This blog is part of the VTPP (VNET Threat Perception Platform) project, a three-year programme co-funded by the European Commission under the DIGITAL-ECCC-2022-CYBER-03 call. The project covers DDoS mitigation with FastNetMon, vulnerability scanning with OpenVAS, custom AI/ML detection plugins for Zeek, HSM-backed key management, RPKI validation and a Krill CA, and a full-scale deployment of Security Onion as the IDS/SIEM/NSM backbone.
LunaCM is the core client-side utility used to administer and integrate Luna HSM appliances. It is a command-line tool available for both Linux and Windows environments.
Through LunaCM, administrators perform:
- client registration
- trust relationship configuration
- partition management
- diagnostics
- monitoring
- cryptographic operations
- backup and restore processes
LunaCM is also one of the most important tools for initializing communication between a client and an HSM appliance.
The installation package is available on the thales.com portal.
```bash
# alien is needed on Debian/Ubuntu hosts: the installer converts the bundled RPM packages
sudo apt install alien
# unpack the client archive downloaded from the Thales portal and run the installer
tar xf 610-000397-016_SW_Linux_Luna_Client_V10.9.1_RevA.tar
cd LunaClient_10.9.1-152_Linux
./install
```
Establishing Bidirectional Trust
The Luna HSM security model is built on the principle of mutual trust, that is, bidirectional trust between the client and the HSM.
The process works as follows:
- The client generates its own certificate
- The HSM generates its own certificate
- The certificates are mutually registered on the opposite device
- Both parties verify the identity of the other on every connection
This mechanism ensures that:
- the client communicates only with a trusted HSM
- the HSM accepts only authorized clients
- an attacker cannot easily spoof the cryptographic connection
The trust onboarding process is one of the most important security operations when deploying an HSM infrastructure.
The diagram below illustrates how LunaCM, as part of the Luna HSM Client, communicates with a Luna Network HSM appliance. All cryptographic traffic travels over the Network Trust Link Service (NTLS), a mutually authenticated TLS channel that listens on TCP port 1792. During the onboarding sequence, the client generates its own certificate with vtl createCert and the appliance presents its server certificate; the two certificates are exchanged and registered on the opposite end, after which vtl addServer, client register, and client assignPartition bind the client to one or more application partitions. Once the link is verified with vtl verify, each assigned partition appears to the client as a PKCS#11 slot. LunaCM then operates on those slots, authenticating through the partition role hierarchy – Partition Security Officer (PO), Crypto Officer (CO), and Crypto User (CU) – while all key material remains inside the FIPS-validated hardware boundary and never leaves the HSM in cleartext.
```bash
# On the client: generate the client certificate, named after the client's IP or hostname
vtl createCert -n 192.168.1.20
# Copy the client certificate to the appliance (-O selects the legacy scp protocol,
# which the appliance needs when the client runs a recent OpenSSH)
scp -O /usr/safenet/lunaclient/cert/client/192.168.1.20.pem admin@192.168.0.10:
# Fetch the appliance's server certificate
scp -O admin@192.168.0.10:/tmp/server.pem .
# Register the server certificate as a trusted NTLS server on the client
vtl addServer -n 192.168.1.10 -c /tmp/server.pem
```
On the Luna Network HSM, the client must be authorized:
```
client register -client CLIENT -ip 192.168.1.20
client assignPartition -client CLIENT -partition PART_INTERNAL
```
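The scp step above fetches server.pem over the network, so before running vtl addServer a practitioner would want to confirm that the certificate being registered is really the appliance's. The helper below is an added example, not part of the original post or of the Luna client: it compares the fetched certificate's SHA-256 fingerprint with one obtained out of band (for example read from the appliance console by its administrator) and only then calls vtl addServer; the vtl path is assumed to be the default /usr/safenet/lunaclient/bin/vtl.

```python
import base64
import hashlib
import re
import subprocess
import sys

VTL = "/usr/safenet/lunaclient/bin/vtl"  # assumed default Luna client install path

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER encoding, in OpenSSL's AA:BB:CC:... notation."""
    hexdigest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """Compare ignoring case and separators, so a value copied from a console works."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(sha256_fingerprint(pem_text)) == norm(expected)


def register_server(server_pem_path: str, appliance: str, expected_fp: str) -> None:
    """Run `vtl addServer` only if the fetched server.pem matches the
    fingerprint the appliance administrator supplied out of band."""
    with open(server_pem_path, encoding="ascii") as fh:
        pem = fh.read()
    if not fingerprint_matches(pem, expected_fp):
        raise SystemExit(f"{server_pem_path}: fingerprint mismatch, not registering")
    subprocess.run([VTL, "addServer", "-n", appliance, "-c", server_pem_path],
                   check=True)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # print a cert's fingerprint, e.g. the client cert for the admin
        print(sha256_fingerprint(open(sys.argv[1], encoding="ascii").read()))
    elif len(sys.argv) == 4:  # <server.pem> <appliance host/IP> <expected fingerprint>
        register_server(*sys.argv[1:4])
    else:
        sys.exit("usage: cert.pem | server.pem APPLIANCE EXPECTED_SHA256")
```

The same fingerprint function serves the other direction of the trust relationship: run it on the client certificate and read the value out to the appliance administrator before the client is registered.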
Additional LunaCM Functionality
Once trust has been successfully established, LunaCM provides extensive options for managing the HSM environment.
Administrators can:
- create partitions
- initialize tokens
- manage certificates
- monitor appliance status
- run diagnostics
- synchronize HA groups
- back up cryptographic objects
- manage policies
LunaCM also provides detailed visibility into:
- firmware versions
- partition status
- security policies
- registered clients
- cryptographic capabilities
A major advantage is the ability to automate operations through scripting, which is extremely useful in enterprise environments with large numbers of clients and HSM appliances.
For example, the following LunaCM session selects the slot of an assigned partition and initializes the Crypto Officer and Crypto User roles, with the Partition Security Officer creating the CO and the CO creating the CU (passwords shown as placeholders):
```
slot set -slot 0
role login -name po -password PSO_SECRET
role init -name co -password CO_SECRET
role logout
role login -name co -password CO_SECRET
role init -name cu -password CU_SECRET
role logout
```
Summary
LunaCM is the central client-side utility for administering and integrating Thales Luna Network HSM appliances across both Linux and Windows environments. Its role spans the full lifecycle of an HSM deployment: establishing the mutually authenticated NTLS trust link between client and appliance, registering clients and assigning partitions, and then performing day-to-day operations such as partition and token management, certificate handling, diagnostics, monitoring, HA group synchronization, and backup and restore. Because every assigned partition is exposed to the client as a PKCS#11 slot and is governed by the Partition Security Officer, Crypto Officer, and Crypto User role hierarchy, LunaCM enforces strong separation of duties while keeping all key material inside the FIPS-validated hardware boundary. Combined with its scripting and automation capabilities, this makes LunaCM an essential tool for operating secure, scalable HSM infrastructure in enterprise environments.

Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the granting authority can be held responsible for them.
