AWS Public Sector Blog

Enabling FIPS mode in Amazon Linux 2

Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptographic modules that protect sensitive information. It is the current United States and Canadian government standard, and is applicable to systems that are required to be compliant with Federal Information Security Management Act (FISMA) or Federal Risk and Authorization Management Program (FedRAMP).

Industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) also depend on FIPS 140-2 certified cryptographic modules to protect cardholder data or sensitive authentication data during storage, processing and transmission.

Some cryptographic modules included in Amazon Linux 2 have been assessed by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP). The modules validated in this way include OpenSSL as well as the Open Secure Shell (OpenSSH) client and server.

In this blog, we demonstrate how to enable FIPS mode in Amazon Linux 2 and verify that unauthorized cryptographic functions are not being used in OpenSSL or the OpenSSH server.

Walkthrough

The process of enabling FIPS mode requires you to install the FIPS module (dracut-fips) and adjust the operating system boot procedure so that the appropriate kernel flag is passed at boot.

Prerequisites

For this walkthrough, you need to have:

Enabling FIPS mode

1. Log in to the Amazon Linux 2 Instance.

2. Update the Operating System (OS) packages to ensure the OS is up to date:

sudo yum update -y

3. Install and enable the FIPS module:

sudo yum install -y dracut-fips
sudo dracut -f

4. Enable FIPS mode by adding the fips=1 kernel argument to every installed kernel:

sudo /sbin/grubby --update-kernel=ALL --args="fips=1"

5. Reboot the OS:

sudo reboot

Verify FIPS Mode is enabled

1. To verify that FIPS mode is enabled at the operating system level, enter the following command:

sysctl crypto.fips_enabled

The output of the previous step should be: crypto.fips_enabled = 1

If the response is not as shown above, please ensure steps 1-4 in “enabling FIPS mode” were correctly followed and that the system was rebooted.

2. Check the OpenSSL version and ensure it contains FIPS in the output:

openssl version

For example, the output may be “OpenSSL 1.0.2k-fips”.

3. To further verify that OpenSSL is configured correctly, attempt to execute OpenSSL with a non-FIPS-validated algorithm, such as the original Secure Hash Algorithm (SHA-0, which is what the openssl sha command selects). This should result in an error stating “disabled for fips”.

openssl sha

Example output of this command:

139769536427936:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:

4. To verify the OpenSSH server is using the intended FIPS mode:

ssh localhost 2>&1 | grep FIPS

The output should read: “FIPS mode initialized”.
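The four verification steps above, folded into one script that reports PASS/FAIL per check. This is an added example, not code from the original post; the --live flag and the ssh BatchMode option are conventions chosen here so the script never waits for input.

```shell
#!/bin/sh
# Added example (not from the original post): runs the same four checks as
# the "Verify FIPS Mode is enabled" section. Each check is a small function
# over captured text, so it can also be run against saved output.

# Check 1: kernel flag, expects "crypto.fips_enabled = 1".
fips_sysctl_enabled() {
    echo "$1" | grep -Eq '^crypto\.fips_enabled[[:space:]]*=[[:space:]]*1$'
}

# Check 2: the OpenSSL version string must carry the "-fips" suffix.
openssl_is_fips_build() {
    echo "$1" | grep -qi 'fips'
}

# Check 3: a non-approved digest (openssl sha) must be refused by libcrypto.
nonapproved_digest_refused() {
    echo "$1" | grep -qi 'disabled for fips'
}

# Check 4: the OpenSSH binaries announce "FIPS mode initialized" on stderr.
ssh_fips_initialized() {
    echo "$1" | grep -q 'FIPS mode initialized'
}

# Evaluate one check and print a PASS/FAIL line; a failure sets rc=1.
report() {
    if "$1" "$2"; then echo "PASS: $3"; else echo "FAIL: $3"; rc=1; fi
}

# Gather live output from this host and run every check.
# BatchMode=yes is an assumption added here so ssh never prompts.
run_fips_checks() {
    rc=0
    report fips_sysctl_enabled "$(sysctl crypto.fips_enabled 2>/dev/null)" \
        "crypto.fips_enabled = 1"
    report openssl_is_fips_build "$(openssl version 2>/dev/null)" \
        "openssl version reports a FIPS build"
    report nonapproved_digest_refused "$(echo x | openssl sha 2>&1)" \
        "openssl sha is disabled for fips"
    report ssh_fips_initialized "$(ssh -o BatchMode=yes localhost true 2>&1)" \
        "ssh prints FIPS mode initialized"
    return $rc
}

# Live checks run only when invoked as: sh fips-check.sh --live
if [ "${1:-}" = "--live" ]; then
    run_fips_checks
fi
```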

Conclusion

By performing the steps above, you enabled FIPS mode for Amazon Linux 2. Important cryptographic modules should now meet federal compliance requirements associated with the mandated use of FIPS 140-2 validated cryptography. This should help you achieve compliance with relevant standards, or assist in your path to obtaining an Authority to Operate (ATO) on AWS. To learn more about ATO on AWS, including resources related to achieving FedRAMP compliance or finding an APN Partner to assist you, visit the Authority to Operate (ATO) on AWS page.

Ashneet Gujral


Ashneet Gujral is a solutions architect for Amazon Web Services (AWS). He works with the ATO on AWS program to help customers achieve their compliance certifications quickly by exploring new technologies and securing them to meet the needs of the ever-changing security landscape. He is always up for new challenges and open to exploring any idea, regardless of how small or big it is.

James Armitage


James is a principal solutions architect and security specialist at Amazon Web Services (AWS), and is based in Vancouver, Canada. His primary focus is on helping public sector customers learn and apply best practices to their cloud journeys.