UC 10.5.0 will be available in production by 09/09/2022.

Universal Cloning (CPv4) will be a supported feature in UC 10.5.0 but only when used with Firmware 2.0. Universal Cloning can be used for key migration to any trusted Thales HSMs that also support the Universal Cloning protocol.

In order to use the Universal Cloning feature, the following must be true:

• you have a Luna Client at version UC 10.5.0 or newer
• you have Firmware at version 2.0 or newer
• the source partition's security policy allows cloning of private and secret keys

NOTE: You can only clone between initialized partitions, and they must have the same cloning domain (secret), which is provided at the time of initialization.

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients as of August 16th.

A knowledge base article with a full description of the change is available here. The article contains important information on mandatory changes for users on 10.0 or 10.1 client versions.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80.

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change in August 2022 to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl

Thales Data Protection on Demand now collects audit logs for Luna Cloud HSM Services using client version 10.2 and newer. Users can generate audit log files and retrieve signed URLs for access to the audit log files using the Audit Query API /v1/audit-log-exports endpoint. Audit logs provide a record of the outcome of an action by an actor on a resource. 

For more information about Audit Logging see About the Audit Log API. 

Additional Fields are now Mandatory for Tenant Registration

The following fields are now mandatory for tenant registration:

• Address
• City
• ZIP Code
• State/Province/Region*

* Mandatory if Country is set to United States, Canada, or Australia

Version 10.4.1 of the Luna HSM client is now available for download from the Thales Customer Support Portal.  This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the Luna Cloud HSM Client User Guide.

• Download Luna HSM Client 10.4.1 for Windows
• Download Luna HSM Client 10.4.1 for Linux

Added

• Luna HSM Client 10.4.1 allows you to initialize a Luna Cloud HSM service using a domain secret imported from a red PED key. This allows you to clone objects between PED-authenticated Luna HSM partitions and Luna Cloud HSM enabling cloud backups and improving availability by adding Luna Cloud HSM to your HA groups. See Initializing a Luna Cloud HSM Service for more information.

Added

The Thales Luna Cloud HSM service is now available through Google Cloud Marketplace. Provisioning a Luna Cloud HSM service through Google Cloud Marketplace automatically generates a Thales Data Protection on Demand (DPoD) tenant and registers the user as the primary tenant administrator. The DPoD tenant provides access to features such as reporting and user and account management.

See the Thales Luna Cloud HSM service and Thales Data Protection on Demand documentation for more information.

The authentication method used by the 10.0 and 10.1 version of the Luna Cloud HSM client is being deprecated. Clients using this authentication will no longer be supported by the Luna Cloud HSM service after December 31, 2021. 

We recommend you upgrade your client to the latest version at your earliest convenience. See Upgrading your client for more information.

Added:

Thales Data Protection on Demand can support requests to restore a Luna Cloud HSM Service partition to a previous state. 

Partition snapshots are taken daily and stored for 7 days. A tenant administrator can submit a partition snapshot restore request to have a partition restored to a previous state. Users can request restoration of a partition to recover from catastrophic events such as accidental zeroization of the service partition. Partition rollbacks can take up to 48 hours to complete.

Restoring a partition will undo any changes made to the service partition since the backup date, this includes removing new objects from the service partition and resetting password changes. 

Please download and complete the Partition Snapshot Restoration Request Form and include it in your support request to Thales Customer Support Portal. 

See the Partition Snapshot Restoration Guide for more information.

CipherTrust Key Broker for Google Cloud EKM service users can now access their DPoD platform tenant. Users can log in to their tenant hostname URL to access DPoD platform features such as User Management, Tenant Management, and Reporting.

CipherTrust Key Broker for Google Cloud EKM service tenants do not have access to tenant features such as Subscriber Groups or Adding Services.

Added

Data Protection on Demand sends an email alert on service creation. Tenant Administrators and Application Owners in the subscriber group where the service is created receive an email alert on service creation.