Thales Luna HSM v7.9

Hardware Security Modules represent the highest-assurance tier of cryptographic infrastructure, storing private keys in tamper-evident, tamper-resistant physical devices that resist both logical attacks and physical extraction attempts. Thales Luna HSM version 7.9, released in 2025, is the first commercially available HSM with native firmware support for ML-KEM and ML-DSA — meaning PQC key generation, key wrapping, and digital signature operations occur entirely within the secure hardware boundary, never exposing private key material to the host system. The significance for enterprise security cannot be overstated for specific use cases. Root CA private keys, long-term encryption keys for archived data, code-signing keys, and master key encryption keys (MKEKs) for key management systems represent the highest-value targets for HNDL attacks. These are exactly the keys that should be stored in HSMs — and the upgrade to Luna 7.9 firmware means organizations can migrate these critical keys to ML-KEM and ML-DSA protection without leaving the hardware security boundary. Thales Luna HSM 7.9 supports ML-KEM-768 and ML-KEM-1024 for key encapsulation, and ML-DSA-44, ML-DSA-65, and ML-DSA-87 for digital signatures, all within the hardware. The FIPS 140-3 Level 3 validation application for the PQC firmware was submitted in 2025 and was in active evaluation with NIST's CMVP program as of mid-2026. Level 3 validation requires physical tamper-evidence and identity-based authentication, making it the appropriate standard for government and financial industry applications. The Luna HSM integrates with Thales' broader CipherTrust platform for key lifecycle management, enabling enterprises to manage PQC keys alongside classical keys in a unified dashboard. This is important for the hybrid deployment period when both RSA/ECC and PQC keys coexist. Thales also provides a firmware upgrade path for existing Luna 7.x hardware in the field, allowing organizations to extend their HSM investment rather than replacing hardware.