Luna S790

The following covers how to configure a Luna S790 HSM for the Next Generation Hardware Appliance.

Security Transport Mode (STM)

The HSM is secured during transportation. Before the HSM can be initialized for the first time, STM must be removed. For this purpose, Keyfactor sent a Random User String and a Verification String via email upon delivery. These strings must be entered in Webconf to take the appliance out of STM.
For more information, refer to Secure Transport Mode (STM).

Preparations

The PIN Entry Device (PED) was delivered with the appliance, including 10 PED keys and a sheet with labeled peel-off stickers for the PED keys. It is recommended to label the PED keys that will be used with the corresponding stickers in advance.

Before starting, the PED must have been configured via Webconf.

For more information, refer to PIN Entry Device.

Linux Kernel Version

To run the included Luna client (v10.9.1) for Remote Backup HSM and Remote PED, the Linux kernel version must be lower than 6.16.
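
The kernel requirement above can be checked on the client workstation before the Luna client is installed. The following is an added example, not part of the Keyfactor or Thales documentation; the function name kernel_supported is hypothetical, and the only value taken from this page is the 6.16 limit.

```shell
#!/bin/sh
# Added example: pre-flight check for the workstation that will run the
# Luna client (Remote Backup HSM / Remote PED). Not vendor code.
# Assumption: the release string has the usual "major.minor[.patch][-suffix]" form.

MAX_MAJOR=6
MAX_MINOR=16   # first kernel version that is NOT lower than the limit

# kernel_supported RELEASE
#   returns 0 if RELEASE is lower than 6.16
#   returns 1 if RELEASE is 6.16 or newer
#   returns 2 if RELEASE cannot be parsed
kernel_supported() {
    base=${1%%-*}                 # "6.8.0-45-generic" -> "6.8.0"
    major=${base%%.*}
    rest=${base#*.}
    if [ "$rest" = "$base" ]; then
        return 2                  # no dot: not a kernel release string
    fi
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}       # "16+" -> "16"
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in '') return 2 ;; esac
    if [ "$major" -lt "$MAX_MAJOR" ]; then
        return 0
    fi
    if [ "$major" -eq "$MAX_MAJOR" ] && [ "$minor" -lt "$MAX_MINOR" ]; then
        return 0
    fi
    return 1
}

# Report on the running kernel without aborting the calling shell.
running=$(uname -r)
if kernel_supported "$running"; then
    echo "kernel $running: lower than 6.16, Luna client 10.9.1 can be used"
else
    echo "kernel $running: not lower than 6.16 (or not parsable)" >&2
fi
```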

HSM Information

In the initial state, the appliance is still in Secure Transport Mode and no HSM has been initialized yet.
The last three rows change according to the current status.

| Name | Value |
|---|---|
| Serial Number | xxxxxx |
| Firmware | e.g. 7.8.4 |
| Post Quantum Cryptography | Available (This line is only displayed for the corresponding firmware.) |
| Fan 1 | Active |
| Fan 2 | Active |
| Battery | e.g. 3.098 V |
| Temperature | in [C] or in [F], e.g. 31° [C]. Move the cursor in the field to switch between [C] and [F]. |
| Alarm | ON or OFF |
| Status | transport_mode (while in Secure Transport Mode (STM)); zeroized (when exited STM and not initialized); RUNNING (when initialized) |
| Secure Transport Mode | ON or OFF |

If an Alarm has been triggered, a message with further explanations is displayed in a banner at the top of the Security page.

For more information, refer to the Thales documentation Luna S790 HSM Documentation.

The Luna USB HSM is not supported!


Considerations for a later HSM Firmware Update

Since Next Generation Hardware Appliance firmware version 5.2.1, the HSM firmware track can be explicitly selected during the initial HSM configuration.
By default, the HSM is delivered with the FIPS-validated firmware version 7.8.4.
However, the 5.2.1 appliance firmware includes the newer, post-quantum-enabled version 7.9.1 as an available update path during setup.

This design is intentional and ensures flexibility to meet differing regulatory, certification, and future-readiness requirements.

If an HSM firmware update is released in the future, the update can only be performed within the selected path.

  • If the HSM was initialized with version 7.8.4 (FIPS), updates are only possible to subsequent FIPS-certified firmware versions.

  • If the HSM was initialized with the post-quantum version 7.9.1, switching to a FIPS-certified HSM firmware version during the update process is not possible.

If it is necessary to switch between these two tracks, a Factory Reset of the appliance is required, followed by reinitialization of the HSM with the desired firmware type.