Thales DPoD Luna Cloud HSM Service
Updated Jul. 19 2021

Venafi orchestrates connections to machines needing certificates while protecting cryptographic keys with Thales Luna Cloud hardware security modules (HSMs). With the added deployment speed and efficiency of an on-demand service, Luna Cloud HSM provides a cloud-based HSM service with zero upfront capital investment.
Business Outcomes
  • Protect identities of devices and applications securing critical data

  • Enable trust in machines that are supporting critical business

  • Apply consistent security policies to put you in complete control

Integration Features
  • Automated lifecycle of keys and certificates

  • FIPS 140-2 Level 3 and Common Criteria EAL 4+ root of trust

Solution Overview

Scaling the use of HTTPS has always required trade-offs between security and efficiency. Using machine identities to enable Encryption Everywhere strategies requires that more SSL/TLS keys and certificates be deployed in more locations. Managing this not only increases resource demands on an organization, it also exponentially increases the risk of exposing keys stored in software.

To help reduce the risk of a data breach, meet compliance requirements, and simplify machine identity management, Venafi and Thales have combined the benefits of automated key and certificate lifecycle management from the Venafi Platform with Luna HSMs' on-premises or cloud-based hardware security module (HSM) key protection. This out-of-the-box solution delivers full visibility, centralized control and full automation over HTTPS web application keys and certificates. All keys are generated, stored, and used for SSL/TLS within the safe confines of Thales Luna HSMs to reduce the risk of unauthorized data access and loss.

Thales Luna Cloud HSM Service is a cloud-based hardware security module (HSM) as a service that can be deployed within minutes, with no need for specialized hardware or the associated skills.

  1. Venafi Platform requests that web server keys be generated in the Luna HSM, using native commands in Microsoft, Apache, and Java that communicate with Thales libraries.
  2. Following key generation, a certificate request is initiated. All Venafi native policy, workflow and CA integrations are supported.
  3. Once the certificate is approved and received by the Venafi Platform, it is installed automatically at the application. The process is validated and logged and can be audited at any time.
  4. When a certificate is renewed, or a key rolled over, the full process is repeated and automated by the Venafi Platform according to the organization’s policy.