Luna USB HSM 7 Firmware 7.7.3
Luna USB HSM 7 firmware version 7.7.3 was released in April 2025, and is the FIPS-validated firmware version recommended by Thales.
Download Luna USB HSM 7 Firmware 7.7.3
Refer to NIST certificate #4962 for FIPS 140-3 Level 3 certification:
New Features and Enhancements
Luna USB HSM 7 firmware 7.7.3 includes the following new features and enhancements:
New HSM Policy Controls Use of User-Defined ECC Curves
A new policy, HSM policy 56: Allow User Defined ECC Curves, allows the HSM SO to control whether user-defined ECC curves are accepted. In FIPS approved configuration, this policy is automatically set to 0.
Partition Policy Controls Use of DigestKey
A newly-added policy, partition policy 9: Allow DigestKey, allows the Partition SO to control whether the C_DigestKey function can be used to derive a key outside of the HSM. In the previous version, this was always allowed. In this version, it is set to 0 by default. If you require this functionality, refer to Partition Policy 9: Allow DigestKey is Destructive When Turned On in the Advisory Notes before updating to Luna USB HSM 7 Firmware 7.7.3.
Advisory Notes
This section highlights important issues you should be aware of before installing Luna USB HSM 7 firmware version 7.7.3.
Migrate Keys From FIPS-Configured Luna USB HSM G5 Before Updating to This Version
When Luna USB HSM 7 Firmware 7.7.3 or newer is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), cloning from Luna USB HSM G5 with firmware 6.24.7 is disallowed. Therefore, you must migrate your keys to Luna USB HSM 7 with Luna USB HSM 7 Firmware 7.7.2 installed before you update the firmware.
Requires Luna HSM Client 10.8.0 or Newer
This version of the Luna USB HSM 7 firmware requires Luna HSM Client 10.8.0 or newer.
Partition Policy 9: Allow DigestKey is Destructive When Turned On
Partition policy 9: Allow DigestKey is set to 0 by default when you update to Luna USB HSM 7 Firmware 7.7.3 or newer, and it is destructive when changed from 0 to 1. If you were using C_DigestKey with Luna USB HSM 7 Firmware 7.7.2, and you need to continue using it, you must back up the contents of your application partition and restore them after changing the policy. Refer to Partition Backup and Restore.
FIPS Changes in Luna USB HSM 7 Firmware 7.7.3 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), to comply with NIST SP800-131a Rev2 and SP800-56B Rev2, published in March 2019.
Mechanisms no longer available in FIPS approved configuration
The following mechanisms are no longer available in FIPS approved configuration:
CKM_EC_MONTGOMERY_KEY_PAIR_GEN
NOTE: If you need to generate FIPS-compliant domain parameters for this mechanism, use CKM_DSA_PARAMETER_GEN with modulus length 2048 or 3072.
DES/DES3 encryption not permitted using ECIES mechanisms
The following mechanisms are not permitted to encrypt in FIPS approved configuration (decrypt operations are permitted):
HMAC mechanisms not permitted to sign using DES3 keys
The following mechanisms are not permitted to sign objects with a DES3 key in FIPS approved configuration (verify operations are permitted):
Mechanisms now check for approved EC curves in FIPS mode
The following mechanisms now verify that the specified EC curve is FIPS-approved, and reject operations that specify non-approved curves:
CKM_EC_KEY_PAIR_GEN_W_EXTRA_BITS
CKM_RSA_PKCS not permitted to decrypt/unwrap objects
To comply with FIPS 140-3 requirements, RSA-based key transport schemes that use only PKCS#1-v1.5 padding are disallowed. Therefore, CKM_RSA_PKCS is now restricted from performing decrypt/unwrap operations.
NOTE: When the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), CKM_RSA_PKCS is disabled even if partition policy 33: Allow RSA PKCS mechanism is set to 1.
3DES usage counter has been removed
The 3DES usage counter attribute (CKA_BYTES_REMAINING) has been removed in Luna USB HSM 7 Firmware 7.7.3 and newer, to comply with FIPS 140-3 requirements. This attribute is now ignored on any keys where it is already set.
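Before updating, the changes above can be checked against the PKCS#11 calls an application makes. The following Python is an added example, not Thales code or part of the original release notes: the inventory format, the Policies class and the function names are hypothetical, the sample inventory is constructed, and it models only the restrictions whose identifiers appear on this page.

```python
from dataclasses import dataclass

@dataclass
class Policies:
    hsm_12: int = 1   # HSM policy 12: Allow non-FIPS algorithms
    part_43: int = 1  # partition policy 43: Allow Non-FIPS algorithms
    part_9: int = 0   # partition policy 9: Allow DigestKey (0 by default after update)

    @property
    def fips(self) -> bool:
        # FIPS approved configuration: either policy is set to 0
        return self.hsm_12 == 0 or self.part_43 == 0

def check(call: str, p: Policies):
    """Return a finding for one inventory line, or None if no modelled rule applies."""
    parts = call.split()
    func, mech = parts[0], parts[1] if len(parts) > 1 else ""
    attrs = parts[2:]
    if func == "C_DigestKey" and p.part_9 == 0:
        return "blocked: partition policy 9 is 0; changing it to 1 is destructive"
    if "CKA_BYTES_REMAINING" in attrs:
        return "changed: CKA_BYTES_REMAINING is ignored in 7.7.3 and newer"
    if not p.fips:
        return None
    if mech == "CKM_EC_MONTGOMERY_KEY_PAIR_GEN":
        return "blocked: not available in FIPS approved configuration"
    if mech == "CKM_RSA_PKCS" and func in ("C_DecryptInit", "C_UnwrapKey"):
        return "blocked: decrypt/unwrap disabled even if partition policy 33 is 1"
    return None

def audit(inventory: str, p: Policies) -> dict:
    """Map each affected inventory line to its finding."""
    findings = {}
    for line in inventory.splitlines():
        line = line.strip()
        if line and (finding := check(line, p)):
            findings[line] = finding
    return findings

# Constructed inventory: "<PKCS#11 function> [mechanism] [attributes...]" per line.
INVENTORY = """\
C_UnwrapKey CKM_RSA_PKCS
C_DigestKey
C_GenerateKeyPair CKM_EC_MONTGOMERY_KEY_PAIR_GEN
C_GenerateKey CKM_DES3_KEY_GEN CKA_BYTES_REMAINING
C_SignInit CKM_ECDSA
"""

if __name__ == "__main__":
    for call, finding in audit(INVENTORY, Policies(hsm_12=0)).items():
        print(f"{call}: {finding}")
```

A line with no finding only means that none of the rules modelled here matched; the mechanism lists in these notes remain the authority.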
FIPS Changes in Luna USB HSM 7 Firmware 7.7.2 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), to comply with FIPS SP800-131a Rev2, published in March 2019. Consider these functional changes when migrating from Luna USB HSM G5.
Mechanisms not permitted to wrap objects in FIPS mode
The following mechanisms are not permitted to wrap objects in FIPS mode (unwrap operations are permitted):
Mechanisms not permitted to sign data in FIPS mode
The following mechanisms are not permitted to sign data in FIPS mode (verify operations are permitted):
Mechanisms approved for use in FIPS mode
The following mechanisms are now approved for use in FIPS mode: