Luna Cloud HSM Releases 10.8.0 Luna Client


The Luna Cloud HSM client bundle is updated to include the 10.8.0 Universal Client. Users are encouraged to upgrade to this latest client version and ensure it is supported in accordance with the Universal Client Supported Versions with Luna Cloud HSM table.

See Upgrade Client for more information about upgrading your client.

Changed 

The `AuthTokenConfigURI` parameter in the Chrystoki.conf and crystoki.ini configuration files is updated to reference directly the updated endpoint that results from the migration to the One Welcome Identity Platform.

Client version 10.8.0 will be required for hybrid HA group operations between Luna Network HSM and Luna Cloud HSM when the Luna Cloud HSM service is upgraded to FW 3.0.

Bugs fixed 

Resolved an issue in the 10.7.2 client where the command cmu verifyhsm fails. 

Resolved an issue with previous versions of the support tools "lch-support-linux-64bit" and "lch-support-win-64bit" that reported false failures caused by differences with the One Welcome Identity Platform.


Luna Cloud HSM Firmware 3.0 Upcoming Changes

Firmware 3.0 will be released from Thales Data Protection on Demand for Luna Cloud HSM services in two stages.

The first release of Firmware 3.0 will be available by the end of the second half of 2025 and will be a non-FIPS release.

The second release of Firmware 3.0 will be available by the end of the second half of 2026 and will be a FIPS certified release.

See Firmware 3.0 CRN for more information about the new features and enhancements for firmware 3.0. Due to new requirements in the FIPS 140-3 certification, there are numerous changes incorporated with this release.

Added 

Hybrid with Luna On-Prem

-> After upgrading to FW 3.0, Hybrid HA operations with a Luna Network HSM will require Luna Client UC10.8.0 or higher. Using a client version prior to 10.8.0 will result in CKR_FUNCTION_NOT_SUPPORTED being returned when attempting to log in to a Hybrid HA group.

Deprecation of CPv1 Cloning

-> CPv1 has been removed from FIPS firmware support as it is no longer compliant with FIPS 140-3. Because this only affects FIPS mode, all affected users should use CPv4 or transition the service to non-FIPS mode.

ECC Curves

-> The user can now update the ECC curves without disabling the policy on FW upgrade if the module is configured in ‘FIPS mode’.

Changes due to FIPS 140-3 Certification

-> All pre-hashed verify operations will be blocked.

-> RSA-based key transport schemes that use only PKCS#1 v1.5 padding are disallowed, notably the mechanism CKM_RSA_PKCS for encrypt/decrypt/wrap/unwrap. Other mechanisms might now prohibit forward operations (new encryption, signing, or wrapping) while continuing to permit the reverse operations (decrypt/unwrap) to support legacy situations.

-> Signature creation with Curve448 and Curve25519 (ECDH) is blocked.

-> Cloning encryption is now ECC-based (formerly RSA).

-> EFP/EFT is now mandated at Level 3 for FIPS 140-3. 

-> New restrictions have been added to some mechanisms when the HSM is in FIPS mode. (See Firmware 3.0 CRN for the complete list.)

Error Messages

The following error messages appear when "partition showinfo" is run in lunacm:

  • 0x82 (CKR_OBJECT_HANDLE_INVALID)
  • SMK OUIDs are not available

These messages appear in FW 3.0 but do not affect the performance of the release. They did not appear in previous FW releases.

Migration to Thales OneWelcome Identity Platform - Migration Complete for Europe Region

Thales Data Protection on Demand has updated the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome Identity Platform in the Europe region. The North America region was migrated on February 22nd, 2025.

This update enables the platform to provide modern authentication options to users while simplifying logins for users that manage multiple tenants on the platform. Feature updates include: 

  • Improved login flow 
  • Improved registration flow 
  • Improved user account management flows 
  • Added method to switch between tenants 
  • Removed vanity URLs from tenants 
  • Removed vanity service provider registration pages 

North America users can now access DPoD through the login portal at https://welcome.dpondemand.io. You will need to register a new MFA token on the initial login.  

We recommend that all Luna Cloud HSM users download a new client to ensure continued connection and performance following the migration. For more information see Upgrade Client. If you have additional questions about the migration see the DPoD IDP Migration FAQ. 

Please be aware of the following known issue when using the new login portal: 

Issue: During the login process TOTP authentication can fail and the error message: "Service temporarily unavailable, please try again later" displays.  
Workaround: Click Go back in the user interface and re-enter the TOTP or enter a new TOTP.

Migration to Thales OneWelcome Identity Platform - Migration Complete for North America Region

Thales Data Protection on Demand has updated the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome Identity Platform in the North America region. The Europe region will be migrated on March 8th, 2025.

This update enables the platform to provide modern authentication options to users while simplifying logins for users that manage multiple tenants on the platform. Feature updates include: 

  • Improved login flow 
  • Improved registration flow 
  • Improved user account management flows 
  • Added method to switch between tenants 
  • Removed vanity URLs from tenants 
  • Removed vanity service provider registration pages 

North America users can now access DPoD through the login portal at https://welcome.dpondemand.io. You will need to register a new MFA token on the initial login.  

We recommend that all Luna Cloud HSM users download a new client to ensure continued connection and performance following the migration. For more information see Upgrade Client. If you have additional questions about the migration see the DPoD IDP Migration FAQ. 

Please be aware of the following known issue when using the new login portal: 

Issue: During the login process TOTP authentication can fail and the error message: "Service temporarily unavailable, please try again later" displays.  
Workaround: Click Go back in the user interface and re-enter the TOTP or enter a new TOTP.

Migration to Thales OneWelcome Identity Platform - Migration Dates

Thales is changing the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome Identity Platform. This enables the platform to provide modern authentication options to users as well as simplifying logins for users that manage multiple tenants on the platform.

Thales will migrate each region per the schedule below.

  • North America: February 22, 2025
  • Europe: March 8, 2025

A maintenance window with exact timing for the migrations and service impacts will be shared through the DPoD Status Page. We recommend subscribing to the status page to be notified of any updates or schedule changes.

After the migration DPoD will be accessible through the new login URL - https://welcome.dpondemand.io, and users will receive instructions to register a new MFA OTP with their device on their first login.

If you have additional questions regarding the IDP migration to One Welcome, please consult the DPoD IDP Migration FAQ on thalesdocs.com. 

DPoD IDP Migration and Luna Cloud HSM Client Network Connectivity

Early in 2025, Thales Data Protection on Demand (DPoD) will change the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome. To ensure continued network connectivity between your Luna Cloud HSM client and the service partition, update your include lists to allow the Thales OneWelcome fully qualified domain names. The Luna Cloud HSM data centers use floating IP addresses, so accessing the services through static or hardcoded IP addresses is not supported.

For more information about the IDP migration see the DPoD IDP Migration FAQ. For more information about configuring and troubleshooting your client connection see Client Network Connectivity and Troubleshooting the Client Connection.
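The two points above that a client administrator has to verify by hand, that `AuthTokenConfigURI` in Chrystoki.conf or crystoki.ini points at the updated endpoint and that the endpoint is reached through an FQDN on the include list rather than a hardcoded IP, can be checked with a small pre-flight script. This is an added example, not Thales code: the `LunaCloud` section name and the hostnames in the constructed samples are assumptions, and the Chrystoki.conf block syntax (`Section = { key = value; }`) is parsed with a minimal regex rather than the client's own parser.

```python
import configparser
import ipaddress
import re
from urllib.parse import urlparse

# Chrystoki.conf uses "Section = { key = value; }" blocks; crystoki.ini is plain INI.
BLOCK_RE = re.compile(r"^\s*(\w+)\s*=\s*\{", re.M)
ENTRY_RE = re.compile(r"^\s*(\w+)\s*=\s*([^;]+);", re.M)

def parse_chrystoki_conf(text):
    """Return {section: {key: value}} from the Linux block syntax."""
    sections = {}
    for m in BLOCK_RE.finditer(text):
        body = text[m.end():text.index("}", m.end())]
        sections[m.group(1)] = {k: v.strip() for k, v in ENTRY_RE.findall(body)}
    return sections

def parse_crystoki_ini(text):
    """Return {section: {key: value}} from the Windows INI syntax."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so AuthTokenConfigURI is found verbatim
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def find_auth_token_uri(sections):
    # The section holding the parameter is not assumed; every section is searched.
    for values in sections.values():
        if "AuthTokenConfigURI" in values:
            return values["AuthTokenConfigURI"]
    return None

def check_endpoint(uri):
    """Return (ok, reason): endpoint must be https and an FQDN, not an IP literal."""
    if uri is None:
        return False, "AuthTokenConfigURI is not set"
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.hostname:
        return False, "endpoint must be an https URL"
    try:
        ipaddress.ip_address(parsed.hostname)
    except ValueError:
        return True, "allow-list the FQDN " + parsed.hostname
    return False, "hardcoded IP addresses are not supported; use the FQDN"

# Constructed samples; section name and hostnames are placeholders, not real Thales values.
SAMPLE_CONF = "LunaCloud = {\n   AuthTokenConfigURI = https://idp.example.invalid/auth/token;\n}\n"
SAMPLE_INI = "[LunaCloud]\nAuthTokenConfigURI = https://203.0.113.10/auth/token\n"

if __name__ == "__main__":
    print(check_endpoint(find_auth_token_uri(parse_chrystoki_conf(SAMPLE_CONF))))
    print(check_endpoint(find_auth_token_uri(parse_crystoki_ini(SAMPLE_INI))))
```

Run it against the real configuration file after the client upgrade; a `False` result for an IP literal is the case the connectivity note above warns about.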

Public List Pricing Now Available

Thales is pleased to announce that public list pricing for the Data Protection on Demand (DPoD) marketplace is now available. This means you can easily view list prices for our growing range of market-leading Thales Data Security solutions, including Luna HSM, CipherTrust Data Security Platform and payShield HSM. 

Pricing: 

Pricing is available for all Thales services, and the list prices are now visible on the marketplace. For those services that offer more than one plan, the pricing stated includes the basic plan. For partner services, please contact the relevant partners. Please note that our online list pricing is currently displayed in Euros only; other currencies will follow later. Thales continues to offer DPoD services in a range of currencies, and billing and quoting can be completed in your preferred currency. Simply contact us, and we will provide you with a customized quote for your specific needs and location.

Billing Options: 

As a reminder, DPoD offers flexible billing plans to meet your specific data protection needs. Choose from Full Upfront, Annual Upfront and Monthly Arrears billing when quoting DPoD options. 

Try Before You Buy: 

Remember, before you sign up take advantage of our free trials and experience the power of the DPoD marketplace firsthand. Test our solutions without commitment and see how they can help you protect your data. 

For more information see the Thales DPoD Marketplace.

DPoD IDP Migration

Thales Data Protection on Demand (DPoD) will be changing the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome. This update enables the platform to provide modern authentication options as well as simplifying logins for users that manage multiple tenants on the platform. 

For more information about this upcoming change and potential impacts to you please see the DPoD IDP Migration FAQ.
