The FIPS 140-2 validated (certificates #2488 and #2489) Luna SA for Government Hardware Security Module (HSM) is the choice for agencies requiring strong security for digital signatures, cryptographic key storage, transactional acceleration, certificate signing, code signing, bulk key generation, data encryption, DNSSEC, and more. Derived from industry-leading technology, the Luna SA for Government is manufactured, sold, and supported in the United States exclusively by Thales Trusted Cyber Technologies.
Approach to Key Security: Keys in Hardware
Luna SA for Government is the most trusted general purpose HSM for Federal Government agencies. Luna SA for Government offers a unique approach to protecting cryptographic keys in hardware. Other methods of key storage move keys outside of the HSM’s validated security boundary into a “trusted layer” on the host, which negates several of the physical security measures provided by an HSM. Storing keys within the FIPS 140-2 validated boundary of the Luna SA for Government ensures that all keys are protected throughout their lifecycle: they are generated, stored, used, backed up, and destroyed inside the module and are never exposed in plaintext to the host. The result is a high assurance cryptographic module that serves as a hardware cryptographic root of trust for a variety of information systems.
Luna SA for Government provides highly restricted server interfaces that allow keys to be used only within a strictly defined set of policies. This prevents unauthorized parties from using the keys and prevents even authorized users from using keys in potentially insecure ways. The HSM implements critical key management policies, such as removing the ability to export keys, directly in hardware in a manner that cannot be changed after the fact: an application holding a valid session can request a signature or a decryption, but cannot request the key material itself.
Strong Role Separation
Luna SA for Government enables separation of duties. Roles can be separated between service activation, policy management activities, and HSM domain authorization. Isolating the role of domain authorization, the act of authorizing a new HSM to store and use a specific set of keys, enables tight control of key locality: keys can only be cloned or backed up to HSMs that share the same cloning domain.
Scalable Security for Virtual and Cloud Environments
Luna SA for Government can be separated into cryptographically isolated partitions, with each partition acting as if it was an independent HSM. This provides a tremendous amount of scalability and flexibility, as a single HSM can protect the cryptographic keys of several independent applications. Luna SA for Government partitions are designed with independent access controls and key storage, allowing for use in multi-tenant environments.
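The two points above, that keys are used inside the module under a fixed policy and never exported, and that each partition presents itself to a client as an independent token with its own authentication, are easiest to see from the application side. The following is an added example written for this page; it is not Thales TCT code. It uses the open-source python-pkcs11 package against the Luna client's PKCS#11 library. The library path, the partition label, the partition password (password-authenticated partitions only; PED-authenticated partitions prompt on the PED instead) and the key label are assumptions, and the template-audit helper is this example's own pre-flight check, not a Luna feature. The sign-and-attempt-export part needs a real partition; the template helpers run anywhere.

```python
"""Added example (not Thales TCT code): generate a signing key that never
leaves the HSM, use it, and confirm the HSM refuses to hand over the key bytes.
Uses the python-pkcs11 package (pip install python-pkcs11) against the Luna
client's PKCS#11 library. Paths, labels and passwords below are assumptions."""

# Standard PKCS#11 attribute codes (same values in any PKCS#11 v2.x header).
CKA_TOKEN = 0x0001        # persist on the partition, not just this session
CKA_PRIVATE = 0x0002      # requires authenticated session to see/use
CKA_LABEL = 0x0003
CKA_SENSITIVE = 0x0103    # plaintext value can never be read out
CKA_DECRYPT = 0x0105
CKA_SIGN = 0x0108
CKA_UNWRAP = 0x010A
CKA_EXTRACTABLE = 0x0162  # if true, key may be wrapped out with C_WrapKey
CKA_MODIFIABLE = 0x0170


def hardware_signing_key_template(label: str) -> dict:
    """Private-key template for a code-signing key: resident on the partition,
    never extractable, not modifiable after creation, and usable only to sign."""
    return {
        CKA_TOKEN: True,
        CKA_PRIVATE: True,
        CKA_LABEL: label,
        CKA_SENSITIVE: True,
        CKA_EXTRACTABLE: False,
        CKA_MODIFIABLE: False,
        CKA_SIGN: True,
        CKA_DECRYPT: False,
        CKA_UNWRAP: False,
    }


def template_violations(template: dict) -> list:
    """Pre-flight audit (this example's own check): list the ways a private-key
    template would let the key leave the HSM boundary or be used for a purpose
    other than signing. An empty list means the template matches the
    keys-in-hardware policy described on this page."""
    problems = []
    if not template.get(CKA_TOKEN, False):
        problems.append("session object: key would not persist on the partition")
    if not template.get(CKA_SENSITIVE, False):
        problems.append("CKA_SENSITIVE false: C_GetAttributeValue could read CKA_VALUE")
    if template.get(CKA_EXTRACTABLE, True):
        problems.append("CKA_EXTRACTABLE true: key could be wrapped out with C_WrapKey")
    if template.get(CKA_DECRYPT, False) or template.get(CKA_UNWRAP, False):
        problems.append("signing key also enabled for decrypt/unwrap")
    return problems


def sign_with_hsm_key(lib_path: str, partition_label: str, partition_password: str,
                      key_label: str, data: bytes):
    """Generate an RSA-3072 key pair inside the partition, sign `data` with it,
    verify, and then try to read the private key's value. Returns
    (signature, exported) where `exported` is True only if the HSM handed the
    key bytes back, which a correctly configured partition never does."""
    import pkcs11  # imported here so the template helpers above run offline
    from pkcs11 import Attribute, KeyType, Mechanism
    from pkcs11.exceptions import AttributeSensitive

    private_template = hardware_signing_key_template(key_label)
    problems = template_violations(private_template)
    if problems:
        raise ValueError("refusing to generate key: " + "; ".join(problems))

    lib = pkcs11.lib(lib_path)
    # Each Luna partition appears to the client as its own token with its own
    # password; other partitions on the same appliance are not visible here.
    token = lib.get_token(token_label=partition_label)
    with token.open(rw=True, user_pin=partition_password) as session:
        pub, priv = session.generate_keypair(
            KeyType.RSA, 3072,
            public_template={Attribute.TOKEN: True, Attribute.VERIFY: True,
                             Attribute.LABEL: key_label},
            private_template={Attribute(code): value
                              for code, value in private_template.items()})
        signature = priv.sign(data, mechanism=Mechanism.SHA256_RSA_PKCS)
        if not pub.verify(data, signature, mechanism=Mechanism.SHA256_RSA_PKCS):
            raise RuntimeError("signature did not verify")
        try:
            priv[Attribute.VALUE]      # ask the HSM for the private exponent
            exported = True            # should never happen
        except AttributeSensitive:     # CKR_ATTRIBUTE_SENSITIVE: refused
            exported = False
    return signature, exported


if __name__ == "__main__":
    # Assumed values: default Luna client library path, a partition named
    # "CodeSigning", and its password.
    sig, exported = sign_with_hsm_key("/usr/safenet/lunaclient/lib/libCryptoki2_64.so",
                                      "CodeSigning", "partition-password",
                                      "release-signing-key", b"artifact digest input")
    print(len(sig), "byte signature; key bytes exported:", exported)
```

The audit helper is worth running before every key-generation path in an application, because the PKCS#11 defaults are permissive (a private key created without an explicit CKA_EXTRACTABLE=false could be wrapped off the module if partition policy allowed it). On Luna SA for Government the partition policy is the backstop: with key export disabled at the partition level the HSM returns CKR_ATTRIBUTE_SENSITIVE or refuses the wrap regardless of what the application asks for, which is the hardware-enforced policy the text above describes.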
Robust High Availability
Multiple HSMs can be grouped together to provide high availability (HA), load balancing and scalable performance. The HA group shares the transaction load across members, synchronizes key material among them, and, if a member appliance fails, redistributes its work to the remaining members so that service to up to 100 clients continues uninterrupted. The HA capability also makes recovery straightforward when a unit returns to service: the returning member is resynchronized with the group and resumes taking load.
Flexible Backup and Disaster Recovery Options
Luna SA for Government provides secure, auditable and flexible options to simplify backup, duplication, and disaster recovery. Key backups can be performed locally or remotely to the Luna Backup HSM or other Luna HSMs.
Secure Audit Logging
Luna SA for Government can be configured to selectively log events for security auditing purposes. A dedicated Audit Officer role owns the audit configuration and the log files, which enforces separation of duties between the auditors and the people they are auditing: administrative and user personnel cannot tamper with the log files, and the auditors cannot perform administrative actions or access keys.
Network Shareable for Easy Deployment
Ethernet connectivity enables flexible deployment and scalability. Built-in TCP/IP support ensures that Luna SA for Government deploys easily into existing network infrastructures and communicates with other network devices. Multiple application servers can share cryptographic capabilities through Network Trust Links (NTLs), mutually authenticated, certificate-based connections between each registered client and the appliance.
Common Luna Architecture
All Luna HSMs benefit from a Common Luna Architecture where the supported client, APIs, algorithms, and authentication methods are consistent across the entire Luna HSM product line. This eliminates the need to design applications around a specific HSM, and provides the flexibility to move keys from form factor to form factor.
Available in Two Performance Models
Luna SA for Government is available in two performance models: Luna SA 7000 and Luna SA 1700. Luna SA 7000 is a high performance HSM capable of best-in-class performance across a breadth of algorithms including ECC, RSA, and symmetric transactions. Luna SA 7000 also features dual, hot-swappable power supplies, so a power-supply failure does not take the appliance offline. The lower-performance model, Luna SA 1700, has a single power supply and is capable of 1,700 RSA 1024-bit transactions per second (tps).
Performance by model (transactions per second):

| Algorithm | Luna SA 1700 | Luna SA 7000 |
|-----------|--------------|--------------|
| RSA-1024  | 1,700 tps    | 7,000 tps    |
| RSA-2048  | 350 tps      | 1,200 tps    |
| ECC P-256 | 570 tps      | 2,000 tps    |
| AES-GCM   | 3,600 tps    | 3,600 tps    |
Luna SA for Government Product Brief
Product overview with technical features and specifications.
Roots of Trust: Five Things You Must Know
The term Root of Trust (RoT) is commonly used in information security circles, but what does it mean? Why do we care? How does it apply to cryptographic controls? Modern computer systems are incredibly powerful and flexible. They can be molded to accomplish things that were unimaginable a mere decade ago. This same property makes them almost impossible to control and all too easy for malicious actors to find ways to disrupt. To counter these threats, security experts rely on a wide range of cryptographic tools, and for these tools to function they need a trustworthy beginning.
Best Practices for Cryptographic Key Management
Once data is encrypted, the only way to gain access is by decrypting or unlocking secret content using the key. Haphazardly protecting these keys negates the entire process of encryption and creates a false sense of security. This white paper outlines best practices for deploying an effective cryptographic key management strategy.
Securing Network-Attached HSMs - Three-Layer Authentication Model
The Luna SA for Government uses a comprehensive three-layer authentication and access control model to achieve extremely strong security between the host application processes and the Luna SA for Government’s HSM partitions. This three-layer authentication and access control model was designed to allow the Luna SA for Government to offer network connectivity to clients without sacrificing the security requirements of HSM operations.
Thales TCT How-To Video Series