HSM

Appliance: 7.8.3

Specify a -nocert option to register a client for NTLS without immediate need for a CA-signed certificate from the client.

Configurable SSH ciphers

Appliance: 7.8.3

Customize Luna Network HSM 7 SSH ciphers used by the appliance.

Configurable TLS ciphers

Appliance: 7.8.3

Client: 10.6.0

Customize Luna Network HSM 7 TLS ciphers used by the appliance.

Certificate rotation in HA Mode

Client: 10.6.0

A new certificate is used immediately upon recovery of an HA member, rather than using a cached copy of the outgoing cert, as in previous releases. There is no need to launch a new client instance to invoke a new certificate.

Key translation function for 5G

Firmware: 7.8.2

Allows subscriber authentication keys to be securely imported into a 5G authentication platform (UDM).

See Luna Key Translation.

Choose whether a password change logs out all sessions

Firmware: 7.8.2

Client: 10.5.1

You can now choose whether open sessions are allowed to continue under the previous authentication until explicitly closed (such as during routine password rollover), or are immediately logged out when role changepw or role resetpw is run.

HMAC accepts zero-byte input

Firmware: 7.8.2

All cryptographic mechanisms with "HMAC" in the name now accept zero-byte input.

Session memory management optimization

Firmware: 7.8.2

Lets you perform the appropriate administration tasks, maintain the availability of your platform, and prevent a crash when applications are lax in releasing session resources.

New Configuration File Entry Used to Refresh Partition Label Cache

Client: 10.5.1

Refresh application partition and keyring labels without requiring an application restart.

Support for AIX and RHEL 9

Client: 10.5.1

See Supported Operating Systems.

Cluster and Keyring enhancements

Client: 10.5.1

Improvements to the Cluster/Keyring evaluation Technical Preview.

Partition Configuration Management in Luna Shell (lunash)

>partition

Appliance: 7.8.1

Firmware: 7.8.1

New commands added. See partition for the full list of partition commands in LunaSH.

Time management by HSM SO

>hsm time

Appliance: 7.8.1

Firmware: 7.8.1

New commands added. See hsm time for the full list of HSM time commands in LunaSH.

Clusters and Keyrings (technical preview)

Appliance: 7.8.1

Firmware: 7.8.1

Appliance-mediated redundancy and high availability (contrast with client-mediated HA already in use), and a more granular alternative to the partition model for handling keys. Requires installing a secure package, and is made available for early evaluation only, at this time.

Configurable mutex folder on Linux

Client: 10.5.0

Can set a custom location for temporary files. See Configuration File Summary.

Universal Cloning

Firmware: 7.8.1

Client: 10.5.0

Includes:

>Updated encryption

>Enhanced cipher suite options

>Multiple domains per partition

>Session Key lifetime management

See Universal Cloning.

NOTE: Firmware 7.8.0 was replaced by firmware 7.8.1 so as to have the most robust candidate possible under FIPS evaluation. Any features that were originally attributed to 7.8.0 are listed in this table as belonging to firmware 7.8.1, and 7.8.0 is withdrawn.

ECIES Hardware Acceleration using Curve25519

Firmware: 7.7.2

Adds enhanced performance for ECIES using Curve25519.

ECIES AES-CTR ICB Derivation

Firmware: 7.7.2

Supports processing of Subscription Concealed Identifier (SUCI) de-concealment requests. See CKM_ECIES.

Key Wrapping/Unwrapping with AES GCM

Firmware: 7.7.2

Supports wrap/unwrap operations using the CKM_AES_GCM mechanism.

Validate Integrity of Functionality Modules

Firmware: 7.7.2

Assist the verification of FMs in compliance with industry and national standards. See FMSW_GetImage API to validate an FM.

Clone Objects From Multifactor Quorum-Authenticated Luna HSMs to Luna Cloud HSM

Client: 10.4.1

You can now use Luna Cloud HSM services to back up any Luna 7 HSM securely in the cloud.

CMU allows Crypto User Login

Client: 10.4.0

Refer to cmu.

Updates and Enhancements to High Availability Functionality

Client: 10.4.0

>SimMultisign in JCPROV (requires minimum Luna HSM Firmware 7.7.0)

>ECIES structure CK_ECIES_PARAMS_EXT in JCPROV (requires minimum Luna HSM Firmware 7.7.0)

>New HA Login API in JCPROV (requires minimum Luna HSM Firmware 7.7.0). Includes a new sample, HALogin_v2.java.

>SHA-3 in JCPROV/JSP (requires minimum Luna HSM Firmware 7.4.2)

>BIP32 Sample Java Application Extended to Demonstrate BIP44 Key Derivation (requires minimum Luna HSM Firmware 7.3.0)

Refer to Luna HSM Client 10.4.0 for more information.

Updates and Enhancements to Java Provider

Client: 10.4.0

>OUID Methods GetObjectUID and GetObjectHandle Usable With HA Groups

>CK_MILENAGE_SIGN_PARAMS can now be used in HA Groups (requires minimum Luna HSM Firmware 7.4.2)

Refer to High-Availability Groups.

