Luna Hardware Security Modules

Hardware Security Modules (HSMs) are dedicated systems that physically and logically secure cryptographic keys and cryptographic processing. The purpose of an HSM is to protect sensitive data from being stolen by providing a highly secure operation structure. HSMs are fully contained and complete solutions for cryptographic processing, key generation, and key storage. They are purpose-built appliances that automatically include the hardware and firmware (i.e., software) necessary for these functions in an integrated package.

An HSM manages cryptographic keys used to lock and unlock access to digitized information over their life-cycle. This includes generation, distribution, rotation, storage, termination, and archival functions. An HSM also engages in cryptographic processing, which produces the dual benefits of isolation and offloading cryptographic processing from application servers.

HSMs are available in the following forms:

>Standalone network-attached appliances, as described in Luna Network HSM 7.

>Hardware cards that plug into existing network-attached systems, as described in Luna PCIe HSM 7.

>Portable USB-connected HSMs that connect to a client system, as described in Luna USB HSM 7.

>USB-connected backup HSMs, as described in Luna Backup HSM.

For a comparison of the Luna HSM variants, and descriptions of the available models:

>Comparing the Luna HSM Variants

>Luna HSM Models

For a high-level overview of the distinctive features of the Luna HSM, see Luna HSM Features.

Luna Network HSM 7

Luna Network HSM 7 stores, protects, and manages sensitive cryptographic keys in a centralized, high-assurance appliance, providing a root of trust for sensitive cryptographic data transactions. Deployed in more public cloud environments than any other HSM, Luna Network HSM 7 works seamlessly across your on-premises, private, public, hybrid, and multi-cloud environments. Luna Network HSM 7 is the most trusted general purpose HSM on the market, and with market leading performance, true hardware-based security, and the broadest ecosystem available, Luna Network HSM 7 is at the forefront of HSM innovation.

Ethernet-attached

An Ethernet-attached HSM, Luna Network HSM 7 is designed to protect critical cryptographic keys and accelerate sensitive cryptographic operations across a wide range of security applications. It includes many features that increase security, connectivity, and ease of administration in dedicated and shared security applications.

Integrated Cryptographic Engine

The Luna Network HSM 7 can be shared between multiple applications or clients connected to it through a network. In the same way that mail and web servers provide email or web pages to authenticated clients, the Luna Network HSM 7 offers powerful key management and high-performance cryptographic processing to clients on the network. To achieve this, the Luna Network HSM 7 includes an integrated FIPS 140-2-validated HSM and the Luna K7 Cryptographic Engine. Additionally, the Luna Network HSM 7 adds a secure service layer that allows the Cryptographic Engine to be shared between network clients.

Partitions

The Luna Network HSM 7 allows its single physical HSM to be divided into logical HSM partitions, each with independent data, access controls, and administrative policies. HSM partitions can be thought of as ‘safe deposit boxes’ that reside within the Cryptographic Engine’s ‘vault’. The vault itself offers an extremely high level of security for all the contents inside, while the safe deposit boxes protect their specific contents from people who have access to the vault. HSM partitions allow separate data storage and administration policies to be maintained by multiple applications sharing one HSM without fear of compromise from other partitions residing on it. Each HSM partition has a special access control role that manages it. Depending on the model, a Luna Network HSM 7 can contain up to 100 partitions.

Dedicated Clients

An HSM partition can be dedicated to a single Client, or shared by multiple Clients that access the same partition. Clients are applications, or application servers, that connect to the Luna Network HSM. Examples of possible clients are an encrypted database, a secure web server, or a Certificate Authority (CA); all these applications require the storage of sensitive cryptographic data or can benefit from the increased security and cryptographic performance offered by the Luna Network HSM 7. Each Client is assigned to one or more specific HSM partitions. Clients authenticate to the Luna Network HSM 7 with a digital certificate and a unique HSM partition challenge.

Employ the HSM as a Service

Luna Network HSM 7 empowers organizations to take a best practices approach to cryptographic key security by offloading cryptographic processes to a centralized, high-assurance key vault that can be deployed as a service. Only the Luna Network HSM 7 is able to provide trusted key ownership and control, with full multi-tenancy across on-premises, private, public, hybrid, and multi-cloud environments.

Luna PCIe HSM 7

Luna PCIe HSM 7 stores, protects, and manages sensitive cryptographic keys in a small form factor PCIe card, providing a root of trust for sensitive cryptographic data transactions. With Luna PCIe HSM 7, cryptographic processes are offloaded to a high-performance cryptographic processor. Luna PCIe HSM 7 easily embeds in servers and security appliances for an easy-to-integrate and cost-efficient solution for FIPS 140-2 validated key security. Luna PCIe HSM 7 benefits from a diverse feature set that enables greater centralized control through secure remote management, transport, and backup.

