
Luna USB & Luna Backup HSMs
Overview
Luna USB HSMs and Luna Backup HSMs are portable, USB form-factor hardware security modules designed for secure key storage, transport, and backup operations. They are used to store and transport master keys, perform secure key backup and restore, and support smaller-scale or offline key operations. These devices are typically deployed alongside Luna Network or PCIe HSMs to protect root keys, seed new HSM clusters, or provide disaster recovery key storage.
Unsung deploys Luna USB and Backup HSMs as part of PKI implementations where root CA keys require offline, portable, hardware-protected storage, and where disaster recovery procedures require secure key backup to physically separate locations.
The Challenge
High-assurance PKI environments require root CA private keys to be generated and stored in hardware that remains offline and physically secured when not in use for signing operations. Network-attached HSMs are designed for continuous online operation, making them unsuitable for offline root CA key storage where the HSM must be powered down, physically secured in a safe, and only activated during scheduled key ceremonies.
Disaster recovery for HSM-protected keys presents a similar challenge: backup copies of critical key material must be stored in hardware-protected form at a physically separate location, ready to restore HSM services if the primary HSM infrastructure is lost. Transporting key material between sites must maintain hardware protection throughout, preventing any exposure of keys in software form during transit.
What It Does
Luna USB HSMs provide portable, hardware-protected key storage in a form factor that can be physically secured in a safe or vault when not in use. For root CA operations, the USB HSM is connected to the CA server only during key ceremonies, powered on for the signing operation, and returned to secure storage afterwards. This operational model ensures that root CA keys are protected in hardware at all times, whether the HSM is active or in storage.
Luna Backup HSMs provide dedicated key backup and restore functions, enabling organisations to create hardware-protected copies of key material from their production Luna Network or PCIe HSMs. The backup HSM stores keys in its own tamper-resistant hardware, maintaining FIPS 140-2 Level 3 protection throughout the backup, transport, and restore process. Organisations typically store backup HSMs at a secondary site, providing disaster recovery capability for their cryptographic infrastructure.
How Unsung Helps
Unsung integrates Luna USB and Backup HSMs into PKI architectures as part of our PKI Design & Build service. We design offline root CA operational procedures, plan and execute key ceremonies using USB HSMs, and establish key backup and disaster recovery processes using Luna Backup HSMs. Our Hardware Security Modules service covers the full HSM estate, including portable and backup devices.
Related Unsung Services
Hardware Security Modules — HSM deployment including portable and backup HSM configuration.
PKI Design & Build — PKI architecture including offline root CA and key ceremony design.
PKI Consultancy — Advisory on key ceremony planning and disaster recovery procedures.
PKI Management & Hosting — Managed PKI operations including key backup management.
