Luna Backup HSM 7 Firmware 7.7.2

Luna Backup HSM 7 firmware 7.7.2 was released in August 2022. It comes pre-installed on the refreshed hardware version of the Luna Backup HSM 7 v2, and is available as a field update to the original Luna Backup HSM 7.

>Download Luna Backup HSM 7 firmware 7.7.2

This version also comes ready to install with Luna Network HSM appliance software 7.8.x. (see Updating the Appliance-Connected Luna Backup HSM 7 Firmware).

New Features and Enhancements

Luna Backup HSM firmware 7.7.2 includes the following new features and enhancements:

Luna Backup HSM 7 v2

Thales is pleased to announce the availability of the new Luna Backup HSM 7 v2 – a full-featured, hand-held, USB-attached backup HSM that includes an informational full-color display. The Luna Backup HSM 7 connects easily to a client workstation using the included USB 3.0 Type C cable, and includes a universal 5V external power supply, which may be required to power the device in some instances.

This refreshed v2 model includes a USB-C port, which, combined with a USB-A to USB-C adapter, allows you to insert PED keys directly into the HSM, greatly simplifying the multifactor quorum authentication procedure and, depending on your configuration, eliminating the need for a Luna PED in backup/restore operations.

See Luna Backup HSM 7 v2.

Restore Keys From Pre-7.7.0 Partitions to V0 Partitions

Luna Backup HSM 7 firmware 7.7.2 allows you to restore objects backed up from partitions with firmware older than Luna HSM Firmware 7.7.0 to V0 partitions with partition policy 42: Allow CPv1 set to 1.

Advisory Notes

This section highlights important issues you should be aware of before deploying Luna Backup HSM 7 firmware 7.7.2.

Minimum Password Length is Increased to 8 Characters

Luna Backup HSM 7 firmware 7.7.2 enforces minimum 8-character passwords. The previous limit was 7 characters. If you were using a 7-character password before updating to firmware 7.7.2, you can encounter problems with some operations. For example, soft initialization of the HSM will fail because the new firmware will not allow you to keep the old 7-character password. To avoid losing access to your existing backups, ensure that the HSM SO password is at least 8 characters before you update the Backup HSM firmware to 7.7.2.

Configuring the Luna Backup HSM 7 for FIPS Compliance

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

CAUTION! FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.

If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.

NOTE HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.

To configure the Luna Backup HSM 7 for FIPS compliance

1.On the Luna HSM Client computer, run LunaCM.

2.Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3.Log in as Backup HSM SO.

lunacm:> role login -name so

4.Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5.[Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

CKR_CONTAINER_OBJECT_STORAGE_FULL Error When Backing Up Release 5.x or 6.x Partitions to a Luna Backup HSM 7

When using the Luna Backup HSM 7 to backup objects from partitions hosted on HSMs running older firmware, differences in the size of the metadata associated with the objects may cause the backup partition to become full before all of the objects are backed up, resulting in the following error message before all of the objects have been backed up:

<CKR_CONTAINER_OBJECT_STORAGE_FULL>

If you receive this message when backing up a user partition, you can use the LunaCM partition resize command to resize the backup partition so that it has enough space to accommodate the remaining objects, then use the partition archive backup command with the -append option to add the skipped objects to the backup.



	SUPPORT	LEGAL
Luna Network HSM Documentation © Copyright 2001-2023, Thales Group Last Updated: 2023-11-30 15:00:48 GMT-05:00	Customer Release Notes Customer Support Portal Support Contacts	End User License Agreement Third Party Software Licenses Document Information