Thales PKI & Key Management Solutions (Luna HSM, CipherTrust, DPoD)

We design and deliver PKI and encryption architectures with Thales technologies to protect keys, enforce strong authentication, and secure data across on‑prem, cloud, and hybrid estates. Our deployments span Luna HSMs, Luna Cloud HSM via Data Protection on Demand (DPoD), and the CipherTrust Data Security Platform for enterprise key management and data protection.

Why SafeCipher for Thales (Outcomes)

  • Stronger key custody: HSM‑backed CA roots/issuers; BYOK and geo‑fenced residency
  • Fewer outages: automated certificate renewal pipelines, OCSP/CRL SLOs
  • Audit‑ready: ceremony packs, CP/CPS updates, logging/monitoring standards
  • Cloud‑ready: hybrid models with on‑prem roots and cloud issuing backed by Luna/DPoD

Thales Product Portfolio We Implement (PKI, HSM, Key Management)

Luna Network HSM 7 (On‑Prem Hardware Security Module)

High‑assurance, network‑attached HSM for CA keys, code signing, and high‑volume TLS.
  • Root/issuing CA key generation and protection
  • Dual control (M of N), tamper‑resistant design, FIPS 140‑3 validated variants
  • Integrations with AD CS, EJBCA, DigiCert/Entrust/GlobalSign/Sectigo

Luna Cloud HSM (via Data Protection on Demand – DPoD)

HSM as a Service delivering partitions for cryptographic operations and key storage.
  • Rapid provisioning, elastic capacity, dedicated partitions
  • Residency controls and API access for CI/CD and PKI workloads
  • Ideal for cloud issuing CAs, code signing farms, and secrets protection

CipherTrust Manager (Enterprise Key Management)

Centralised key management for apps, databases, files, clouds and HSMs.
  • Central key lifecycle (create, rotate, retire), policies and access control
  • Integrates with Luna HSM or AWS CloudHSM as the hardware root of trust, with cloud KMS services, and with app/database encryption
  • Anchor for CipherTrust Data Security Platform capabilities

CipherTrust Data Security Platform (Encryption & Tokenization)

Unifies data discovery/classification with encryption, tokenization, and access controls.
  • Transparent encryption for files/volumes/DBs
  • Tokenization/format‑preserving encryption for PII/PCI data
  • Data discovery for GDPR/PCI/NIS2 readiness

Architecture Patterns (How We Design It)

  • Offline root + Luna HSM for key ceremonies; issuing CAs backed by Luna or Luna Cloud HSM
  • Hybrid PKI: on‑prem roots, cloud issuing (AKS/EKS/GKE) with DPoD partitions
  • Code signing at scale: HSM‑backed signing keys, attestation, notarisation pipelines
  • Kubernetes mTLS: cert‑manager, SPIFFE/SPIRE options, short‑lived cert rotation

Integrations (Where It Connects)

  • CAs/PKI: Microsoft AD CS, EJBCA, DigiCert/Entrust/GlobalSign/Sectigo, AWS PCA, Google CAS
  • Cloud/KMS: Azure Key Vault/Managed HSM, AWS KMS/CloudHSM, GCP KMS
  • Edge/Network: F5, Nginx, HAProxy, IIS/Apache, Citrix ADC
  • DevOps/Supply Chain: GitHub/GitLab/Azure DevOps, Terraform/Ansible, HashiCorp Vault

Governance & Compliance (Making It Auditable)

  • CP/CPS authoring & maintenance, Key Management Standard (algorithms, sizes, validity)
  • Ceremonies: Root Key Generation (RKG), backup/restore SOPs, custody forms
  • Monitoring: signed audit logs, issuance SLOs, CRL/OCSP health; SIEM dashboards
  • Regulatory alignment: GDPR/UK GDPR, NIS2, PCI DSS 4.0, ISO 27001; FIPS 140‑3 where mandated
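Two of the items above carry technique rather than policy: the offline root with an HSM‑backed issuing CA (Architecture Patterns) and the CRL health check under Monitoring. The script below is an added worked example, not SafeCipher's or Thales' code, built on the stock openssl CLI. Software key files stand in for Luna/DPoD partitions (a real build would address the CA keys through the Luna PKCS#11 library instead of -keyout/-CAkey files); the names Example Offline Root CA, Example Issuing CA 1, svc.example.internal and the 0x1000 starting CRL number are illustrative.

```shell
#!/bin/sh
# Added example (not SafeCipher's or Thales' code): two-tier PKI with the openssl
# CLI. Offline root -> issuing CA -> 48 h leaf, CRL publication, revocation and a
# CRL-freshness check. Software key files stand in for Luna/DPoD partitions; all
# names are illustrative.
set -eu

# One openssl config for every step: req DN stub, extension profiles, [ca] for CRLs.
write_config() {
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_issuing]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:svc.example.internal
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca]
default_ca = issuing_ca
[issuing_ca]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = newcerts
certificate = issuing.crt
private_key = issuing.key
default_md = sha256
default_crl_days = 7
EOF
}

# Sign a fresh CRL from the issuing CA in dir $1, valid $2 days; CRL number increments.
publish_crl() (
    cd "$1" && openssl ca -config pki.cnf -gencrl -crldays "$2" -out issuing.crl 2>/dev/null
)

# Build the hierarchy under $1 and publish the first CRL (number 0x1000).
build_two_tier_pki() (
    mkdir -p "$1/newcerts" && cd "$1" && write_config
    # Offline root: self-signed, pathlen:1, keyCertSign/cRLSign only.
    openssl req -x509 -config pki.cnf -extensions v3_root -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj '/CN=Example Offline Root CA' \
        -keyout root.key -out root.crt 2>/dev/null
    # Issuing CA: CSR signed by the root at the ceremony, pathlen:0.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=Example Issuing CA 1' -keyout issuing.key -out issuing.csr 2>/dev/null
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile pki.cnf -extensions v3_issuing -out issuing.crt 2>/dev/null
    # Leaf: 48 h lifetime, so renewal automation rather than revocation is the norm.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=svc.example.internal' -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
        -days 2 -sha256 -extfile pki.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null
    : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
    publish_crl . 7
)

# Chain build from the trusted root with CRL checking: prints valid or rejected.
check_leaf() (
    cd "$1"
    if openssl verify -crl_check -CAfile root.crt -CRLfile issuing.crl \
         -untrusted issuing.crt leaf.crt >/dev/null 2>&1
    then echo valid; else echo rejected; fi
)

# CRL-freshness SLO: is the published CRL still valid $2 hours from now? Uses
# verify's -attime instead of parsing dates; the probe cert must outlive the horizon.
crl_fresh_for_hours() (
    cd "$1"
    if openssl verify -attime "$(( $(date +%s) + $2 * 3600 ))" -crl_check -CAfile root.crt \
         -CRLfile issuing.crl -untrusted issuing.crt leaf.crt >/dev/null 2>&1
    then echo fresh; else echo stale; fi
)

# Published CRL number (hex), so a monitor can spot a CDP still serving an old CRL.
crl_number() (
    cd "$1" && openssl crl -in issuing.crl -noout -crlnumber | sed 's/^crlNumber=//'
)

# Revoke the leaf for key compromise and publish the CRL carrying the entry;
# openssl ca adds serials it has not seen to index.txt before marking them revoked.
revoke_leaf() (
    cd "$1" && openssl ca -config pki.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
    publish_crl . 7
)

# Stand-alone run: prints "valid" then "rejected".
d=$(mktemp -d); build_two_tier_pki "$d"; check_leaf "$d"; revoke_leaf "$d"; check_leaf "$d"; rm -rf "$d"
```

The freshness check leans on openssl verify's own clock handling: verifying a known‑good certificate at now + SLO fails with "CRL has expired" when the next CRL is due inside the SLO window, which is exactly the condition a CRL/OCSP health monitor should page on. In production the same two checks (verifies at the SLO horizon, CRL number strictly increasing) run against the published CDP URL rather than a local file, and the issuing CA's signing key never leaves the Luna/DPoD partition.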

Use Cases We Deliver (End‑to‑End)

  • Enterprise PKI: roots/issuers on Luna; automated discovery/renewals; migration from legacy
  • Strong authentication: EAP‑TLS for Wi‑Fi/VPN; certificate‑based authentication (CBA) for portals; FIDO2/WebAuthn alongside certs
  • Digital signing: code and document signing with HSM key custody, long‑term validation (LTV) and timestamping authority (TSA) design
  • Secrets & data protection: application/DB encryption with keys governed in CipherTrust Manager

Our Shortcodes (for Clear Requests)

  • TH‑LUNA → Thales Luna Network HSM 7 (on‑prem)
  • TH‑LUNA‑CLOUD → Luna Cloud HSM (DPoD)
  • TH‑CT‑MGR → CipherTrust Manager (EKM)
  • TH‑CT‑DSP → CipherTrust Data Security Platform

Example: TH‑LUNA/KF‑EJBCA/Root‑RKG/v1 or TH‑LUNA‑CLOUD/AWS‑PCA/CodeSign‑Std/PROD

Deliverables (What You Get)

  • HLD/LLD with network & zoning, policy packs, template standards
  • Build: Luna initialization/partitioning, DPoD tenancy, CipherTrust Manager deployment
  • Runbooks: issuance, renewal, revocation, code signing, DR
  • Evidence: ceremony packs, audit logs, compliance traceability matrix

FAQ: Thales PKI — Common Questions

Do we need on‑prem or cloud HSMs? Choose Luna for on‑prem assurance or DPoD for rapid scale; we often mix both in hybrid PKI.

Can CipherTrust Manager replace cloud KMS? Usually it sits alongside it: CipherTrust Manager centralises key lifecycle and policy and integrates with cloud KMS and HSMs, so the design question is which keys stay native to the cloud KMS and which are governed centrally. We define that boundary with you.

Is FIPS 140‑3 required? Only in certain sectors; we document your position and select validated models when needed.

Fastest win? Start with issuing CA keys on Luna/DPoD and automate renewals for top domains; add code signing hardening next.

Get Started (Assessment → Pilot → Scale)

  1. Inventory & gap analysis of keys, certs, apps and data stores
  2. Pilot: move one CA or signing workload onto Luna/DPoD; deploy CipherTrust Manager
  3. Scale: automate renewals, standardise policies, and roll out data‑at‑rest protection