
FIPS (Federal Information Processing Standards)

What’s FIPS?

Federal Information Processing Standards (FIPS) are federal standards for computer systems used by contractors of government agencies and non-military government agencies.

FIPS 140-2 is a specific federal government security standard used to approve cryptographic modules. Chef Automate uses the OpenSSL FIPS Object Module, which satisfies the requirements of software cryptographic modules under the FIPS 140-2 standard. The OpenSSL Object Module provides an API for invoking FIPS approved cryptographic functions from calling applications.

Who should enable FIPS?

You may be legally required to enable FIPS if you are a United States non-military government agency, or are contracting with one. If you are not sure if you need to enable FIPS, please check with your compliance department.

Who shouldn’t enable FIPS?

You will only need to enable FIPS if you are a US non-military government agency, or contracting with one, and you are contractually obligated to meet federal government security standards. If you aren’t a US non-military governmental agency, or you aren’t contracting with one, and you aren’t contractually obligated to meet federal government security standards, then don’t enable FIPS. Chef products have robust security standards even without FIPS, and FIPS prevents the use of certain hashing algorithms you might want to use, so we only recommend enabling FIPS if it’s contractually necessary.

Supported products

Supported:

Unsupported:

FIPS mode isn’t supported for Chef Infra Server add-ons. This includes Chef Manage.

How to enable FIPS mode in the operating system

FIPS kernel settings

Windows and Red Hat Enterprise Linux can both be configured for FIPS mode using a kernel-level setting. After FIPS mode is enabled at the kernel level, the operating system will only use FIPS approved algorithms and keys during operation.

All of the tools Chef produces that have FIPS support read this kernel setting and default their mode of operation to match it, with the exception of Chef Workstation, which requires designating a port in the fips_git_port setting of the cli.toml. For the other Chef Infra tools, Chef Infra Client for example, if chef-client is run on an operating system configured into FIPS mode, that Chef Infra Client run will automatically be in FIPS mode unless the user disables it.

To enable FIPS on your platform follow these instructions:

How to enable FIPS mode for Chef Infra Server

Prerequisites

  • Supported Systems - CentOS or Red Hat Enterprise Linux 6 or greater
  • Chef Infra Server version 12.13 or greater

Configuration

If you have FIPS compliance enabled at the kernel level and install or reconfigure Chef Infra Server then it will default to running in FIPS mode.

To enable FIPS manually for Chef Infra Server, you can add fips true to /etc/opscode/chef-server.rb and reconfigure. For more configuration information see chef-server.rb Optional Settings.

How to enable FIPS mode for Chef Infra Client

Prerequisites

  • Supported Systems - CentOS, Oracle Linux, Red Hat Enterprise Linux 6 or later, and Ubuntu
  • Chef Infra Client 16.13 or later for Ubuntu systems

Configuration

If you have FIPS compliance enabled at the kernel level, Chef Infra Client will default to running in FIPS mode. Otherwise, add fips true to /etc/chef/client.rb or C:\chef\client.rb.
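The two rules above (the kernel setting supplies the default, an explicit fips true or fips false in the config file overrides it) can be resolved in a few lines of Ruby. The following is an added example, not Chef's own code: it reads the Linux kernel flag from a path given as a parameter so it can be exercised against a constructed file, and the FipsConfig class is a hypothetical stand-in for the client.rb setting syntax that understands only the fips keyword and ignores everything else (real Chef config files are full Ruby). The OpenSSL.fips_mode query at the end is the standard Ruby OpenSSL binding and is what you would check after a reconfigure to confirm the process really is in FIPS mode.

```ruby
require "openssl"

# Linux exposes the kernel FIPS switch as a one-character sysctl file.
# On Windows the equivalent is the registry value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
# (not read here; this example only handles the Linux path).
LINUX_FIPS_FLAG = "/proc/sys/crypto/fips_enabled".freeze

# true when the kernel reports FIPS mode; a missing or unreadable flag file
# (non-Linux host, restricted container) is treated as "not enabled".
def kernel_fips_enabled?(flag_path = LINUX_FIPS_FLAG)
  return false unless File.readable?(flag_path)

  File.read(flag_path).strip == "1"
end

# Hypothetical minimal config DSL: only `fips true` / `fips false` is
# interpreted; any other setting in the file is accepted and ignored.
class FipsConfig
  attr_reader :fips_setting

  def initialize
    @fips_setting = nil # nil means the file does not mention fips at all
  end

  def fips(value)
    unless [true, false].include?(value)
      raise ArgumentError, "fips expects true or false, got #{value.inspect}"
    end

    @fips_setting = value
  end

  # Swallow other client.rb settings (log_level, chef_server_url, ...).
  def method_missing(_name, *_args, &_block)
    nil
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end

  def self.parse(text)
    cfg = new
    cfg.instance_eval(text)
    cfg
  end
end

# Effective mode for a run: an explicit config value wins, otherwise
# the kernel flag decides (the behaviour the page describes for
# Chef Infra Client and Chef Infra Server).
def effective_fips_mode(config_text, flag_path = LINUX_FIPS_FLAG)
  cfg = FipsConfig.parse(config_text)
  return cfg.fips_setting unless cfg.fips_setting.nil?

  kernel_fips_enabled?(flag_path)
end

# What the running process's OpenSSL actually reports; this is the value
# to verify after enabling FIPS, since a config line alone proves nothing.
def openssl_fips_mode_active?
  OpenSSL.fips_mode
end

# Probe whether a digest can be used by this process. Under FIPS mode
# non-approved algorithms such as MD5 fail here, which is the restriction
# the page warns about; SHA-256 is available in both modes.
def digest_available?(name)
  OpenSSL::Digest.new(name).hexdigest("probe")
  true
rescue StandardError
  false
end

if __FILE__ == $PROGRAM_NAME
  config = File.exist?("/etc/chef/client.rb") ? File.read("/etc/chef/client.rb") : ""
  puts "kernel FIPS flag:      #{kernel_fips_enabled?}"
  puts "effective for run:     #{effective_fips_mode(config)}"
  puts "OpenSSL fips_mode now: #{openssl_fips_mode_active?}"
  %w[MD5 SHA256].each { |d| puts "#{d} usable: #{digest_available?(d)}" }
end
```

Run it on a node after adding fips true and reconfiguring: the first two lines show what the config logic decides, while the OpenSSL line shows what the process is really doing, and a node where the two disagree is the one to investigate.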

Bootstrap a node using FIPS

knife bootstrap 192.0.2.0 -P vanilla -x root -r 'recipe[apt],recipe[xfs],recipe[vim]' --fips

which shows something similar to:

OpenSSL FIPS 140 mode enabled
...
192.0.2.0 Chef Infra Client finished, 12/12 resources updated in 78.942455583 seconds