Federal Information Processing Standards (FIPS)

An administrator can check and enable the system for adherence to Federal Information Processing Standards (FIPS).

To check the system FIPS status, use system fips.

If FIPS is not enabled, the command output looks as follows:

platform@nicnode1:~$ system fips
FIPS mode is disabled

To enable FIPS on the system, use system fips enable.

Important

The use of FIPS on the system requires a subscription to the Ubuntu Advantage service package from Canonical in order to obtain the necessary cryptographic modules.

Internet access will be required from your system to the necessary Ubuntu Advantage service package URLs.

You will be prompted to:

  • input the base and update system URLs as given for the program
  • indicate if you wish to use a proxy and to provide its URL

Contact your VOSS account manager or VOSS support for detailed information on using the Ubuntu Advantage service package in the system.

Console output will be similar to the example below:

platform@nic-fips-un1:~$ system fips enable
Please enter the URL as given by Canonical for the base Ubuntu Advantage program
eg. deb 'https://<user>:<password>@private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu <ubuntu version> main'

URL: <URL>

Please enter the URL as given by Canonical for the Ubuntu Advantage update program
eg. deb 'https://<user>:<password>@private-ppa.launchpad.net/ubuntu-advantage/fips-updates/ubuntu <ubuntu version> main'

URL: <URL>

Do you want to use an apt proxy? y

What is the proxy URL?
<URL>

Installing required packages

If FIPS is enabled, the system fips command output is:

platform@nic-fips-un1:~$ system fips
FIPS mode is enabled

It is important to note:

  • After running system fips enable, run system reboot to apply the FIPS enable changes.
  • If FIPS mode is to be enabled on a cluster, it should be enabled on all nodes.
  • If FIPS is enabled on a system, it cannot be disabled.
  • All system passwords are stored using FIPS 140-2 compliant encryption algorithms, whether or not FIPS mode is enabled.
  • If FIPS is enabled on a system, all install scripts and templates are encrypted and decrypted using FIPS 140-2 compliant encryption algorithms.
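
Because FIPS mode should be enabled on every node of a cluster, it helps to compare the system fips output from all nodes in one pass. The script below is an added example, not part of the product or its documentation. It assumes you have already collected each node's system fips output into "node|output" lines; the node names, the collection format and the sample data are constructed.

```shell
#!/bin/sh
# Added example: audit collected `system fips` output for a whole cluster.
# Assumption: one line per node, formatted as "<node>|<text printed by system fips>".

# Constructed sample data: one enabled node, one disabled node, and one node
# whose status could not be collected (the text is an error, not a status).
SAMPLE_OUTPUTS='node-a|FIPS mode is enabled
node-b|FIPS mode is disabled
node-c|ssh: connect to host node-c port 22: Connection timed out'

# Map the text printed by `system fips` to enabled / disabled / unknown.
classify_fips() {
    case "$1" in
        *"FIPS mode is enabled"*)  echo enabled ;;
        *"FIPS mode is disabled"*) echo disabled ;;
        *)                         echo unknown ;;
    esac
}

# Read "node|output" lines on stdin and print every node that is not
# confirmed enabled. An unknown status counts as a failure, so a node that
# could not be queried is never silently treated as compliant.
# Returns 0 only when every node reports "FIPS mode is enabled".
audit_cluster() {
    rc=0
    while IFS='|' read -r node output; do
        [ -n "$node" ] || continue          # skip blank lines
        state=$(classify_fips "$output")
        if [ "$state" != enabled ]; then
            echo "$node: $state"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration run on the constructed sample.
if report=$(printf '%s\n' "$SAMPLE_OUTPUTS" | audit_cluster); then
    echo "All nodes report FIPS mode enabled"
else
    printf 'Nodes not confirmed in FIPS mode:\n%s\n' "$report"
fi
```
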