CipherTrust Data Security Platform as a Service available through DPoD

The CipherTrust Data Security Platform as a Service (CDSPaaS) is now available for provisioning through Thales Data Protection on Demand.

For more information about CDSPaaS see CipherTrust Data Security Platform Services (CDSPaaS).

For more information about provisioning the service and getting started with CDSPaaS see Get Started with CipherTrust Data Security Platform Services.

Added support for additional Key Access Justification reason codes to the Key Broker for Google Cloud EKM service

The DPoD Key Broker for Google Cloud EKM service now supports the following Key Access Justification reason codes:

  • GOOGLE_RESPONSE_TO_PRODUCTION_ALERT
  • MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION

For more information about the service see Key Broker for Google Cloud EKM. For more information about the newly supported codes see Key Access Justification Reason Codes.

Subscriptions visible through the DPoD Portal

Thales Data Protection on Demand has made the following changes to how billing and service subscriptions work in DPoD:

  • The trial state no longer applies to the tenant, tenants are instead entitled to a 30-day evaluation period for each unique DPoD service type. The trial begins when you first create a new DPoD service of a service type and deleting the service does not stop or pause the trial.
  • The Service Elections submission and approval process remains unchanged, but it now triggers the conversion of trial subscriptions to production subscriptions or directly creates production subscriptions. When a service elections form is processed the selected service types become paid subscriptions.
  • Service providers, tenant administrators and application owners can review their subscription data using the Subscriptions tab in the DPoD GUI.
  • All services of a new service type provisioned after April 15th are "Trial" subscriptions, with a 30-day evaluation. 

Tenants that have an accepted Service Elections form will have the following changes: 

  • All paid subscriptions (DPoD Monthly, DPoD Term, Google) will be visible from the Subscriptions tab in the DPoD GUI.
  • All services created before April 15th under a service elections form become "Term" (or "Uncommitted" if the Term is expired) subscriptions.
  • All services created before April 15th and not under a service elections form become "Uncommitted" subscriptions.

Tenants that do not have an accepted Service Elections form will have the following changes:

  • All existing services become "Trial" subscriptions, beginning April 15th, with a 30-day evaluation. 

Note: If your tenant is unable to retrieve and display subscriptions please contact Thales support to resolve the issue. You will be unable to provision new services until the issue is resolved. 

CipherTrust Data Security Platform Beta in EU

The CipherTrust Data Security Platform is now visible in EU tenants as a beta service offering. Access to the beta service is restricted at this time. The beta service is disabled in all tenants that are not participating in the beta.

For more information about registering for the CipherTrust Data Security Platform beta please contact steve.kingston@thalesgroup.com.

Luna Cloud HSM Partition Cloning Fails with the 10.5 Client

Bugs Found 

  • DPS-10104 - Luna Cloud HSM Partition Cloning Fails with the 10.5 Client
    Cloning keys between two Luna Cloud HSM partitions fails when using the 10.5 client. There are currently two possible workaround scenarios.
    -> Workaround #1 - If there is a Luna SA7 (or any other separate device to use as an intermediary for the cloning) then clone to and from that device.
    -> Workaround #2 - If there is no separate device then completely uninstall the 10.5 client and install the 10.4 client from scratch. For this option please raise a support ticket to the Thales Customer Support portal to request to join the 2 partitions together as the 10.4 client does not support dynamic partition loading.
    You can make the request by following this link:
    https://thalesdocs.com/dpod/resources/client_resources/client_connect_to_multiple_services/index.html

Updated Luna Cloud HSM Service Firmware Versions in NA and EU

FW 2.0 has now been FIPS approved. 

The NIST Certificate verifying that FW 2.0 is now FIPS approved can be found in this Cryptographic Module Validation Program link.

The firmware versions for Luna Cloud HSM Services operating in FIPS and non-FIPS NA and EU environments have been updated. The new firmware versions based on region and FIPS mode are as follows:

  • NA FIPS - 2.0
  • NA non-FIPS - 2.0.1
  • EU FIPS - 2.0
  • EU non-FIPS - 2.0.1 

In addition to the new releases, FW 2.0.1 also includes the following bug fixes:

  • LGX-4120 - Ed25519 was failing with CKR_ECC_UNKNOWN_CURVE. Ed25519 no longer fails with CKR_ECC_UNKNOWN_CURVE.
  • LKX-9788 - The DES3-CBC unwrapping mechanism was failing. DES3-CBC no longer fails during unwrapping.

10.5 Luna Cloud HSM Client

Version 10.5 of the HSM client is now available for download from Thales Data Protection on Demand for Luna Cloud HSM services. This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the Luna Cloud HSM Client User Guide. See Upgrade Client for more information about upgrading your client.

Added

Universal Cloning

Universal Cloning (CPv4) will be a supported feature in UC 10.5.0 but only when used with Firmware 2.0. Universal Cloning can be used for key migration to any trusted Thales HSMs that also support the Universal Cloning protocol.

In order to use the Universal Cloning feature, the following must be true:

  • you have a Luna Client at version UC 10.5.0 or newer
  • you have Firmware at version 2.0 or newer
  • the source partition's security policy allows cloning of private and secret keys

NOTE: You can only clone between initialized partitions, and they must have the same cloning domain (secret), which is provided at the time of initialization.

More info can be found here: Universal Cloning

UC Dynamic UserID Loading

As of UC 10.5, the configuration of multiple users will be supported which allows multiple partition slots to be accessed from a single client instance. This allows customers to add multiple Luna Cloud HSM service UserID's (a combination of unique AuthTokenClientID, AuthTokenClientSecret, AuthTokenConfigURI) without the need to restart the application after the addition of a new UserID. This will enable a service provider to configure multiple UserID's without impacting the service any of the other users in the same UC instance.

The ability to load multiple partitions to the same UserID without impacting service to other users will also be supported. If an attempt is made to add the same partition ID to a different user that will be ignored and a Warning log will be generated.

More info can be found here: UC Dynamic UserID

For more information about client features and enhancements and client advisory notes see 10.5 Client Customer Release Notes. See Known and Resolved Issues for more information about existing problems and available workarounds.

Universal Cloning

UC 10.5.0 will be available in production by 09/09/2022.

Universal Cloning (CPv4) will be a supported feature in UC 10.5.0 but only when used with Firmware 2.0. Universal Cloning can be used for key migration to any trusted Thales HSMs that also support the Universal Cloning protocol.

In order to use the Universal Cloning feature, the following must be true:

  • you have a Luna Client at version UC 10.5.0 or newer
  • you have Firmware at version 2.0 or newer
  • the source partition's security policy allows cloning of private and secret keys

NOTE: You can only clone between initialized partitions, and they must have the same cloning domain (secret), which is provided at the time of initialization.

 

Show Previous EntriesShow Previous Entries