Thales Luna Tactical (TCT) HSM provider.
The Luna TCT (Tactical) is a ruggedized, battery-backed HSM designed for mobile, field, and disconnected environments with tamper-responsive security.
§Platform-specific Library Paths
Luna TCT uses the same PKCS#11 library as Luna CSP:
- Linux: `/usr/safenet/lunaclient/lib/libCryptoki2_64.so`
- Windows: `C:\Program Files\SafeNet\LunaClient\cryptoki.dll`
§Tactical/Ruggedized Features
- Battery-backed RAM: Keys persist through power loss
- Tamper detection: Physical intrusion triggers key zeroization
- Environmental hardening: Extended temperature, shock, vibration tolerance
- Portable form factor: Designed for field deployment
§Disconnected/Air-Gapped Environments
Luna TCT is specifically designed for disconnected EST use cases per RHELBU-3536 R7-Disconnected:
- No network dependency: All cryptographic operations local to HSM
- Offline key generation: CA and EST server keys generated on-device
- Manual key transport: Physical custody for key backup/recovery
- Audit trail: Local logging of all key operations
For disconnected deployments:
- Generate CA and EST server keys on TCT in secure facility
- Configure EST server with PKCS#11 URI pointing to TCT keys
- Deploy TCT with EST server to disconnected environment
- All certificate issuance happens locally without network connectivity
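As an added example, not code from the provider module documented here, the following Rust shows the two configuration pieces the steps above depend on: picking the documented PKCS#11 library path for the host platform, and building the RFC 7512 PKCS#11 URI that points the EST server at a key held on the TCT partition. The names `luna_library_path_for`, `TctKeyRef`, `pkcs11_uri` and `pin_source_is_local`, the sample token and object labels, and the `file:` pin-source check are assumptions made for this illustration; the library paths are the ones listed on this page.

```rust
use std::fmt::Write as _;

/// PKCS#11 library path for the Luna client, per platform (paths as documented
/// for this provider). `os` is passed explicitly so the choice is testable on
/// any host; a caller would normally pass `std::env::consts::OS`.
pub fn luna_library_path_for(os: &str) -> &'static str {
    match os {
        "windows" => r"C:\Program Files\SafeNet\LunaClient\cryptoki.dll",
        _ => "/usr/safenet/lunaclient/lib/libCryptoki2_64.so",
    }
}

/// Percent-encode every byte that is not RFC 3986 unreserved or in `extra`.
/// RFC 7512 allows a few more characters unencoded, but encoding them too is
/// always valid and keeps the output easy to audit.
fn pct_encode(bytes: &[u8], extra: &[u8]) -> String {
    let mut out = String::with_capacity(bytes.len() * 3);
    for &b in bytes {
        if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'.' | b'_' | b'~') || extra.contains(&b) {
            out.push(b as char);
        } else {
            write!(out, "%{:02X}", b).unwrap();
        }
    }
    out
}

/// What is needed to locate one private key on a Luna TCT partition
/// (hypothetical struct for this example).
pub struct TctKeyRef<'a> {
    pub token_label: &'a str,        // partition label (CKA_LABEL of the token)
    pub object_label: &'a str,       // CKA_LABEL of the private key object
    pub key_id: &'a [u8],            // raw CKA_ID bytes
    pub module_path: &'a str,        // PKCS#11 library for this platform
    pub pin_source: Option<&'a str>, // where the partition password is read from
}

/// Build an RFC 7512 URI: path attributes joined by ';', query attributes by
/// '&'. The query encoder leaves '/' and ':' unencoded so file paths stay
/// readable; '&', ';', '?' and spaces are always escaped.
pub fn pkcs11_uri(key: &TctKeyRef) -> String {
    let mut uri = format!(
        "pkcs11:token={};object={};id={};type=private",
        pct_encode(key.token_label.as_bytes(), &[]),
        pct_encode(key.object_label.as_bytes(), &[]),
        pct_encode(key.key_id, &[]),
    );
    uri.push_str("?module-path=");
    uri.push_str(&pct_encode(key.module_path.as_bytes(), b"/:"));
    if let Some(src) = key.pin_source {
        uri.push_str("&pin-source=");
        uri.push_str(&pct_encode(src.as_bytes(), b"/:"));
    }
    uri
}

/// Policy check for disconnected deployments (assumption of this example):
/// the partition PIN must come from a local `file:` URI, never from a URI
/// that would need the network the air-gapped site does not have.
pub fn pin_source_is_local(pin_source: &str) -> bool {
    pin_source.starts_with("file:")
}

fn main() {
    // Constructed sample values; real labels and IDs come from the partition.
    let key = TctKeyRef {
        token_label: "EST CA",
        object_label: "est-server-key",
        key_id: &[0x01, 0xAB],
        module_path: luna_library_path_for(std::env::consts::OS),
        pin_source: Some("file:/etc/est/partition.pin"),
    };
    let uri = pkcs11_uri(&key);
    println!("{uri}");
    println!("local pin source: {}", key.pin_source.map_or(false, pin_source_is_local));
}
```

The `id` attribute is emitted as percent-encoded raw bytes (`%01%AB`), which is how RFC 7512 represents a binary CKA_ID; matching on `token`, `object` and `id` together avoids ambiguity when a partition holds several keys with similar labels.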
§Storage Constraints
Luna TCT has more conservative limits than cloud HSMs:
- Limited slot count (typically 1-4 partitions)
- Smaller key storage capacity (hundreds vs thousands of keys)
- Battery lifetime considerations for long-term deployments
§Mechanism Support
Luna TCT provides the same cryptographic mechanisms as Luna CSP:
- Full RSA and ECDSA support
- AES Key Wrap (CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD)
- RSAES-OAEP for key wrapping
Functions§
- default_library_path - Default PKCS#11 library path for Luna TCT.
- provider_config - Get the default provider configuration for Thales Luna TCT.
- supported_mechanisms - Mechanisms supported by Luna TCT.