Luna HSM Client 10.9.2
Luna HSM Client 10.9.2 was released in February 2026. It includes bug fixes and security updates.
>Download Luna HSM Client 10.9.2 for Windows
>Download Luna HSM Client 10.9.2 for Linux
NOTE This version of Luna HSM Client is compatible with Luna HSMs with firmware 6.2.1 and newer. Features that do not have client version dependencies will function without issue.
CAUTION! Read the Advisory Notes before installing this update, to be aware of important changes that may require your attention.
Supported Operating Systems
You can install Luna HSM Client 10.9.2 on the following operating systems:
| Operating System | Version |
|---|---|
| Windows | 11 |
| Windows Server Standard | 2025 |
| 2022 | |
| 2019 | |
| 2016 | |
| Windows Server Core | 2022 |
| 2019 | |
| 2016 | |
| Red Hat Enterprise Linux (RHEL) | 10 |
| 9.0, 9.2, 9.4, 9.6** | |
| Red Hat Universal Base Image (UBI) | 10 |
| 9.0, 9.2, 9.4, 9.6 | |
|
Ubuntu * |
24.04.1 |
| 22.04 |
* The Linux installer for Luna HSM Client software is compiled as .rpm packages. To install on a Debian-based distribution, such as Ubuntu, alien is used to convert the packages. We used build-essential:
apt-get install build-essential alien
If you are using a Docker container or another such microservice to install the Luna Minimal Client on Ubuntu, and your initial client installation was on another supported Linux distribution as listed above, you do not require alien. Refer to the product documentation for instructions. You might need to account for your particular system and any pre-existing dependencies for your other applications.
** RHEL and CentOS 8.0-9.0 with their original kernels.
Secure Boot Support
Luna HSM Client can be used on all supported OS platforms in the table above, with Secure Boot enabled. If you are using Luna HSM Client to access partitions on a Luna Network HSM 7 only, no drivers are required. On Windows, the drivers for all other Luna HSM variants and components (Luna PCIe HSM 7, Luna USB HSM 7, Luna Backup HSM 7, Luna Backup HSM G5, Luna PED) are signed by Thales for use with Windows Secure Boot. In both these cases, you can proceed with the standard Luna HSM Client Software Installation procedure.
On Linux, these drivers are compiled for the host OS during Luna HSM Client installation. If Secure Boot is enabled on the host system, these drivers must be signed as directed by the host OS provider:
>Secure Boot on Red Hat Enterprise Linux
ESXi Passthrough
Luna PCIe HSM 7, Luna USB HSM 7, Luna Backup HSM 7, and Luna Backup HSM G5 can be used in passthrough mode, connected to an ESXi host.
CAUTION! You must set the ESXi power policy to High Performance to ensure that adequate power is supplied to the USB-connected devices.
The following combinations of ESXi version and virtual machine operating system are supported:
| ESXi Version | Supported VM OS's | |||
|---|---|---|---|---|
| ESXi 8.0 |
|
|||
|
ESXi 7.0 |
Windows 11, 2016, 2022, 2025 | |||
| RHEL 8.7, 8.8, 9.1, 9.5 | ||||
| Ubuntu 14.04, 18.04, 22.04, 24.04.1 | ||||
| ESXi 6.7 |
RHEL 8.7, 8.8, 9.0, 9.1, 9.2 Ubuntu 21.04, 22.04 Windows 2016, 2022 |
|||
| ESXi 6.5 | Windows Server Core 2019 | |||
| Windows Server Core 2016 |
Supported Cryptographic APIs
Applications can perform cryptographic operations using the following APIs:
>PKCS#11 2.20
>OpenSSL
>Microsoft CAPI
>Microsoft CNG
>Supported Java versions:
•Open JDK 8 up to Open JDK 25
•Oracle Java 8 up to JDK 25
•IBM Java 8 and 11
Advisory Notes
This section highlights important issues you should be aware of before deploying Luna HSM Client 10.9.2.
Security Change to NTLS Private Key Permissions
Beginning with Luna HSM Client 10.9.0, only the creator / owner of the private key is allowed to access the key, by default.
As part of our ongoing commitment to enhancing security, we have recently implemented changes to the access permissions for files containing sensitive keys or credentials. These adjustments are designed to minimize risks and protect your data from unauthorized access.
Why This Change Matters
Files containing private keys or secrets are high-risk targets for cyber threats. By reducing access rights, we ensure that only authorized users or processes can interact with these files. This approach aligns with the principle of least privilege, which limits potential exposure and helps prevent security breaches.
What Has Changed?
>File permissions have been updated to restrict access to essential personnel only.
>Unnecessary read, write, or execute permissions have been removed to reduce attack surfaces.
>Regular audits should be conducted to ensure compliance and detect any anomalies.
Benefits of This Update
>Enhanced Protection: Limits the risk of unauthorized access or accidental exposure.
>Compliance Alignment: Supports adherence to security best practices and regulatory requirements.
