FIPS: Difference between revisions
From DikapediaV2
Helpful links: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#system-wide-crypto-policies_using-the-system-wide-cryptographic-policies
Latest revision as of 19:51, 10 April 2025
How to check if FIPS is enabled
Check that FIPS mode is enabled:
    $ fips-mode-setup --check
    FIPS mode is enabled.
Kernel Parameter for enabling FIPS
fips=1
How to disable FIPS
    $ fips-mode-setup --check
    # fips-mode-setup --disable
Reboot and then check again.
Changing Crypto Policies
Sometimes you may need FIPS to be enabled, but it appears to be blocking or preventing you from doing something (e.g. RDP sessions using xfreerdp, SSH issues, etc.). In such cases it is best to change the crypto policies; that way you can keep FIPS enabled and still have further restrictions, as opposed to disabling it.
To update the crypto policies, you can run something like:
    $ sudo update-crypto-policies --set FIPS:OSPP
    Setting system policy to FIPS:OSPP
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.
or
$ sudo update-crypto-policies --set FIPS:NO-ENFORCE-EMS
Play around with different crypto policies to see what would work for you.
Check Crypto Policies
    $ sudo update-crypto-policies --show
    FIPS:OSPP
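After switching policies it is worth confirming that the kernel parameter (`fips=1`) and the policy reported by `update-crypto-policies --show` still agree. The script below is an added example, not part of the original page; the function names and verdict strings are hypothetical, and it assumes the kernel command line is readable from `/proc/cmdline`.

```shell
#!/bin/sh
# Added example (not from the wiki page): cross-check the kernel FIPS flag
# against the active crypto policy. Verdict strings are hypothetical labels.

# Return 0 if the kernel command line carries fips=1 as a whole argument.
cmdline_has_fips() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
    esac
    return 1
}

# "FIPS:OSPP" -> base policy "FIPS"
policy_base() { printf '%s\n' "${1%%:*}"; }

# "FIPS:OSPP" -> subpolicies "OSPP" (empty when none are applied)
policy_subs() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# fips_state CMDLINE POLICY: print one verdict for the pair.
fips_state() {
    base=$(policy_base "$2")
    subs=$(policy_subs "$2")
    if cmdline_has_fips "$1"; then
        if [ "$base" != "FIPS" ]; then
            echo "mismatch:kernel-fips-policy-$base"
        elif [ -n "$subs" ]; then
            echo "fips-with-subpolicy:$subs"
        else
            echo "fips"
        fi
    elif [ "$base" = "FIPS" ]; then
        echo "mismatch:policy-fips-kernel-off"
    else
        echo "not-fips"
    fi
}

# Constructed sample: FIPS kernel flag set, but policy switched to DEFAULT.
fips_state "BOOT_IMAGE=/vmlinuz ro fips=1" "DEFAULT"

# Live check, only where the tool from the page is installed.
if command -v update-crypto-policies >/dev/null 2>&1 && [ -r /proc/cmdline ]; then
    fips_state "$(cat /proc/cmdline)" "$(update-crypto-policies --show)"
fi
```

A `mismatch:` verdict means the kernel flag and the policy disagree, which is the state to investigate before relying on the host as FIPS-enabled.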