Single-partition

The Luna PCIe HSM 7 is a single-partition HSM card that you can embed in a pre-existing network-attached system. Access to the partition is managed by a special access control role. The Luna PCIe HSM 7 offers hardware-accelerated ECC algorithms that can be used in the development of solutions for resource-constrained environments (devices like smart phones, tablets, etc.), without the need to purchase additional licenses. ECC offers high key strength at a greatly reduced key length compared to RSA keys, giving higher security with fewer resources.

Cost Effective

Like the other Luna HSMs, the Luna PCIe HSM 7 securely stores cryptographic keys in its hardware; sensitive information never leaves the HSM's protection. The Luna PCIe HSM 7 provides PKCS#11-compliant cryptographic services for applications running on the server in a secure and tamper-proof hardware package. Leveraging a Luna PCIe HSM 7 in your appliance or service represents a cost-effective way to bring FIPS 140-2, Common Criteria, and eIDAS-validated solutions to market.

Luna PCIe HSM 7 empowers organizations to take a best practices approach to cryptographic key security by offloading cryptographic processes to a dedicated small form factor cryptographic processor. Luna PCIe HSM 7 is the highest performing embedded HSM on the market.

Luna USB HSM 7

Luna USB HSM 7 stores, protects, and manages sensitive cryptographic keys in a small form factor handheld device, providing a root of trust for sensitive cryptographic data transactions. Luna USB HSM 7 connects directly to a client workstation to provide PKCS#11-compliant cryptographic services, and can be secured safely as an offline root of trust. Luna USB HSM 7 provides easy multifactor quorum authentication, using a USB PED key connected directly to the HSM and its built-in touchscreen to authenticate critical roles.

Portable

The Luna USB HSM 7's hand-held form factor and USB connectivity make it the most portable model of Luna HSM. This allows you to easily store your important keys and connect the device to any client to perform cryptographic operations.

Easy to Store and Use

The Luna USB HSM 7 can be stored indefinitely, making it ideal to safely store an offline root of trust, and retrieve from storage only when that root of trust is required. Using the Luna USB HSM 7 is as simple as connecting it to a client with the correct Luna HSM Client components installed.

Self-Contained

The Luna USB HSM 7 can be operated entirely from the Luna HSM Client computer. Its built-in touchscreen allows you to perform all multifactor quorum authentication and PED key management operations locally, with no need to connect a Luna PED.

Single-partition

The Luna USB HSM 7 is a single-partition HSM. Access to the partition is managed by a special access control role. The Luna USB HSM 7 offers hardware-accelerated RSA algorithms that can be used in the development of solutions for resource-constrained environments (devices like smart phones, tablets, etc.), without the need to purchase additional licenses.

Cost Effective

Like the other Luna HSMs, the Luna USB HSM 7 securely stores cryptographic keys in its hardware; sensitive information never leaves the HSM's protection. The Luna USB HSM 7 provides PKCS#11-compliant cryptographic services for applications running on the client in a secure and tamper-proof hardware package. Leveraging a Luna USB HSM 7 in your appliance or service represents a cost-effective way to bring FIPS-validated solutions to market.

Luna Backup HSM

The Luna Backup HSM allows you to back up the objects in your Network, PCIe, or USB application partitions and store the object archive in a secure HSM. Luna Backup HSMs are able to store objects only. They do not provide the ability to access the objects to perform cryptographic operations. See Flexible Backups for more information.

Two versions are available, as detailed in Backup HSM Models.

Comparing the Luna HSM Variants

| Luna Network HSM 7 Appliance | Luna PCIe HSM 7 | Luna USB HSM 7 |
|---|---|---|
| Field-upgradable to 100 partitions | Limited to 1 partition | Limited to 1 partition |
| Includes hardened OS | Compatible with external OS: Windows, Linux | Compatible with external OS: Windows, Linux |
| High security, stable networking, and environmental protection via built-in chassis | Allows custom and flexible chassis intrusion security | Portable, hand-held device with touchscreen PIN entry |
| Routine firmware and software updates | Routine firmware updates | Routine firmware updates |
| Automatic system logging | Light and low-cost | |

With conventional single-partition HSMs, each secure application needs its own device: a database server using an HSM would require one HSM, while a secure website using SSL on the same network would require a second, separate HSM. As the number of secure applications requiring an HSM grows, so does the number of ordinary HSMs deployed. The Luna Network HSM 7 bypasses this limitation by implementing multiple virtual HSMs, or HSM partitions, on a single HSM server. A Luna PCIe HSM 7 is useful for cases that need limited, but highly secure, data protection. A Luna Network HSM 7 and its appliance are useful for cases that require a more complex security infrastructure, like cloud computing.

Luna HSM Models

Both the Luna Network HSM 7 and the Luna PCIe HSM 7 come in different models with different performance capabilities. Which one you choose to use will depend on your organization's security needs.