Set CKA_EXTRACTABLE Using Luna KSP

Client: 10.4.0

Now possible to set CKA_EXTRACTABLE when creating private keys using Luna KSP.

Network HSM Admin can initialize partitions via Luna Shell

>partition init

Appliance: 7.7.1

Luna Shell (lunash) on the Network HSM appliance now includes partition init and partition initco commands to initialize a new partition.

Allowlisting of permitted IP addresses for control of SSH access to the Network HSM appliance

>sysconf ssh client

Appliance: 7.7.1

Optionally configure and manage SSH access control at the HSM appliance, by creating an allowlist of IP addresses that are permitted to connect to a given HSM appliance userid via SSH.

REST API supports use of third-party certificates

>see REST API 10.0.0 Reference in REST API References

Appliance: 7.7.1

REST API 10 for Luna Network HSM now allows you to use client certificates signed by a trusted Certificate Authority (CA).

REST API provides additional capabilities previously available only in Luna Shell

>see REST API 10.0.0 Reference in REST API References

Appliance: 7.7.1

REST API 10 for Luna Network HSM adds equivalents for lunash token backup commands, sysconf config commands, and any status commands and ntls commands not previously migrated.

REST API enables CSR generation

>see REST API 10.0.0 Reference in REST API References

Appliance: 7.7.1

REST API 10 for Luna Network HSM now supports generating a certificate signing request (CSR).

SSH inactivity timeout

Appliance: 7.7.1

SSH sessions now time out after 30 minutes of inactivity.

SHA1 ciphers are disabled for SSH

Appliance: 7.7.1

For security, the appliance does not allow SHA1 ciphers when negotiating a connection.

Mandatory password while creating a user

>user

Appliance: 7.7.1

The command prompts for a password, and proceeds when one is provided.

V0 and V1 partitions

>Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions

Client: 10.3.0

Appliance: 7.7

Firmware: 7.7.0

This new cloning protocol is a necessary underpinning for some of the features that ensure eIDAS compatibility. It affects backup and restore operations, High Availability, and Scalable Key Storage. Migration from earlier cloning-version HSMs is one-way: V0/V1 HSMs/partitions can accept and decrypt older objects, but can encrypt and export only V0/V1 objects.

Scalable Key Storage

>Scalable Key Storage

Client: 10.3.0

Appliance: 7.7

Firmware: 7.7.0

SKS allows off-boarding of objects and keys as encrypted blobs, for handling of much greater numbers of objects than can be contained within the HSM. With firmware 7.7.0, backup and restore and HA are implemented using SKS blobs, while the latest cloning protocol is used for replicating or archiving the SKS Master Key (that encrypts and decrypts the blobs).
Migration from the earlier version of SKS in firmware 6.x is supported, but the reverse direction is not.

Per-Key Authorization (PKA)

>Per-Key Authorization

Client: 10.3.0

Appliance: 7.7

Firmware: 7.7.0

PKA meets a requirement of PP 419-221.5, and allows each key in a partition to have its own authorization and rules governing its use, including integration with a SAM, and sole control of keys. The resulting overhead increases the size of partition headers, affecting the size and number of objects that can be stored, which introduces new considerations for backup and restore.

Existing applications (with no PKA awareness) can still work if the new Client Cryptoki library is installed. Existing partitions become "backward compatible" when the HSM is upgraded to firmware 7.7.0. New partitions can be backward compatible or PP 419-221.5-compatible by setting an option at creation time.

Luna G7 Backup HSM Firmware 7.7.1

>Updating the Luna Backup HSM 7 Firmware

>Rolling Back the Luna Backup HSM 7 Firmware

Client: 10.3.0

Appliance: 7.7.0

The Luna G7 Backup HSM requires minimum firmware 7.7.1 to back up and restore Luna 7.7.x partitions, or to migrate keys from Luna HSMs using older firmware. You require, at minimum, Luna HSM Client 10.3.0 or Luna Network HSM 7 appliance software 7.7.0 to upgrade the Luna G7 Backup HSM firmware. The Backup HSM firmware is included with the appliance software secure package, or it can be downloaded as a separate file from the Thales Customer Support Portal.

Appliance-Connected Luna G7 Backup HSM

>Backup/Restore Using Appliance-Connected Luna Backup HSM 7 v1

Appliance: 7.7.0

The Luna G7 Backup HSM can now be connected to one of the USB ports on the Luna Network HSM 7 appliance and operated using LunaSH.

Updated Secure Trusted Channel

>Creating an STC Connection

>Converting Initialized NTLS Partitions to STC

Client: 10.3.0

Appliance: 7.7.0

Firmware: 7.7.0

Secure Trusted Channel (STC) connections have been updated for the Luna 7.7.0 release. Refer to Migrating STC Connections to Luna HSM Firmware 7.7.0 or Newer for important instructions on updating your existing STC partitions.

Client and Appliance Certificates can be Signed by a Trusted Certificate Authority

>Creating an NTLS Connection Using Certificates Signed by a Trusted Certificate Authority

Client: 10.1.0

Appliance: 7.7

Prior to the release of appliance software version 7.7.0, only the client-side certificate could be signed by a third-party CA, using Luna HSM Client 10.1.0 or newer. See Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority for that procedure.

