Thales SafeNet — Luna Network HSM
Common Models
- Luna Network HSM 7 (current family; multiple performance tiers), with PCIe, USB and Backup HSM form factors in the same generation (source: thalesdocs.com).
FIPS Status
- Luna 7 family (Network, PCIe, USB, Backup): FIPS 140-3 Level 3 validated; earlier Luna K7 firmware was validated to FIPS 140-2 Level 3. Validation is tied to the specific firmware versions listed on the CMVP certificate, so upgrading to a firmware version that is not yet listed takes the unit out of validated status until that version is added. We deploy in the FIPS-approved configuration (the HSM-level policy that allows non-FIPS algorithms disabled, so partitions expose only approved mechanisms) and manage firmware life-cycle controls so you stay on a listed version (sources: NIST CSRC; Thales; data-protection-updates.gemalto.com).
PQC (Post-Quantum) Support
- Mechanism: PQC ships as an optional Luna Functionality Module (FM) that adds quantum-safe algorithms inside the HSM boundary, with application integrations (OpenSSL 3.2+) (source: thalesdocs.com). Before relying on the FM for a compliance claim, check the certificate's security policy to confirm whether the FM-provided algorithms are inside the validated configuration.
- Algorithms: NIST-standard ML-KEM (Kyber; FIPS 203) and ML-DSA (Dilithium; FIPS 204) on current Luna 7 firmware streams; Thales collateral also references SPHINCS+ (standardized as SLH-DSA in FIPS 205) and Falcon (in NIST's pipeline as FN-DSA) for crypto-agility where appropriate. We design dual-stack rollouts so classical (RSA/ECDSA) and PQC keys live side by side during migration, with PQC enabled per consumer rather than fleet-wide so a rollback never touches the classical path (source: Thales).
Dual Private-Key Format Support (Seed vs Expanded)
- Context: FIPS 203/204 key generation is deterministic, so a PQC private key has two representations: a compact seed (32 bytes for ML-DSA, 64 bytes for ML-KEM) and the expanded key derived from it (ML-KEM decapsulation keys of 1,632/2,400/3,168 bytes for ML-KEM-512/768/1024; ML-DSA signing keys of 2,560/4,032/4,896 bytes for ML-DSA-44/65/87). The IETF LAMPS drafts for ML-KEM and ML-DSA define the PKCS#8 private-key encoding as a choice of seed, expanded key, or both, and favour the seed form for portability and safe backup; a PKCS#12 container carries that PKCS#8 structure unchanged.
- What we implement on Luna 7:
  - Seed custody inside the HSM: Store seeds as high-assurance key objects; control export with dual control/split knowledge and partition policies.
  - Deterministic re-derivation in hardware: Materialize expanded keys from seeds inside the Luna partition for signing/KEM, avoiding persistent storage of large keys when not required; because derivation is deterministic, the seed alone is a complete backup of the key.
  - Expanded-key import and lifecycle: When applications need expanded keys, we import or wrap them into the FIPS-approved configuration and apply labelling, rotation and archival policies (source: thalesdocs.com). A pre-import check that the blob's form and length match the parameter set catches mislabelled or truncated keys before they enter the partition.
  - Backup and portability: HSM-wrapped seed objects (and, if necessary, expanded keys) with tamper-evident ceremonies; runbooks to move from traditional PFX to seed-centric custody as the IETF seed-form private-key encodings finalize.
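As an added example (not SafeCipher's or Thales's code), the following Python classifies an ML-KEM or ML-DSA PKCS#8 private key as seed-form, expanded-form or both before it is wrapped for backup or imported into a partition, validates the sizes against the parameter set, and enforces a seed-only export policy. It assumes the private-key CHOICE shape from the IETF LAMPS drafts for ML-DSA and ML-KEM certificates at the time of writing (seed as `[0] IMPLICIT OCTET STRING`, expanded key as `OCTET STRING`, both as a SEQUENCE of the two), the NIST CSOR algorithm OIDs, and the key sizes from FIPS 203/204; re-check the tags against the published RFCs before relying on them. The seeds and expanded keys used as input are constructed placeholders of the right length, not real keys, and the function names (`encode_private_key`, `classify_private_key`, `seed_only_ok`) are this example's own.

```python
"""Classify ML-KEM / ML-DSA PKCS#8 private keys as seed, expanded, or both.

Added example; assumes the LAMPS draft CHOICE shape (see lead-in):
    PrivateKey ::= CHOICE {
        seed        [0] IMPLICIT OCTET STRING,   -- 32 (ML-DSA) / 64 (ML-KEM) bytes
        expandedKey     OCTET STRING,            -- FIPS 204 sk / FIPS 203 dk
        both            SEQUENCE { seed OCTET STRING, expandedKey OCTET STRING } }
carried in the privateKey OCTET STRING of an RFC 5958 OneAsymmetricKey.
"""
from typing import Optional

# DER of the NIST CSOR OIDs (assumed), with seed and expanded-key sizes from FIPS 204 / FIPS 203.
ALGORITHMS = {
    "ML-DSA-44":   (bytes.fromhex("0609608648016503040311"), 32, 2560),
    "ML-DSA-65":   (bytes.fromhex("0609608648016503040312"), 32, 4032),
    "ML-DSA-87":   (bytes.fromhex("0609608648016503040313"), 32, 4896),
    "ML-KEM-512":  (bytes.fromhex("0609608648016503040401"), 64, 1632),
    "ML-KEM-768":  (bytes.fromhex("0609608648016503040402"), 64, 2400),
    "ML-KEM-1024": (bytes.fromhex("0609608648016503040403"), 64, 3168),
}
_BY_OID = {oid: name for name, (oid, _, _) in ALGORITHMS.items()}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, end_offset) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def encode_private_key(alg: str, seed: Optional[bytes] = None,
                       expanded: Optional[bytes] = None) -> bytes:
    """Build a PrivateKeyInfo (version 0) in seed, expanded or both form."""
    oid, seed_len, exp_len = ALGORITHMS[alg]
    if seed is not None and len(seed) != seed_len:
        raise ValueError(f"{alg}: seed must be {seed_len} bytes")
    if expanded is not None and len(expanded) != exp_len:
        raise ValueError(f"{alg}: expanded key must be {exp_len} bytes")
    if seed is not None and expanded is None:
        choice = _tlv(0x80, seed)                     # [0] IMPLICIT OCTET STRING
    elif expanded is not None and seed is None:
        choice = _tlv(0x04, expanded)                 # OCTET STRING
    elif seed is not None and expanded is not None:
        choice = _tlv(0x30, _tlv(0x04, seed) + _tlv(0x04, expanded))  # SEQUENCE
    else:
        raise ValueError("need a seed, an expanded key, or both")
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, oid) + _tlv(0x04, choice))


def classify_private_key(der: bytes) -> dict:
    """Parse a PrivateKeyInfo; report algorithm and form; reject wrong-size material."""
    tag, pki, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a PrivateKeyInfo SEQUENCE")
    _, _version, pos = _read_tlv(pki)                 # INTEGER version, not policed here
    tag, alg_id, pos = _read_tlv(pki, pos)            # AlgorithmIdentifier SEQUENCE
    _, _, oid_end = _read_tlv(alg_id)
    name = _BY_OID.get(alg_id[:oid_end])
    if name is None:
        raise ValueError("unknown algorithm OID")
    _, seed_len, exp_len = ALGORITHMS[name]
    tag, pk, _ = _read_tlv(pki, pos)                  # privateKey OCTET STRING
    if tag != 0x04:
        raise ValueError("privateKey is not an OCTET STRING")
    ctag, cval, _ = _read_tlv(pk)
    if ctag == 0x80:
        form, s, e = "seed", len(cval), 0
    elif ctag == 0x04:
        form, s, e = "expanded", 0, len(cval)
    elif ctag == 0x30:
        _, sv, p = _read_tlv(cval)
        _, ev, _ = _read_tlv(cval, p)
        form, s, e = "both", len(sv), len(ev)
    else:
        raise ValueError(f"unexpected private-key CHOICE tag 0x{ctag:02x}")
    if s and s != seed_len:
        raise ValueError(f"{name}: seed is {s} bytes, expected {seed_len}")
    if e and e != exp_len:
        raise ValueError(f"{name}: expanded key is {e} bytes, expected {exp_len}")
    return {"algorithm": name, "form": form, "seed_bytes": s, "expanded_bytes": e}


def seed_only_ok(der: bytes) -> bool:
    """Policy gate: only seed-form keys may leave the HSM for backup or transport."""
    return classify_private_key(der)["form"] == "seed"
```

Run `classify_private_key` on every blob at the boundary: a backup ceremony that expects seed objects should refuse an `expanded` or `both` form rather than quietly escrowing kilobytes of key material, and an import path should refuse a seed whose length does not match the parameter set named in the OID.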
How SafeCipher Helps (Procure • Deploy • Support)
- Procurement & contracts: Sizing, quotes, spares/RMA, co-termed renewals; roadmap planning for FIPS 140-3 and PQC enablement (PQC FM licensing).
- Deployment & integration: STC/NTLS, partitioning and RBAC, client stacks (PKCS#11/CNG/JCE), HA groups, FIPS-approved configuration, and performance tuning (source: thalesdocs.com).
- Operations: 24×7 or business-hours support options, monitoring/telemetry, firmware governance, seed/expanded-key ceremonies, backup/escrow, and auditor-ready evidence.
- Migrations: Classical→PQC dual-stack pilots, provenance-preserving re-wraps, on-prem↔cloud transitions (including Azure Dedicated HSM on Luna 7 A790) with validated cutovers and rollbacks.
Bottom line
Whichever HSM or crypto platform you choose, we can help you buy it right, deploy it right, and keep it right—without locking you to a single vendor.