NOTE   The FIPS levels below indicate the standard to which the product is designed. Always confirm the HSM certification status before deploying an HSM in a regulated environment.

Luna A (password-authenticated, FIPS Level 3) Models

Luna A models offer secure storage of your cryptographic information in a controlled and easy-to-manage environment. Luna A models protect your proprietary information by using password authentication. Depending on your needs, Luna A models are available at several performance levels, as follows:

| Model | Luna Network HSM 7 | Luna PCIe HSM 7 |
|---|---|---|
| Luna A700 | Standard performance; 2MB memory; Password-based authentication; 5 partitions | Standard performance; 2MB memory; Password-based authentication |
| Luna A750 | Enterprise-level performance; 16MB memory; Password-based authentication; 5 partitions, upgradable to 20 | Enterprise-level performance; 16MB memory; Password-based authentication |
| Luna A790 | Maximum performance; 32MB memory; Password-based authentication; 10 partitions, upgradable to 100 | Maximum performance; 32MB memory; Password-based authentication |

Luna S (multifactor quorum-authenticated, FIPS Level 3) Models

Luna S models offer secure storage of your cryptographic information in a controlled and highly secure environment. Luna S models protect your proprietary information by using multifactor quorum (PED) authentication. Depending on your needs, Luna S models are available at several performance levels, as follows:

| Model | Luna Network HSM 7 | Luna PCIe HSM 7 |
|---|---|---|
| Luna S700 | Standard performance; 2MB memory; Multifactor Quorum authentication; 5 partitions | Standard performance; 2MB memory; Multifactor Quorum authentication |
| Luna S750 | Enterprise-level performance; 16MB memory; Multifactor Quorum authentication; 5 partitions, upgradable to 20 | Enterprise-level performance; 16MB memory; Multifactor Quorum authentication |
| Luna S790 | Maximum performance; 32MB memory; Multifactor Quorum authentication; 10 partitions, upgradable to 100 | Maximum performance; 32MB memory; Multifactor Quorum authentication |

Backup HSM Models

Backup HSMs offer secure backups of your Luna HSM user partitions. They can be initialized in either multifactor quorum-authenticated or password-authenticated mode:

>multifactor quorum-authenticated backup HSMs can back up multifactor quorum-authenticated partitions.

>password-authenticated backup HSMs can back up password-authenticated partitions.

Two versions are available:

>the Luna Backup HSM G5 desktop model

>the Luna Backup HSM 7, available in the following models. Each model can back up as many as 100 partitions. In-field storage upgrades are not available.

| Model | Storage | Partitions |
|---|---|---|
| B700 | 32 MB | Up to 100 partitions of the same authentication type |
| B750 | 128 MB | Up to 100 partitions of the same authentication type |
| B790 | 256 MB | Up to 100 partitions of the same authentication type |

Luna HSM Features

Luna HSMs have a variety of features that distinguish them, as summarized below:

Security

Luna HSMs are designed and manufactured to high security standards, to comply with FIPS Level 3 and Common Criteria certifications, and updated validations are sought whenever major changes/improvements are introduced. Luna HSMs protect your data from unwanted tampering with secure anti-intrusion and vulnerability detection mechanisms.

See Security for details.

Redundancy

Luna HSMs are equipped with physical features and configurations that enable auto-recovery of your HSMs.

See Redundancy and Reliability for details.

Access control

Luna HSM products offer multiple identities, some mandatory and some optional, that you can invoke in different ways to map to roles and functions in your organization.

See User Access Control for details.

Authentication

Luna Network HSM 7s and Luna PCIe HSM 7s are factory-configured to be either:

>password-authenticated (single-factor authentication)

>multifactor quorum-authenticated (physical PED key authentication with option for quorum authentication)

The Luna USB HSM 7 can be initialized using either method, to be compatible with your existing Luna HSM deployment.

See Authentication for details.

Capabilities and policies

Luna HSMs, and the partitions within them, are characterized by capabilities that are set at the factory or added by means of capability updates. Some capabilities have corresponding policies that you can set to adjust them.

See Capabilities and Policies for details.

Backups

Luna HSMs contain sensitive material whose loss could be detrimental. The Luna Backup HSM and Remote Backup Service securely back up and store this material so that it can be restored if the primary HSM fails.

See Flexible Backups for details.

Logging and reporting

Luna HSMs are equipped with performance monitoring and audit logging features to monitor security and provide audits of HSM activity.

See Logging and Reporting for details.

Functionality Modules

Functionality Modules (FMs) consist of your own custom-developed code, loaded into and operating within the logical and physical security of a Luna PCIe HSM 7 as part of the HSM firmware. FMs allow you to customize your Luna PCIe HSM 7's functionality to suit the needs of your organization.

See Functionality Modules for details.