Support for Multiple Trap Targets

>Configuring and Enabling Traps on Luna Network HSM 7

Appliance: 7.7.0


Support for 3GPP, SM2/SM4, and SHA-3 Cryptographic Algorithms

>3GPP Mechanisms for 5G Mobile Networks

>SM2/SM4 Mechanisms

>SHA-3 Mechanisms

Firmware: 7.4.2

Client: 10.2 (or patched 7.4)

Refer also to Firmware 7.4.2 Mechanisms for descriptions of the applicable mechanisms. Refer to the Luna HSM Firmware 7.4.2 Technical Note for installation instructions.

DPoD Luna Cloud HSM Support

>Adding a Luna Cloud HSM Service

Client: 10.1

Refer to Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum for more information on using a Luna Cloud HSM service with Luna HSMs.

Remote PED Server Support on Linux Clients

>About Remote PED

Client: 10.1

Client NTLS Certificates can be Signed by a Trusted Certificate Authority

>Creating an NTLS Connection Using a Self-Signed Appliance Certificate and a Client Certificate Signed by a Trusted Certificate Authority

Client: 10.1

Luna Backup HSM 7 Support

>Backup/Restore Using Client-Connected Luna Backup HSM 7 v1

Client: 10.1

Functionality Modules

>Functionality Modules

>About the FM SDK Programming Guide

Hardware: FM-Ready

Firmware: 7.4.0

Appliance: 7.4

Client: 7.4

Refer to Preparing the Luna Network HSM 7 to Use FMs for an overview of hardware/software/firmware requirements.

Manage Allowed Origin Domains for REST API

>webserver origin

Appliance: 7.4


Support for BIP32 Cryptographic Algorithms

>BIP32 Mechanism Support and Implementation

Firmware: 7.3.0

Client: 7.3.0

Refer also to Firmware 7.3.0 Mechanisms for descriptions of the applicable mechanisms.

Appliance Re-image

>Re-Imaging the Appliance to Baseline Software/Firmware Versions

Firmware: 7.3.0

Appliance: 7.3

The Appliance Re-image feature is not supported on HSMs that use Functionality Modules. If you have ever enabled HSM policy 50: Allow Functionality Modules, even if the policy is currently disabled, you cannot re-image the HSM appliance. See FM Deployment Constraints for details.

Partition Utilization Metrics

>Partition Utilization Metrics

Firmware: 7.3.0

Appliance: 7.3

Client: 7.3


Improved Luna HSM Client

>Version-Compatible Luna HSM Client (Luna HSMs version 6.2.1 and higher)

>Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM, Password or Multifactor Quorum

>Modifying the Installed Windows Luna HSM Client Software

>User-Defined Luna HSM Client install paths

>Luna Minimal Client (for Linux)

Client: 7.2

>Luna HSM Client 10.1 or higher is required to use Luna partitions with DPoD Luna Cloud HSM services

>The PE1756Enabled setting on Luna 6.x HSMs is not supported for use with the Version-Compatible Luna HSM Client

>Minimum OS requirements for Luna HSM Client 7.2 must be met (Refer to the CRN for details)

>Minimal Client does not include tools, and is intended for customer application containers connecting to the Network HSM. A separate full Luna HSM Client installation and configuration must be performed on the container host (and the resulting config file and certificate folders saved on the host) to establish NTLS or STC connections for use by the containers. Note that STC is replaced by STC2 in release 7.7.0 (and client 10.3), with a new database format and file locations.

Initialize the orange RPV key remotely

>Remote RPV Initialization

Appliance: 7.2

Client: 7.2


Configure Cipher Suites

>Setting TLS Ciphers

Appliance: 7.2

Client: 7.2

The Luna 7.2 appliance update includes the sysconf tls ciphers LunaSH commands, but you must update Luna HSM Client to use any of the newly included ciphers. For older clients, the ciphers available for negotiation are those that are common to your client version and to the updated Network HSM.

Customize system logging by severity level

>Customizing Severity Levels

>Customizing Remote Logging Severity Levels

Appliance: 7.2

If you were using remote logging before you upgraded the appliance software to 7.2, you must delete any existing remote hosts (see syslog remotehost delete) and re-add them before you can customize severity levels.

Re-name/Re-label partitions

>partition rename

>partition changelabel

Firmware: 7.2.0

Appliance: 7.2

Client: 7.2

Crypto User can clone public objects

Firmware: 7.2.0

The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication.

Configure partition policies for export of private keys

>Configuring the Partition for Cloning or Export of Private/Secret Keys

Firmware: 7.1.0

You can configure partition policies for Cloning or Key Export Mode manually, as long as you have updated the HSM firmware. To set these modes using Policy Templates, you must meet the Policy Template requirements.

Policy Templates

>Setting HSM Policies Using a Template

>Setting Partition Policies Using a Template

Firmware: 7.1.0

Appliance: 7.1

Client: 7.1