Thales Data Protection on Demand’s Cryptovisor Achieves Updated FIPS 140-2 Recertification

Thales Cryptovisor K7, the cryptographic module embedded in Luna Cloud HSM on the DPoD platform, has just completed its latest FIPS 140-2 certificate update, resulting in the new FIPS certificates 4327 and 4328. Thales remains among an elite group of providers offering a cloud service with a FIPS-validated hardware root of trust. The FIPS recertification further strengthens Thales’ broad range of HSM offerings, and our ability to help you choose the right Luna HSM for your needs. With Luna Cloud HSM, customers can select a FIPS 140-2 Level 3 certified solution, with verified security at deployment.

In addition to the critical recertification, the firmware update included other noteworthy features:

  • The updated certificate covers firmware version 2.0.0 alongside all existing deployed bootloaders for Luna HSM, including the new bootloader version 1.1.5.
  • A key feature of Firmware 2.0.0 is Thales Luna HSM Cloning Protocol Version 4 (CPV4), the updated cloning method introduced to improve interoperability with Thales Luna HSM. The corresponding Thales Luna HSM implementation of CPV4 is in review with NIST as part of its submission, which includes 7.8.0 and 7.8.1.
  • Our random number generator is now formally certified as compliant with SP800-90B (Recommendation for Entropy Sources Used for Random Bit Generation), and we now have a formal listing for this, signified by the ENT P listing in the FIPS algorithms section of the page.
  • This update is one of the first (of a series in progress, with G7 and K7 to come) to accurately cover supported and allowed non-NIST elliptic curves, which are now listed in a new Table 10 on page 50 of the security policy. This now makes us the vendor with the widest formal support for ECC (as measured by supported named curves).
  • The updated certificate complies with recent NIST transitions for SP800-56Ar3 (Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography) and SP800-56Br2 (Pair-wise Key Establishment using Integer Factorization Cryptography).
  • The updated certificate is compliant with the upcoming transitions on Dec 31, 2023, for 3DES and PKCS1 v1.5 encryption, and is valid today through to its expiry on Sept 21, 2026, without any need to update. This is a shared expiry date for all FIPS 140-2 certificates as part of the transition to FIPS 140-3.

The Cryptovisor certificates, 4327 and 4328, are on the NIST website.