[ksk-rollover] ICANN to generate new KSK

Michael StJohns msj at nthpermutation.com
Thu Feb 29 18:21:24 UTC 2024

Hi -

The product brief for the Luna USB G7 doesn't provide a lot of data.  
The previous HSM provided level four hardware protection - e.g. a tamper 
perimeter and the ability to zeroize the keys if someone tried to decap 
the thing.  That's almost entirely dependent on having a constant power 
source - usually a three stage line/battery/capacitor model.

On the PCI cards, there's a Li ion battery - a rather large one - on the 
card just in front of the tamper covered HSM engine.  See 

The older luna USB HSM had a battery compartment - I can't see one on 
the images I've been able to find of the current one.  It was also a 
most Level 2 device with L3 security.

My questions are these: Is there an internal battery? Is it replaceable? 
How often does this USB HSM need to be plugged into power to maintain 
the internal battery? What happens if you leave it in a safe for a year 
- or alternately, how long can the unit remain unplugged before it wipes 
its keys?  What's the lifetime of the battery before replacement?

Later, Mike

On 2/28/2024 7:20 PM, James Mitchell via ksk-rollover wrote:
> ICANN has announced the schedule to generate the next KSK.
> Generating a new KSK restarts the process announced last year, which 
> was suspended after it was identified that a supplier of key equipment 
> used to store the KSK (known as a Hardware Security Module, or HSM) 
> would be exiting the business during the expected lifespan of the new KSK.
> The next KSK will be generated on new Thales Luna USB G7 HSMs.
> The announcement and information regarding the new HSMs is published 
> at 
> https://www.icann.org/en/announcements/details/icann-to-generate-new-dns-cryptographic-key-at-april-2024-ceremony-28-02-2024-en.
> James Mitchell
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/ksk-rollover/attachments/20240229/2934b7d9/attachment.html>

More information about the ksk-rollover mailing list