Luna HSM Firmware 7.7.0

Luna HSM firmware 7.7.0 was released in October 2020. It is included in the Luna Network HSM appliance software 7.7.0 secure package. It includes bug fixes and updated FIPS compliance requirements.

>Download Luna Network HSM Appliance Software 7.7.0 (includes firmware update to Luna HSM Firmware 7.7.0)

Refer to NIST certificate #4090 for FIPS 140-2 Level 3 certification:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4090

This is the most recent firmware version certified under the Common Criteria standard. The certificates are posted here:

>https://www.commoncriteriaportal.org/files/epfiles/CC-20-195307.pdf

>CC Certificate -- Thales Luna K7 HSM

This release is certified under the eIDAS standard and the certificate is posted here:

>https://www.tuv-nederland.nl/assets/files/cerfiticaten/2021/02/eidas-certificate-luna-k7-20-195307-2.pdf

New Features and Enhancements

Luna HSM firmware 7.7.0 includes the following new features and enhancements:

Scalable Key Storage

Scalable Key Storage (SKS) is an optional feature that allows off-board storage of keys and objects in quantities greater than the capacity of an HSM. This provides virtually unlimited storage for your RSS (Remote Signing and Sealing) and other applications that require thousands or millions of keys. An SKS Master Key (SMK), which never leaves the HSM, securely encrypts extracted keys and objects so that they remain within the HSM's security envelope and can be reinserted (decrypted inside the HSM) for immediate use by your application.

>Preserves key attributes through the life-cycle of a key.

>Provides the option of the new SKS function or classic Luna "keys always in hardware" operation, on a partition-by-partition basis.

This feature also requires Luna Network HSM Appliance Software 7.7.0 or newer, and Luna HSM Client 10.3.0 or newer.

Per-Key Authorization

Per-Key Authorization (PKA) allows granular control of key material for applications requiring high assurance by providing authorization on a per-key basis.

This feature also requires Luna Network HSM Appliance Software 7.7.0 or newer, and Luna HSM Client 10.3.0 or newer.

Release 7.7.0 Advisory Notes

This section highlights important issues you should be aware of before deploying HSM firmware 7.7.0.

Luna HSM firmware 7.7.0 and newer requires updated PED firmware

Luna HSM firmware 7.7.0 introduced new security communication protocols for compliance with current eIDAS, Common Criteria, and FIPS standards. You require one of the following minimum PED firmware versions, depending on your Luna PED hardware:

>USB-powered Luna PED: Luna PED Firmware 2.9.0 or newer

>DC-powered Luna PED: Luna PED Firmware 2.7.4 or newer

These Luna PED firmware versions are backwards-compatible with older Luna HSM firmware, but a Luna HSM with firmware 7.7.0 or newer will refuse connection to a Luna PED with older firmware (LUNA_RET_PED_UNSUPPORTED_PROTOCOL error).

CAUTION! Ensure that you update your Luna PED firmware before your Luna HSM firmware so that you can authenticate roles on the HSM during the update process.

Special Considerations for Updating to Firmware 7.7.0

Ensure that the Network HSM Appliance BIOS and BMC Firmware Update Patch is installed before you begin the firmware update. The update proceeds only if the BIOS and BMC firmware patch has been applied.

The update takes longer than usual firmware updates because all existing application partitions are converted to V0, additional attributes are applied to existing keys, and memory and partition sizes are increased to accommodate the other changes. If you have a small number of keys, expect the firmware update to take at least 15 minutes. For large numbers of keys, the update and conversion could take as much as a few hours.

Use independent uninterruptible power supplies and do not stop or restart the HSM during the update process.

Firmware 7.7.0 Valid Update Paths

You can update the Luna HSM firmware to version 7.7.0 from the following previous versions:

>7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.3.0, 7.3.3, 7.4.0, 7.4.1, 7.4.2
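
The three prerequisites above (valid source firmware, minimum PED firmware for the PED hardware type, BIOS and BMC patch installed) can be gated in a change-management script before anyone starts the update. The following is an added example, not Thales code: the function names, the 'usb'/'dc' labels and the sample inventory are assumptions, it assumes a PED-authenticated HSM, and the operator supplies the versions rather than the script querying the appliance.

```python
# Added example: pre-update gate for Luna HSM firmware 7.7.0.
# Inputs are values the operator has already collected (assumption);
# reading them from the appliance is not shown here.

# Source versions the page lists as valid update paths to 7.7.0.
VALID_SOURCES = ["7.0.1", "7.0.2", "7.0.3", "7.1.0", "7.2.0",
                 "7.3.0", "7.3.3", "7.4.0", "7.4.1", "7.4.2"]
# Minimum Luna PED firmware per PED hardware type, from the advisory note.
MIN_PED = {"usb": "2.9.0", "dc": "2.7.4"}


def parse(version):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a three-part dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def preflight(hsm_fw, ped_type, ped_fw, bios_bmc_patch_applied):
    """Return blocking findings; an empty list means the update may start."""
    findings = []
    if parse(hsm_fw) not in {parse(v) for v in VALID_SOURCES}:
        findings.append(f"HSM firmware {hsm_fw} is not a listed update path to 7.7.0")
    if ped_type not in MIN_PED:
        findings.append(f"unknown PED type {ped_type!r}; expected 'usb' or 'dc'")
    elif parse(ped_fw) < parse(MIN_PED[ped_type]):
        findings.append(
            f"PED firmware {ped_fw} is below {MIN_PED[ped_type]}; update the PED "
            "first or the HSM returns LUNA_RET_PED_UNSUPPORTED_PROTOCOL")
    if not bios_bmc_patch_applied:
        findings.append("BIOS and BMC firmware update patch is not installed")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance output.
    fleet = [
        ("hsm-a", "7.4.2", "usb", "2.10.0", True),
        ("hsm-b", "7.3.1", "dc", "2.7.1", False),
    ]
    for name, *facts in fleet:
        problems = preflight(*facts)
        print(name, "READY" if not problems else "BLOCKED")
        for p in problems:
            print("   -", p)
```

Versions are compared as integer tuples so that a constructed value such as 2.10.0 is correctly treated as newer than 2.9.0, which a plain string comparison would get wrong.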