Operating System
Enabling FIPS Mode
To enable FIPS mode:
$ fips-mode-setup --enable
$ reboot
To enable FIPS mode manually:
dnf install dracut-fips
reboot
press ‘e’ on the grub config menu to ‘edit’ the selected kernel
add “fips=1” to the end of the boot line, or, when multiple disks/partitions are involved, also name the boot partition (e.g. “fips=1 boot=/dev/sda1”)
Ctrl-x to boot with FIPS mode enabled
Alternatively, see the following pages:
Verifying FIPS Mode
To verify FIPS mode:
$ fips-mode-setup --check
FIPS mode is enabled.
or:
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
or:
$ cat /proc/sys/crypto/fips_enabled
1
OpenSSL
NSS
Enabling FIPS Mode in NSS Database
To enable FIPS mode:
$ modutil -dbdir nssdb -fips true
To check FIPS status:
$ modutil -dbdir nssdb -chkfips true
FIPS mode enabled.
To list NSS modules in FIPS mode:
$ modutil -dbdir nssdb -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
       slots: 1 slot attached
      status: loaded

       slot: NSS FIPS 140-2 User Private Key Services
      token: NSS FIPS 140-2 Certificate DB
        uri: pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
-----------------------------------------------------------
Note: The internal token name in FIPS mode is “NSS FIPS 140-2 Certificate DB”.
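The OS-level checks (the kernel flag and the fips=1 boot argument) and the NSS database check from the sections above, combined into one script. This is an added example, not part of the original page; the flag-file, cmdline-file and NSS DB directory parameters are assumptions so the logic can also be run against constructed inputs on a host that is not in FIPS mode.

```shell
#!/bin/sh
# Added example: verify FIPS mode at the OS and NSS levels in one place.
# Paths are parameters (assumed) so the checks can be exercised offline.

# Kernel flag, the same value `sysctl crypto.fips_enabled` reports.
# Returns 0 if enabled, 1 if disabled, 2 if the flag file is unreadable.
kernel_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 2
    [ "$(cat "$flag_file")" = "1" ]
}

# Was fips=1 actually passed on the kernel command line (the manual GRUB step)?
cmdline_has_fips() {
    cmdline_file="${1:-/proc/cmdline}"
    [ -r "$cmdline_file" ] || return 2
    grep -qE '(^| )fips=1( |$)' "$cmdline_file"
}

# Combine both checks into one status word the caller can act on.
fips_status() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    cmdline_file="${2:-/proc/cmdline}"
    if [ ! -r "$flag_file" ]; then
        echo "unavailable"          # kernel exposes no FIPS flag at all
    elif ! kernel_fips_enabled "$flag_file"; then
        echo "disabled"
    elif cmdline_has_fips "$cmdline_file"; then
        echo "enabled"
    else
        echo "enabled (fips=1 not on kernel cmdline)"
    fi
}

# NSS database check using modutil's own verdict: `-chkfips true` prints
# "FIPS mode enabled." when the internal module is in FIPS mode.
# Returns 0 if enabled, 1 if not, 2 if modutil is not installed.
nss_fips_enabled() {
    dbdir="$1"
    command -v modutil >/dev/null 2>&1 || return 2
    modutil -dbdir "$dbdir" -chkfips true 2>/dev/null | grep -q 'FIPS mode enabled'
}

# Stand-alone run against the live system (NSSDB defaults to ./nssdb as on the page).
echo "Kernel: $(fips_status)"
nss_fips_enabled "${NSSDB:-nssdb}"
case $? in
    0) echo "NSS DB: FIPS mode enabled" ;;
    2) echo "NSS DB: modutil not installed, check skipped" ;;
    *) echo "NSS DB: FIPS mode not enabled" ;;
esac
```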
Password Requirements
In FIPS mode the NSS database password must be a strong password, e.g. Secret.123.