Hi -

The product brief for the Luna USB G7 doesn't provide a lot of data. The previous HSM provided level four hardware protection - e.g. a tamper perimeter and the ability to zeroize the keys if someone tried to decap the thing. That's almost entirely dependent on having a constant power source - usually a three-stage line/battery/capacitor model.

On the PCI cards, there's a Li-ion battery - a rather large one - on the card just in front of the tamper-covered HSM engine. See https://thalesdocs.com/gphsm/luna/7/docs/pci/Content/install/pci_hw_install/battery_replace.htm

The older Luna USB HSM had a battery compartment - I can't see one on the images I've been able to find of the current one. It was also a most Level 2 device with L3 security.

My questions are these: Is there an internal battery? Is it replaceable? How often does this USB HSM need to be plugged into power to maintain the internal battery?  What happens if you leave it in a safe for a year - or alternately, how long can the unit remain unplugged before it wipes its keys?  What's the lifetime of the battery before replacement?

Later, Mike




On 2/28/2024 7:20 PM, James Mitchell via ksk-rollover wrote:

ICANN has announced the schedule to generate the next KSK.

Generating a new KSK restarts the process announced last year, which was suspended after it was identified that a supplier of key equipment used to store the KSK (known as a Hardware Security Module, or HSM) would be exiting the business during the expected lifespan of the new KSK.

The next KSK will be generated on new Thales Luna USB G7 HSMs.

The announcement and information regarding the new HSMs is published at https://www.icann.org/en/announcements/details/icann-to-generate-new-dns-cryptographic-key-at-april-2024-ceremony-28-02-2024-en.

James Mitchell
IANA

 

