By Paul Hampton
Solution Owner, Thales Data Protection on Demand

Luna Cloud HSM now provides two methods to connect a single client to multiple HSM instances or tiles. This blog aims to describe the options and why you may wish to use more than one HSM instance.

The first way to use multiple cloud HSM services from a single client is to request multiple partitions bound to a single client ID. The process for setting this up is straightforward. Simply use the form here https://thalesdocs.com/dpod/resources/client_resources/client_connect_to_multiple_services/index.html to identify the client and the services that you wish to use together. This allows multiple services created under the same DPoD Tenant to be used together.

For the second method, starting with version 10.5 of the Luna HSM client, it will be possible to support multiple client IDs in the configuration file.

This will allow you to provide a list of ClientIDs in the config file or as environment variables. The difference from the first approach is that these client IDs can be from different tenants. This is particularly useful for customers who have multiple different DPoD accounts, maybe for different business units or company geographic locations. In addition, a service provider could make use of this capability to run a single client instance to connect to their customers’ partitions (assuming of course that the customer has granted them the access to do so).

Regardless of the approach used, once configured, when running LunaCM with multiple services you will see something similar to the following:

lunacm (64-bit) v10.2.0-111. Copyright (c) 2020 SafeNet. All rights reserved.

This shows a client with two configured services, each identified by its own serial number and label. Each service is given a PKCS#11 slot identifier for differentiating between the services in applications using PKCS#11 or higher-level APIs such as Microsoft KSP or Java JCA/JCE.

Your applications can now choose which HSM service they wish to interact with by specifying the slot number. Alternatively, you may wish to aggregate the storage of many HSM services. If so, you can set your application to look for keys across the multiple slots now accessible to your client. A simple approach in Java is to use the getSlotList() function of LunaTokenManager. This provides your application with details of each HSM service accessible to your client and keys can be located across all of those services. This technique is useful for applications that need access to a larger number of keys than can be supported by a single HSM service.

Another use for this capability is cloning the key material from one HSM service to another. As long as both services have the same cloning domain specified at the point of initialization, it is possible to use the ‘partition clone’ command within LunaCM to duplicate key material. This allows a backup to be taken (particularly in the case of the HSM backup tile) or for keys to be shared between applications that require access to them.
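The cross-service key lookup described above, sketched with the standard java.security.KeyStore API as an added example that is not Thales code. It goes one step beyond the text by refusing to guess when the same alias exists in more than one service, as it would after a clone. It assumes the application already holds one KeyStore per HSM service keyed by service label; the class, method, label and alias names are hypothetical, and software JCEKS stores with zero-value keys stand in for the HSM services so the code runs without hardware.

```java
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;

public class MultiServiceKeyLocator {
    // Every service (keyed by its label) whose key store holds a key under this alias.
    static List<String> servicesHolding(Map<String, KeyStore> services, String alias)
            throws Exception {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, KeyStore> e : services.entrySet()) {
            if (e.getValue().isKeyEntry(alias)) hits.add(e.getKey());
        }
        return hits;
    }

    // Resolve an alias to exactly one service; refuse to guess when it is
    // missing or present in several services (for example after a clone).
    static String resolve(Map<String, KeyStore> services, String alias) throws Exception {
        List<String> hits = servicesHolding(services, alias);
        if (hits.isEmpty()) throw new IllegalStateException("no service holds " + alias);
        if (hits.size() > 1)
            throw new IllegalStateException(alias + " is held by several services: " + hits);
        return hits.get(0);
    }

    // Constructed stand-in for one service's key store (software JCEKS, zero-value keys).
    static KeyStore standIn(String... aliases) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        for (String a : aliases) {
            ks.setKeyEntry(a, new SecretKeySpec(new byte[16], "AES"), "demo".toCharArray(), null);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Map<String, KeyStore> services = new LinkedHashMap<>();   // label -> key store
        services.put("service-a", standIn("tls-signing", "db-wrap"));
        services.put("service-b", standIn("db-wrap"));            // holds a cloned copy
        System.out.println("tls-signing -> " + resolve(services, "tls-signing"));
        try {
            resolve(services, "db-wrap");
        } catch (IllegalStateException ex) {
            System.out.println("refused: " + ex.getMessage());
        }
    }
}
```

Keying the map by service label rather than slot number keeps the lookup tied to the identity of the service, which the page notes is its serial number and label.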