The Luna Cloud HSM client bundle is updated to include the 10.8.0 Universal Client. Users are encouraged to upgrade to this latest client version and ensure it is supported in accordance with the Universal Client Supported Versions with Luna Cloud HSM table.

See Upgrade Client for more information about upgrading your client.

Changed 

The `AuthTokenConfigURI` parameter in the Chrystoki.conf and crystoki.ini configuration file is updated to directly reference the updated endpoint that comes as the result of the migration to the One Welcome Identity Platform.

Client version 10.8.0 will be required for hybrid HA group operations between Luna Network HSM and Luna Cloud HSM when the Luna Cloud HSM service is upgraded to FW 3.0.

Bugs fixed 

Resolved an issue in the 10.7.2 client where the command cmu verifyhsm fails. 

Resolved an issue with previous versions of the support tool "lch-support-linux-64bit" and "lch-support-win-64bit" that generated false failures as a result of differences with the One Welcome Identity Platform. 

Firmware 3.0 will be released from Thales Data Protection on Demand for Luna Cloud HSM services in two stages.

The first release of Firmware 3.0 will be available by the end of the second half of 2025 and will be a non-FIPS release.

The second release of Firmware 3.0 will be available by the end of the second half of 2026 and will be a FIPS certified release.

See Firmware 3.0 CRN for more information about the new features and enhancements for firmware 3.0. Due to new requirements in the FIPS 140-3 certification there are numerous changes incorporated with this release. 

Added 

Hybrid with Luna On-Prem

-> After upgrading to FW 3.0, Hybrid HA operations with a Luna Network HSM will require Luna Client UC10.8.0 or higher. Using a client version prior to 10.8.0 will result in CKR_FUNCTION_NOT_SUPPORTED returned when attempting to login to a Hybrid HA group.   

Deprecation of CPv1 Cloning

-> CPv1 has been removed from FIPS firmware support as it is no longer compliant with 140-3. As this only affects FIPS mode, all affected users should use CPv4 or transition service to non-FIPS mode.

ECC Curves

-> The user can now update the ECC curves without disabling the policy on FW upgrade if the module is configured in ‘FIPS mode’.

Changes due to FIPS 140-3 Certification

-> All pre-hashed verify operations will be blocked.

-> RSA-based key transport schemes that use only PKCS#1-v1.5 padding are disallowed, notably the mechanism CKM_RSA_PKCS for encrypt/decrypt/wrap/unwrap. Other mechanisms might now prohibit forward operations (new encryption or signing or wrapping,) while continuing to permit others (decrypt/unwrap) to support legacy situations. 

-> Signature creation for Curve448 and Curve25519 (ECDH) are blocked.

-> Cloning encryption is now ECC-based (formerly RSA).

-> EFP/EFT is now mandated at Level 3 for FIPS 140-3. 

-> New restrictions have been added to some mechanisms when the HSM is in FIPS mode. (See Firmware 3.0 CRN  for complete list.)

Error Messages

The following error messages are appearing when "partition showinfo" is run in lunacm:
0x82 (CKR_OBJECT_HANDLE_INVALID)
SMK OUIDs are not available
These errors are appearing in FW 3.0 however it does not affect the performance of the release. This has not appeared in previous FW releases.

Plugin version 2.5.0 with the HSM client 10.7.2 is now available for download from Thales Data Protection on Demand for Luna Cloud HSM services.

See Upgrade Client for more information about upgrading your client.

Users are encouraged to upgrade to this latest client version and ensure it is supported in accordance with the Universal Client Supported Versions with Luna Cloud HSM table.

Added 

Luna client uses the existing config file

Customers can use the client without having to configure the "ChrystokiConfigurationPath" environment variable first.

Grouping startup for P11 commands in the plugin

The client startup time was very slow. To address this issue we now group the P11 commands together and send them as one to reduce the turnaround time.

Changed

- Using 10.7.2 or higher, users are no longer required to run setenv to configure the client to connect to the Luna Cloud HSM Service. However, setenv may still be used to configure the client for hybrid use cases or integrations where setting the ChrystokiConfigurationPath is required.
Please see Unpack the client for more information.

- Users can connect to a Luna Cloud HSM service by running the Luna Client in a docker container.
Please see Create a Docker Container to Access a Luna Cloud HSM Service for more information.

- A number of enhancements has been added to the LCH support tool. 
The support tool now creates an output file containing additional logging generated by running lunacm. It will also tell you the file was created, its name and the amount of time taken to run each test.
Please see Client connectivity support tool for more information.

Thales Data Protection on Demand (DPoD) audit logs for Luna Cloud HSM and CipherTrust Data Security Platform as a Service (CDSPaaS) service instances are now available through the tenant user interface. You can generate, review, and download audit logs for services in your tenant using your tenants Logs page. For more information about viewing and downloading audit logs through the tenant user interface see Audit Logging.

In advance of upcoming enhancements to Luna Cloud HSM we wish to remind our customer base that client versions 10.2, 10.3 and 10.4 are no longer supported by the service and must be upgraded.

Although these client versions will continue to function today, future upgrades to the Cloud HSM Service will render them inoperable.

Users must upgrade to a supported client version before August 27, 2024.

Full instructions for upgrading the client can be found in the thalesdocs.com documentation; https://thalesdocs.com/dpod/services/luna_cloud_hsm/client/upgrade/index.html

For more details please visit our Customer Support Portal.

Version 10.7.1 of the HSM client is now available for download from Thales Data Protection on Demand for Luna Cloud HSM services. This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the Luna Cloud HSM Client User Guide. See Upgrade Client for more information about upgrading your client.

Users are encouraged to upgrade to this latest client version and ensure it is supported in accordance with the Universal Client Supported Versions with Luna Cloud HSM table.

Added 

Update of Client Private Key Encryption Algorithm

The private key encryption algorithm used in NTLS connections, is upgraded from TDES/DES3 to AES-256-CBC.

FW 2.0.5 has been released to all production environments. This release resolves the issue with restoring Luna Cloud HSM backups from a Luna USB Backup HSM.

The new firmware versions based on region and FIPS mode are as follows: 

• NA FIPS - 2.0.5
• NA non-FIPS - 2.0.5
• EU FIPS - 2.0.5
• EU non-FIPS - 2.0.5

Added 

Luna Cloud HSM Backup

The issue with restoring Luna Cloud HSM backups from a Luna USB Backup HSM has been rectified with FW 2.0.5.

The Luna Cloud HSM for DKE service is now available for trial and subscription. 

Provision the service through your Thales DPoD Tenant to access a Luna Cloud HSM partition and the Luna Key Broker for Microsoft DKE service software. Use the service software to create a Microsoft DKE endpoint by running the included container and connecting the Luna Cloud HSM service for secure storage of DKE cryptographic keys. 

See the Luna Cloud HSM for DKE documentation for more information about provisioning and configuring the service.

Thales Data Protection on Demand launched the DPoD Public Marketplace. The public marketplace is available at https://market.dpondemand.io.

The following public marketplace endpoints are now available:

• GET /service_types
• GET /service_types/ {id}
• GET /service_categories
• GET /service_categories/{id}

For more information about the DPoD API see Using the API and the DPoD Platform API.

The CipherTrust Data Security Platform as a Service (CDSPaaS) is now available for provisioning through Thales Data Protection on Demand.

For more information about CDSPaaS see CipherTrust Data Security Platform Services (CDSPaaS).

For more information about provisioning the service and getting started with CDSPaaS see Get Started with CipherTrust Data Security Platform Services.