FIPS (Federal Information Processing Standards)
What is FIPS?
Federal Information Processing Standards (FIPS) are federal standards for computer systems used by contractors of government agencies and non-military government agencies.
FIPS 140-2 is a specific federal government security standard used to approve cryptographic modules. Chef Automate uses the OpenSSL FIPS Object Module, which satisfies the requirements for software cryptographic modules under the FIPS 140-2 standard. The OpenSSL FIPS Object Module provides an API through which calling applications invoke only FIPS-approved cryptographic functions.
Who should enable FIPS?
You may be legally required to enable FIPS if you are a United States non-military government agency, or are contracting with one. If you are not sure if you need to enable FIPS, please check with your compliance department.
Who shouldn’t enable FIPS?
You will only need to enable FIPS if you are a US non-military government agency, or are contracting with one, and you are contractually obligated to meet federal government security standards. If neither applies to you, do not enable FIPS. Chef products have robust security standards even without FIPS, and FIPS mode blocks non-approved hashing algorithms (MD5, for example) that you might otherwise want to use, so we only recommend enabling FIPS when it is contractually necessary.
FIPS mode is not supported for Chef Infra Server add-ons. This includes:
- Chef Manage
- Push Jobs
How to enable FIPS mode in the Operating System
FIPS kernel settings
Windows and Red Hat Enterprise Linux can both be configured for FIPS mode using a system-wide setting: a Local Security Policy option backed by a registry value on Windows, and the fips=1 kernel boot parameter on Red Hat Enterprise Linux. After FIPS mode is enabled at this level, the operating system will only use FIPS-approved algorithms and keys during operation.
All of the tools Chef produces that have FIPS support read this kernel setting and default their mode of operation to match it, with the exception of Chef Workstation, which requires designating a port in the fips_git_port setting of cli.toml. For the other Chef tools, Chef Infra Client for example, if chef-client is run on an operating system configured into FIPS mode, that Chef run will automatically be in FIPS mode unless the user explicitly disables it in the configuration.
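The following is an added example, not code from Chef or from this page. It shows how a FIPS-aware tool can read the operating-system FIPS setting described above and derive the mode a run should default to. The proc path and registry key are the standard locations on Linux and Windows; the CHEF_FIPS environment variable name and the precedence rules (explicit config wins, then the environment, then the OS) are assumptions chosen to match the behaviour this page describes.

```ruby
require "tempfile"
require "openssl"

# Added example, not Chef's own code: read the OS FIPS setting and derive the
# mode a run should default to. CHEF_FIPS and the precedence rules below are
# assumptions made for this example.

LINUX_FIPS_PROC = "/proc/sys/crypto/fips_enabled".freeze
WINDOWS_FIPS_KEY = 'System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'.freeze

# Linux: the kernel exposes a single digit, "1" when FIPS mode is active.
# A missing file means this kernel has no FIPS mode at all.
def linux_fips_enabled?(proc_path = LINUX_FIPS_PROC)
  File.exist?(proc_path) && File.read(proc_path).strip != "0"
end

# Windows: the policy is stored as the "Enabled" DWORD under the Lsa key.
# Returns false when the key is absent or the registry bindings cannot load.
def windows_fips_enabled?(key = WINDOWS_FIPS_KEY)
  require "win32/registry"
  Win32::Registry::HKEY_LOCAL_MACHINE.open(key) { |reg| reg.read_i("Enabled") != 0 }
rescue LoadError, StandardError
  false
end

def os_fips_enabled?
  Gem.win_platform? ? windows_fips_enabled? : linux_fips_enabled?
end

# Mode a run should use:
#   1. an explicit `fips true` / `fips false` in the tool's config wins,
#   2. otherwise a non-empty CHEF_FIPS environment variable forces FIPS on,
#   3. otherwise follow the operating-system setting.
def effective_fips_mode(config_fips: nil, env: ENV, os_fips: os_fips_enabled?)
  return config_fips unless config_fips.nil?
  return true unless env["CHEF_FIPS"].to_s.empty?
  os_fips
end

# What the OpenSSL library linked into this Ruby currently reports
# (nil if the binding does not expose it).
def openssl_fips_active?
  OpenSSL.fips_mode
rescue StandardError
  nil
end

# Constructed sample input (not a real /proc entry): write a fake fips_enabled
# file so the Linux reader can be exercised on any machine.
def check_constructed_proc_file(content)
  Tempfile.create("fips_enabled") do |f|
    f.write(content)
    f.flush
    linux_fips_enabled?(f.path)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "OS FIPS setting:      #{os_fips_enabled?}"
  puts "OpenSSL FIPS mode:    #{openssl_fips_active?.inspect}"
  puts "Effective run mode:   #{effective_fips_mode}"
  puts "Constructed '1' file: #{check_constructed_proc_file("1\n")}"
end
```

Run it as a script on a FIPS-enabled host and the first line reports true; the OpenSSL line tells you whether the Ruby you are running is actually linked against a FIPS-capable OpenSSL, which is the part a kernel flag alone cannot guarantee.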
To enable FIPS on your platform, follow these instructions:
How to enable FIPS mode for the Chef Infra Server
- Supported Systems - CentOS or Red Hat Enterprise Linux 6 or greater
- Chef Infra Server version 12.13.0 or greater
If you have FIPS compliance enabled at the kernel level and then install or reconfigure the Chef Infra Server, it will default to running in FIPS mode.
To enable FIPS manually for the Chef Infra Server, add the FIPS setting to /etc/opscode/chef-server.rb and reconfigure. For more configuration information see Chef
How to enable FIPS mode for the Chef Infra Client
- Supported Systems - CentOS, Oracle Linux, or Red Hat Enterprise Linux 6 or later
If you have FIPS compliance enabled at the kernel level, then Chef Infra Client will default to running in FIPS mode. Otherwise you can add fips true to the
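As an added example covering both the server and the client configuration above (not a fragment from this page), the two Ruby config files with the setting in place. The file paths and the `fips` setting name are taken from Chef's Infra Server and Infra Client configuration references rather than from this page; the server file only takes effect after a reconfigure.

```ruby
# /etc/opscode/chef-server.rb  (apply with: chef-server-ctl reconfigure)
# Runs the server's OpenSSL in FIPS mode even if the kernel flag is off.
fips true

# /etc/chef/client.rb
# Explicit setting; it overrides the kernel default in either direction.
# `fips false` here is the opt-out mentioned above: it keeps a run out of
# FIPS mode on a kernel that has it enabled.
fips true
```

The explicit line is worth keeping even on FIPS kernels: it makes the intent visible in version control and survives a host being rebuilt without the kernel flag.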
Bootstrap a node using FIPS
knife bootstrap 192.0.2.0 -P vanilla -x root -r 'recipe[apt],recipe[xfs],recipe[vim]' --fips
which shows something similar to:
OpenSSL FIPS 140 mode enabled
...
192.0.2.0 Chef Infra Client finished, 12/12 resources updated in 78.942455583 seconds