FIPS
From DikapediaV2
How to check if FIPS is enabled
Check that FIPS mode is enabled:
$ fips-mode-setup --check FIPS mode is enabled.
Kernel Parameter for enabling FIPS
fips=1
How to disable FIPS
$ fips-mode-setup --check # fips-mode-setup --disable
Reboot and then check again.
Changing Crypto Policies
Sometimes you may need FIPS to be enabled but it appears to be blocking or preventing you from doing something (e.g. RDP sessions using xfreerdp or something, SSH issues, etc.). In such cases it is best to change the crypto crypto polices, that way you can still FIPS enabled and have further restrictions as opposed to disabling it.
To update the crypto policies, you can run something like:
$ sudo update-crypto-policies --set FIPS:OSPP Setting system policy to FIPS:OSPP Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.
or
$ sudo update-crypto-policies --set FIPS:NO-ENFORCE-EMS
Play around with different crypto policies to see what would work for you.
Check Crypto Policies
$ sudo update-crypto-policies --show FIPS:OSPP
| Crypto Policy | FIPS Compliance Level | Description |
|---|---|---|
| FIPS | FIPS-Compliant | Enforces FIPS compliance. Only FIPS-validated algorithms are allowed. |
| FIPS:NO-ENFORCE-EMS | Relaxed FIPS | Enforces FIPS compliance but allows the use of non-compliant algorithms for Emergency Management Services (EMS). |
| OSPP | Non-FIPS | Common Criteria OSPP (Orange Book) compliance. This policy is used for achieving specific security certifications beyond FIPS. |
| DEFAULT | Non-FIPS | No FIPS restrictions. All algorithms (compliant and non-compliant) are allowed. This is the default policy. |
| LEGACY | Non-FIPS | Allows the use of legacy algorithms that may not be FIPS-compliant. This policy is intended for compatibility with older systems and applications. |
Descriptions:
- FIPS: This policy enforces FIPS compliance strictly. Only FIPS-validated algorithms are allowed. This is used in environments where FIPS compliance is mandatory.
- FIPS:NO-ENFORCE-EMS: This policy enforces FIPS compliance but allows the use of non-compliant algorithms specifically for Emergency Management Services (EMS). This provides a relaxation for critical services while maintaining overall FIPS compliance.
- OSPP: This policy is used for achieving Common Criteria OSPP (Orange Book) compliance. It is not specifically focused on FIPS compliance but rather on broader security certifications.
- DEFAULT: This is the default crypto policy with no FIPS restrictions. All algorithms, both compliant and non-compliant, are allowed. It provides maximum flexibility but does not ensure FIPS compliance.
- LEGACY: This policy allows the use of legacy algorithms that may not be FIPS-compliant. It is intended for compatibility with older systems and applications that require these algorithms.