Taurus FM
This integration guide walks you through deploying and securing the Taurus Functional Module (FM) on a Thales Luna Network HSM using the Luna client. The process uses a controlled, containerized environment to build, sign, and deploy the FM in a consistent and repeatable manner.
By integrating the Taurus FM with the HSM, sensitive cryptographic operations such as transaction signing and key handling are executed within a hardened, tamper-resistant boundary. The HSM enforces strict security controls, while the Luna client enables secure communication, partition management, and FM lifecycle operations, ensuring that all keys and processes remain protected with hardware-backed security.
The key benefits of this integration are:
- Secure build, signing, and deployment of the Taurus FM within a controlled and verifiable environment
- Protection of cryptographic keys and execution logic inside a tamper-resistant HSM boundary
- End-to-end secure communication between client and HSM using NTLS, preventing interception or manipulation of sensitive data
- Full lifecycle control of the Taurus FM, including validation, upgrade, and removal
- Operational consistency through containerized tooling, ensuring repeatable and reliable deployments
- Enhanced security posture by isolating critical cryptographic operations from application and host environments
Tested Platforms
This integration has been tested with Taurus FM deployment on the Thales Luna Network HSM using the Luna client and associated tooling.
| Platforms Tested | Luna Client Version | HSM Firmware Version | Taurus FM Version | Container / OS Environment | Validation Conditions |
|---|---|---|---|---|---|
| Fedora 43 (Container) | 7.x | 7.8.x/7.9.x | Taurus-PROTECT v2.x | Podman (Privileged Mode) | NTLS enabled, FM policies enabled, partition configured, container workflow |
| RHEL 8/RHEL 9 | 7.x | 7.x | Taurus-PROTECT v2.x | Native/Containerized | NTLS enabled, FM policies enabled, partition configured |
All FM build and signing operations are performed within the container to ensure consistency across deployments.
Ensure compatibility between the Luna client, HSM firmware, and Taurus FM versions. Mismatched versions may result in FM validation or deployment failures.
Prerequisites
Before proceeding with the integration, ensure that the following requirements are met for deploying the Taurus FM on the Thales Luna Network HSM:
Prepare the HSM Environment
Ensure that the Thales Luna Network HSM is properly initialized and ready for Taurus FM deployment:
The HSM must be powered on, accessible over the network, and reachable from the client system.
Administrative access to the HSM must be available (for example, via SSH using the admin account).
The HSM must be initialized, and secure transport mode must be disabled if applicable.
Network configuration must be completed, including IP assignment and hostname configuration.
NTLS must be enabled and bound to the appropriate network interface to allow secure client communication.
At least one partition must be created and initialized on the HSM for Taurus FM operations.
Partition roles must be configured, including Partition Officer (PO), Crypto Officer (CO), and Crypto User (CU).
Ensure that connectivity between the Luna client and the HSM is verified using the Luna client tools (for example, lunacm and ccfg).
Ensure that the HSM is not operating under restrictive policies that would prevent Functional Module deployment.
Verify Host and Container Environment Readiness
Ensure that the client system is properly prepared to build, sign, and deploy the Taurus FM using the Luna client and associated tooling.
A Linux-based system (such as RHEL, Ubuntu, or equivalent) must be available for running the client and container environment.
Podman or Docker must be installed and properly configured on the host system.
The host system must have network connectivity to the Thales Luna Network HSM, including required ports for SSH and PKCS#11 communication.
The user must have sufficient privileges to run containers in privileged mode and access system devices (for example, /dev).
A working directory (for example, /taurus/hsmsop) must be available for storing configuration files, software packages, and Taurus FM artifacts.
The container environment must support installation of required development and system packages needed for FM build and signing operations.
All Taurus FM build and signing operations are performed inside a containerized environment to ensure consistency and repeatability.
Download Required Software and Taurus Artifacts
Ensure that the following software packages and artifacts are available before proceeding with the integration:
Download the appropriate version of the Luna client software from the Thales Customer Support Portal.
Download the required Luna HSM firmware and appliance software packages, ensuring compatibility with your target deployment version.
Obtain the Taurus FM binary (for example, taurus-protect-fm-v2.x.bin) from the Taurus team.
Organize all downloaded files under a structured directory (for example, /taurus/hsm_archive/) to simplify access during container-based operations.
Ensure compatibility between the Luna client version, HSM firmware, and Taurus FM binary. Mismatched versions may result in FM validation or deployment failures.
Refer to the official Thales Luna Network HSM documentation for supported upgrade paths and version compatibility before performing firmware or appliance updates.
Integrating Taurus with Luna HSM
This section provides the step-by-step procedure to deploy the Taurus Functional Module (FM) on the Thales Luna Network HSM using the Luna client. The workflow progresses from environment setup and HSM configuration to firmware updates and secure FM deployment, ensuring a consistent and successful integration.
- Configure Luna client and partition
- Initialize and configure the HSM
- Upgrade firmware and appliance software
Set Up the Environment
This section describes how to prepare the containerized environment and install the Luna client required for Taurus FM operations.
Pull the Fedora base image:

```shell
podman pull fedora:43
```

Create a working directory for the integration setup:

```shell
mkdir -p /taurus/hsmsop
cd /taurus/hsmsop
```

Create the container and mount the required directories (the software archive is exposed inside the container as /hsm-archive, the FM working files as /kc):

```shell
podman create \
  -v /taurus/hsm_archive/7.4:/hsm-archive \
  -v /taurus/kc:/kc \
  -v /dev:/dev \
  --mount type=devpts,target=/dev/pts \
  --net=host --uts=host --pid=host --ipc=host \
  -it --privileged \
  --name tg-hsm-luna-740 fedora:43
```

Start and access the container:

```shell
podman start tg-hsm-luna-740
podman exec -ti tg-hsm-luna-740 bash
```

Update the system and install required dependencies:

```shell
dnf -y update
dnf -y install findutils gcc git hostname iputils make nmap procps putty socat \
  traceroute which ssss gpg openssl vim tar openssl-devel pinentry python3 zip \
  unzip python3-devel tree wipe fedora-packager rpmdevtools rng-tools glibc.i686
```

Restart the container to ensure all packages are properly initialized:

```shell
exit
podman restart tg-hsm-luna-740
podman exec -ti tg-hsm-luna-740 bash
```

Copy the Luna client software archive from the mounted /hsm-archive directory into the container workspace (the copy is recursive so that the versioned subdirectory is preserved):

```shell
mkdir -p /taurus
cp -rv /hsm-archive/* /taurus/
cd /taurus
```

Extract the client SDK package:

```shell
unzip 7.4.0/SDKs.zip
```

Install the Luna client software:

```shell
cd 7.4.0/64
./install.sh
```

Follow the installation prompts and select the required components based on your environment.

Add the Luna client binaries to the system path (the single quotes keep `$PATH` unexpanded in ~/.bashrc so it is evaluated at login, not at the time of the echo):

```shell
echo 'export PATH="/usr/safenet/lunaclient/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
```
All Taurus FM build and signing operations are performed within this container to ensure a consistent execution environment.
At this stage, the container environment and Luna client should be fully operational before proceeding to client configuration.
Configure Luna Client and Partition
This section describes how to configure the Luna client, establish connectivity with the HSM, and initialize a partition with the required roles for Taurus FM operations.
Launch the Luna client manager:

```
lunacm
```

Configure the client to connect to the HSM and assign the partition:

```
ccfg deploy -server <HSM_IP> -client <CLIENT_HOSTNAME> -partition <PARTITION_NAME>
```

Verify connectivity between the client and the HSM:

```
ccfg v
```

Confirm that the available slots and partitions are listed without errors.

Select the slot associated with the partition:

```
slot set -slot <SLOT_NUMBER>
```

Initialize the partition with a label and domain:

```
partition init -label <PARTITION_LABEL> -domain <PARTITION_DOMAIN>
```

Log in as the Partition Officer (PO):

```
role login -name po
```

Initialize the Crypto Officer (CO) role:

```
role init -name co
```

Log out of the current role:

```
role logout
```

Log in as the Crypto Officer (CO):

```
role login -name co
```

Change the initial password for the Crypto Officer:

```
role changepw -name co
```

Initialize the Crypto User (CU) role:

```
role init -name cu
```

Log out of the current role:

```
role logout
```

Log in as the Crypto User (CU):

```
role login -name cu
```

Change the initial password for the Crypto User:

```
role changepw -name cu
```

Log out of the current role:

```
role logout
```

(Optional) Enable the partition policy required for FM verification (for newer firmware versions):

```
par changePo -pa <PARTITION_LABEL> -ps <PO_PASSWORD> -po 45 -v 1
```
Ensure that the partition is correctly initialized and accessible before proceeding to HSM configuration and FM deployment.
Initialize and Configure the HSM
This section describes how to initialize and configure the Thales Luna Network HSM for Taurus FM deployment.
Connect to the HSM using a serial interface:

```shell
sudo screen /dev/ttyUSB0 115200
```

Use the following settings:

- Baud rate: 115200
- Parity: None (N)
- Data bits: 8
- Stop bits: 1
- Terminal: VT-100
- Hardware flow control enabled

Log in as the admin user and change the default password when prompted:

```
admin
```

Ensure that the password meets the required complexity guidelines enforced by the HSM.

Configure the network interface and hostname:

```
network interface static -device eth0 \
  -ip <HSM_IP> \
  -netmask <NETMASK> \
  -gateway <GATEWAY>
network hostname <HSM_HOSTNAME>
```

Enable NTLS on the required network interface:

```
ntls bind eth0
```

If the HSM is in secure transport mode, disable it using the provided verification string:

```
hsm stm recover -randomuserstring <VERIFICATION_STRING>
```

Confirm the operation when prompted:

```
proceed
```

Initialize the HSM with a label:

```
hsm init -label <HSM_LABEL>
```

Log in as the HSM Security Officer (SO):

```
hsm login
```
Verify that the HSM is initialized and operational before proceeding.
Ensure that the network configuration and NTLS setup are correctly applied, as they are required for secure communication between the client and the HSM.
Prepare the HSM for FM Deployment
This section describes how to enable the required HSM policies to support Taurus FM deployment on the Thales Luna Network HSM.
Connect to the HSM as admin via SSH:

```shell
ssh admin@<HSM_IP>
```

Log in as the HSM Security Officer (SO):

```
hsm login
```

Display the current HSM policies:

```
hsm showpolicies
```

Enable the policy to allow Functionality Modules (FM):

```
hsm changepolicy -policy 50 -value 1
```

Enable the policy to allow partition PIN reset (if required):

```
hsm changepolicy -policy 15 -value 1
```

Enable SMFS auto-activation support:

```
hsm changepolicy -policy 51 -value 1
```

Reinitialize the HSM if prompted and log in again:

```
hsm init
hsm login
```
Enabling policy 50 permanently allows Functionality Modules on the HSM and cannot be reversed. This operation may erase existing partitions and keys. Ensure that the HSM is in a clean or non-production state before proceeding.
After enabling the required policies, the HSM is ready for Taurus FM signing and deployment.
Deploy the Taurus FM
This section describes how to sign, upload, and load the Taurus Functional Module (FM) onto the Thales Luna Network HSM using the Luna client and associated tooling.
List the contents of the partition slot to verify existing keys:

```shell
cmu list -slot <SLOT_NUMBER>
```

Generate a key pair for FM signing if one does not already exist:

```shell
cmu generatekeypair \
  -labelpublic taurus_pub \
  -labelprivate taurus \
  -keytype rsa \
  -mech prime \
  -modulusBits 2048 \
  -sign 1 -verify 1 \
  -slot <SLOT_NUMBER>
```

List the slot contents again and note the key handles for the public and private keys:

```shell
cmu list -slot <SLOT_NUMBER>
```

Create a self-signed certificate using the generated key pair:

```shell
cmu selfsigncertificate \
  -slot <SLOT_NUMBER> \
  -label taurus_cert \
  -publichandle <PUBLIC_HANDLE> \
  -privatehandle <PRIVATE_HANDLE> \
  -c <COUNTRY> \
  -cn taurus \
  -serialnumber 1 \
  -startdate <YYYYMMDD> \
  -enddate <YYYYMMDD>
```

Export the certificate to the client file system:

```shell
cmu export -slot <SLOT_NUMBER> -label taurus_cert -outputfile=taurus.cert
```

Transfer the certificate to the HSM appliance:

```shell
scp taurus.cert admin@<HSM_IP>:
```

Sign the Taurus FM binary using the generated key:

```shell
mkfm \
  -f /kc/taurusFM.bin \
  -o /kc/taurusFM.fm \
  -k <PARTITION_NAME>/taurus
```

Transfer the signed FM file to the HSM appliance:

```shell
scp /kc/taurusFM.fm admin@<HSM_IP>:
```

Connect to the HSM via SSH and log in as the HSM Security Officer (SO):

```shell
ssh admin@<HSM_IP>
```

```
hsm login
```

Verify that the certificate and FM files are present on the appliance:

```
my file list
```

Load the Taurus FM into the HSM:

```
hsm fm load -certFile taurus.cert -fmFile taurusFM.fm
```

Restart the HSM to apply the FM:

```
hsm restart
```

Log in again as the HSM Security Officer:

```
hsm login
```

Activate the Secure Memory File System (SMFS):

```
hsm fm smfs activate
```

Verify the FM status:

```
hsm fm status
```
At this stage, the Taurus FM should be successfully loaded and active on the HSM.
Ensure that the correct partition, key labels, and certificate are used during the signing process. Mismatched keys or certificates will result in FM validation failure.
If the FM fails to load or activate, verify HSM policies, partition configuration, and certificate trust settings before retrying.
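The signing and transfer steps above are the point where a wrong input file or a stale build is easiest to catch. The following wrapper is an added example, not part of the Thales or Taurus tooling: it refuses to run `mkfm` until the FM binary and the exported certificate are present, then records SHA-256 digests of the input binary, the signed image and the certificate so the operator keeps a record of exactly which artifacts were signed and transferred with `scp`. The function names, the manifest path `/kc/taurusFM.sha256` and the environment-variable overrides are assumptions; `mkfm` and `sha256sum` are assumed to be on PATH inside the container.

```shell
#!/bin/sh
# Added example wrapper around the FM signing step (not the guide's own script).
# Defaults follow the paths and key label used in the guide; the manifest path
# and the variable names are assumptions.
FM_IN="${FM_IN:-/kc/taurusFM.bin}"
FM_OUT="${FM_OUT:-/kc/taurusFM.fm}"
SIGN_KEY="${SIGN_KEY:-<PARTITION_NAME>/taurus}"
CERT="${CERT:-taurus.cert}"
MANIFEST="${MANIFEST:-/kc/taurusFM.sha256}"

# Print the SHA-256 hex digest of a readable file; fail (status 1) otherwise.
file_digest() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only if every argument is an existing, non-empty regular file.
require_files() {
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
    done
}

# Write one "digest  path" line per file to the manifest and print the line count,
# so the operator can later compare the recorded digest with the artifact in use.
write_manifest() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        echo "$(file_digest "$f")  $f" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# Sign the FM only after its inputs are verified, then record the digests of
# the unsigned binary, the signed image and the certificate that will be loaded.
sign_fm() {
    require_files "$FM_IN" "$CERT" || return 1
    mkfm -f "$FM_IN" -o "$FM_OUT" -k "$SIGN_KEY" || return 1
    write_manifest "$MANIFEST" "$FM_IN" "$FM_OUT" "$CERT"
}

# Entry point for operator use: ./sign_fm.sh sign
if [ "${1:-}" = "sign" ]; then
    sign_fm
fi
```

Re-run `sha256sum -c` against the manifest on the client before each `scp` to confirm that the image being transferred is the one that was signed.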
Validate the Integration
This section verifies that the Taurus FM has been successfully deployed and is operational on the Thales Luna Network HSM.
Check the status of the loaded Functional Module:

```
hsm fm status
```

Confirm that:

- The Taurus FM is listed as active
- No errors are reported during loading or activation
- The FM version and status are correctly displayed

Verify that the HSM is accessible and responsive from the client environment:

```
lunacm
```
Ensure that the configured partition and slot are visible and accessible.
If the Taurus FM is not listed or errors are observed, review the FM deployment steps, HSM policies, and certificate configuration before retrying.