Luna USB HSM 7 Firmware 7.7.2
Luna USB HSM 7 firmware version 7.7.2 was released in August 2022 and is installed on Thales's new Luna USB HSM 7.
New Features and Enhancements
Luna USB HSM 7 stores, protects, and manages sensitive cryptographic keys in a small form factor handheld device, providing a root of trust for sensitive cryptographic data transactions. Luna USB HSM 7 connects directly to a client workstation to provide PKCS#11-compliant cryptographic services, and can be secured safely as an offline root of trust. Luna USB HSM 7 provides easy multifactor quorum authentication, using USB iKeys connected directly to the HSM and its built-in touchscreen to authenticate critical roles.
Portable
The Luna USB HSM 7's hand-held form factor and USB connectivity make it the most portable model of Luna HSM. This allows you to easily store your important keys and connect the device to any client to perform cryptographic operations.
Easy to Store and Use
The Luna USB HSM 7 can be stored indefinitely, making it ideal for safely storing an offline root of trust and retrieving it from storage only when that root of trust is required. Using the Luna USB HSM 7 is as simple as connecting it to a client with the correct Luna HSM Client components installed.
Self-Contained
The Luna USB HSM 7 can be operated entirely from the Luna HSM Client computer. Its built-in touchscreen allows you to perform all multifactor quorum authentication and iKey management operations locally, with no need to connect a Luna PED.
Single-partition
The Luna USB HSM 7 is a single-partition HSM. Access to the partition is managed by a special access control role. The Luna USB HSM 7 offers hardware-accelerated RSA algorithms that can be used in the development of solutions for resource-constrained environments (devices like smartphones, tablets, etc.), without the need to purchase additional licenses.
Cost Effective
Like the other Luna HSMs, the Luna USB HSM 7 securely stores cryptographic keys in its hardware; sensitive information never leaves the HSM's protection. The Luna USB HSM 7 provides PKCS#11-compliant cryptographic services for applications running on the client in a secure and tamper-proof hardware package. Leveraging a Luna USB HSM 7 in your appliance or service represents a cost-effective way to bring FIPS-validated solutions to market.
Advisory Notes
This section highlights important issues you should be aware of before upgrading from Luna USB HSM G5.
FIPS Changes in Luna USB HSM 7 Firmware 7.7.2 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), to comply with FIPS SP800-131a Rev2, published in March 2019. Consider these functional changes when migrating from Luna USB HSM G5.
Mechanisms not permitted to wrap objects in FIPS mode
The following mechanisms are not permitted to wrap objects in FIPS mode (unwrap operations are permitted):
Mechanisms not permitted to sign data in FIPS mode
The following mechanisms are not permitted to sign data in FIPS mode (verify operations are permitted):
Mechanisms approved for use in FIPS mode
The following mechanisms are now approved for use in FIPS mode:
3DES Usage Counter
3DES keys have a usage counter attribute (CKA_BYTES_REMAINING) that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0). When the counter runs out, that key can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects. The CKA_BYTES_REMAINING attribute cannot be viewed if the HSM/partition is not in FIPS approved configuration.
The attribute is preserved through backup/restore using a Luna Backup HSM 7; restoring the key restores the counter's setting at the time of backup.
The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring the key resets the counter to the maximum.
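The following added example (not Thales code, and not part of the original release note) models the 3DES usage counter described above as a client-side ledger, so that cumulative use of a key can be tracked even when a restore from a Luna Backup HSM G5 resets the counter. The class and function names are hypothetical, and two behaviours are assumptions: that usage is charged in whole 8-byte blocks, and that an operation larger than the remaining budget is refused outright.

```python
"""Client-side ledger for the 3DES usage counter (illustrative model only)."""
from dataclasses import dataclass

BLOCK_BYTES = 8                        # 3DES block size
MAX_BLOCKS = 2 ** 16                   # per-key limit stated in the release note
MAX_BYTES = MAX_BLOCKS * BLOCK_BYTES   # 524288 bytes

# Operations the note says stop at zero, and those that keep working.
CONSUMING = {"encrypt", "wrap", "derive", "sign"}
NON_CONSUMING = {"decrypt", "unwrap", "verify"}


def padded_len(nbytes: int) -> int:
    """Budget charged for nbytes, rounded up to whole blocks (assumption)."""
    return -(-nbytes // BLOCK_BYTES) * BLOCK_BYTES


@dataclass
class KeyLedger:
    """Tracks one key's usage independently of the HSM-held counter."""
    label: str
    lifetime_used: int = 0             # cumulative, never reset by a restore
    hsm_remaining: int = MAX_BYTES     # local mirror of CKA_BYTES_REMAINING

    def record(self, op: str, nbytes: int) -> bool:
        """Return True if the operation is allowed, charging the budget."""
        if op in NON_CONSUMING:
            return True                # still permitted after exhaustion
        if op not in CONSUMING:
            raise ValueError(f"unknown operation: {op}")
        cost = padded_len(nbytes)
        if cost > self.hsm_remaining:
            return False               # assumption: refused, nothing charged
        self.hsm_remaining -= cost
        self.lifetime_used += cost
        return True

    def restore(self, backup_hsm: str, remaining_at_backup: int) -> None:
        """Backup HSM 7 keeps the backed-up value; Backup HSM G5 resets to max."""
        self.hsm_remaining = remaining_at_backup if backup_hsm == "7" else MAX_BYTES

    def over_limit(self) -> bool:
        """True once cumulative use exceeds the per-key limit: rotate the key."""
        return self.lifetime_used > MAX_BYTES
```

Feeding the ledger from application-side operation logs gives a rotation signal that does not depend on the value of CKA_BYTES_REMAINING after a restore.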