Luna Network HSM 7

Vendor: Thales
Category: Network-Attached Hardware Security Module
Deployment: On-premises (rack-mounted appliance)

Overview

Luna Network HSM 7 is a high-assurance, network-attached hardware security module for general-purpose cryptography. Validated to FIPS 140-2 and FIPS 140-3 Level 3, it provides a hardware root of trust for cryptographic keys and operations across PKI, TLS/SSL offload, code signing, database encryption, and key management use cases. The platform supports up to approximately 100 isolated partitions with strong multi-tenant separation, and MFA/PED authentication on S-series models for enhanced key management security.

Unsung is a Thales Silver Partner with over five years of experience deploying Luna HSMs. Luna Network HSMs are fundamental to our PKI implementations, routinely protecting Root CA and Issuing CA private keys for UK government, defence, and enterprise customers.

The Challenge

Organisations operating PKI, encryption, and signing services need to protect the cryptographic keys that underpin these operations. Storing keys in software — on server file systems or in databases — exposes them to extraction by malware, insider threats, or compromised operating systems. Regulatory frameworks and assurance standards across government, financial services, and healthcare increasingly mandate hardware-based key protection at FIPS 140-2 Level 3 or equivalent.

Beyond basic key protection, organisations need HSMs that support the range of cryptographic algorithms and protocols required by their applications, provide sufficient performance for their transaction volumes, and offer the multi-tenancy needed to serve multiple applications or organisational units from shared HSM infrastructure. With the approaching post-quantum cryptography transition, organisations also need assurance that their HSM investment will support quantum-resistant algorithms.

What It Does

Luna Network HSM 7 provides FIPS 140-2/3 Level 3 validated key protection in a network-attached appliance that serves cryptographic operations to applications across the network. The HSM generates and stores keys within its tamper-resistant hardware boundary, ensuring that private keys never exist in software. It supports RSA, ECC, and symmetric algorithms, with recent firmware adding support for post-quantum mechanisms including LMS/HSS and ML-DSA/ML-KEM via functionality modules.

The platform’s partition architecture enables up to approximately 100 isolated cryptographic domains within a single appliance, each with independent key storage and access controls. This multi-tenancy supports organisations that need to share HSM infrastructure across multiple applications, environments, or business units whilst maintaining strict separation. S-series models provide multi-factor PED authentication for key management operations, adding a physical authentication factor to critical key ceremonies. High availability configurations ensure continuous availability of cryptographic services.

How Unsung Helps

Unsung’s five-year partnership with Thales has given us extensive hands-on experience with Luna Network HSM deployment, configuration, and integration. We routinely implement Luna HSMs as part of PKI build projects, configuring partitions, integrating with CA platforms including EJBCA and Microsoft ADCS, and conducting key ceremonies for root and issuing CAs. Our Hardware Security Modules service covers the full lifecycle from requirements assessment and platform sizing through deployment, key ceremony, and operational handover.

Related Unsung Services

Hardware Security Modules — Luna HSM deployment, configuration, key ceremony, and operational support.

PKI Design & Build — End-to-end PKI implementation with integrated HSM key protection.

PKI Consultancy — Advisory on HSM strategy, platform selection, and cryptographic architecture.

PKI Management & Hosting — Managed PKI services including ongoing HSM operations and key management.