>Proactive Security: Reduces the likelihood of data breaches or credential theft.
We understand that changes like these may require adjustments to your workflows. If you encounter any issues or need further clarification, please reach out to our support team.
Your security is our priority, and we appreciate your cooperation in maintaining a secure environment.
What should you do?
By default, the originator/owner of NTLS private key would be the admin user, which would mean that other users or processes would be excluded from accessing the private key or folder. This might disrupt connections that are normally made by other users or processes.
You know the particular names and groups of personnel and processes that need access in your operations.
After installing the client on a new host, or after updating from a pre-10.9.0 version of Luna HSM Client,
>use the security access-control tools of your client operating system to grant specific, minimum access permission to only those users and groups that need it to function properly;
>add only the privileges they need, and
>grant access only for users or groups that absolutely require such permissions.
Installation Directory Changes
Using Luna HSM Client 10.9.2 or newer, header files have been moved away from the Samples directory to a more appropriate SDK directory when the SDK option is selected during client installation to enforce a clear separation in the Luna HSM Client installation.[
Windows:
C:/Program Files/SafeNet/LunaClient/ sdk/ include/ <header files that provide specifications of Thales and non APIs, esp. for using the PKCS#11 interface> external/ <third party headers> RSA/ lib/ samples/ (moved within sdk; and removed "p11samples" subdirectory for consistency) <include directory moved> <lib directory moved> src/ <rename source to src> move header files from here to include/ makefiles/ ecc_examples/ README.txt fmsdk/ (moved from samples/) include/ lib/ samples/ ...
Linux/AIX:
/usr/safenet/lunaclient/ sdk/ include/ <header files that provide specifications of Thales and non APIs, esp. for using the PKCS#11 interface> external/ <third party headers> RSA/ samples/ (moved within sdk) <include directory moved> src/ <rename source to src> move header files from here to include/ makefiles/ ecc_examples/ README.txt ... /usr/safenet/lunafmsdk/ (unchanged) include/ lib/ samples/
Backup/USB/PCIe Drivers Not Installed on Windows 10 or Windows Server 2022 Unless Device is Connected
Due to changes in Windows 10 and Server 2022, device drivers are not installed unless the USB or PCIe device is connected to the client workstation. If you plan to use a Luna Backup HSM 7, Luna Backup HSM G5, Luna USB HSM 7, or Luna PCIe HSM 7 with these operating systems, use one of the following workarounds:
>Connect the Luna device to the workstation (or install the Luna PCIe HSM 7 card) before installing the Luna HSM Client software
>After installing the Luna HSM Client software:
a.Connect the Luna device(s) to the workstation (or install the Luna PCIe HSM 7 card)
b.Run LunaHSMClient.exe.
c.Select the devices you want to install drivers for.
d.Click Modify.
CentOS 8.4 Missing Dependency
Due to a missing dependency on CentOS 8.4 [specifically the symlink (libnsl.so.1) to libnsl was removed], when installing Luna HSM Client 10.5.0 or newer, you must install an additional rpm package first:
Run yum install libnsl before invoking the install.sh script.
CSP/KSP Registrations Can Fail if Windows Update Missing
CSP or KSP registration includes a step that verifies the DLLs are signed by our certificate that chains back to the DigiCert root of trust G4 (in compliance with industry security standards).
This step can fail if your Windows operating system does not have the required certificate. If you have been keeping your Windows OS updated, you should already have that certificate.
If your Luna HSM Client host is connected to the internet, use the following commands to update the certificate manually:
certutil -urlcache -f http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
certutil -addstore -f root DigiCertTrustedRootG4.crt
To manually update a non-connected host
1. Download the DigiCert Trusted Root G4 (http://cacerts.digicert.com/DigiCertTrustedRootG4.crt) to a separate internet-connected computer.
2.Transport the certificate, using your approved means, to the Luna HSM Client host into a <downloaded cert path> location of your choice
3.Add the certificate to the certificate store using the command:
certutil -addstore -f root <downloaded cert path>
Luna HSM Client No Longer Supports Luna PCIe HSM 6 on any platform
Luna HSM Client 10.5.0 and newer cannot be used with a Luna PCIe HSM 6 that might be present in the host. If you need to use a version 6.x HSM card with your application, install Luna HSM Client 10.3.0 or older for Windows, or Luna HSM Client 10.4.1 or older for Linux.
CKR_MECHANISM_INVALID Messages in Mixed Luna Cloud HSM Implementations
When using a Luna Cloud HSM service with Luna HSM Client, you might encounter errors like "CKR_MECHANISM_INVALID" or "Error NCryptFinalizeKey" during some operations in Hybrid HA and FIPS mode (3DES Issue). This can occur if firmware versions differ between a Luna HSM partition and a Luna Cloud HSM service in an HA group when you invoke a mechanism that is supported on one but not the other. Similarly, if one member is in FIPS mode, while the other is not, a mechanism might be requested that is allowed for one member, but not the other. For example, the ms2luna tool can fail when 3DES operations are invoked.
