Enabling FIPS mode in Amazon Linux 2

Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptographic modules that protect sensitive information. It is the current United States and Canadian government standard, and is applicable to systems that are required to be compliant with Federal Information Security Management Act (FISMA) or Federal Risk and Authorization Management Program (FedRAMP).

Industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) also depend on FIPS 140-2 certified cryptographic modules to protect cardholder data or sensitive authentication data during storage, processing and transmission.

Some cryptographic modules included in Amazon Linux 2 have been assessed by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP). The secure operation of these cryptographic modules, including OpenSSL, as well as the Open Secure Shell (OpenSSH) client and server modules are certified.

In this blog, we demonstrate how to enable FIPS mode in Amazon Linux 2 and verify that unauthorized cryptographic functions are not being used in OpenSSL or the OpenSSH server.

Walkthrough

The process of enabling FIPS mode requires you to install the FIPS module (dracut-fips) and adjust the operating system boot procedure to pass the appropriate flag at the start.

Prerequisites

For this walkthrough, you need to have:

• An AWS account.
• Existing AWS Amazon Linux 2 Amazon Elastic Compute Cloud (Amazon EC2) instance with access to the internet to download required packages.
• Access to the Amazon EC2 Linux via Secure Shell (SSH) or AWS Systems Manager Session Manager (Instructions can be found here).

Enabling FIPS mode

1. Log in to the Amazon Linux 2 Instance.

2. Update the Operating System (OS) packages to ensure the OS is up to date:

sudo yum update -y

3. Install and enable the FIPS module:

sudo yum install -y dracut-fips
sudo dracut -f

4. Enable FIPS mode by adding kernel argument:

sudo /sbin/grubby --update-kernel=ALL --args="fips=1"

5. Reboot the OS:

sudo reboot

Verify FIPS Mode is enabled

1. To verify that FIPS mode is enabled at the operating system level, enter the following command:

sysctl crypto.fips_enabled

The output of the previous step should be: crypto.fips_enabled = 1

If the response is not as shown above, please ensure steps 1-4 in “enabling FIPS mode” were correctly followed and that the system was rebooted.

2. Check the OpenSSL version and ensure it contains FIPS in the output:

openssl version

For example, the output may be “OpenSSL 1.0.2k-fips”.

3. To further verify that OpenSSL is configured correctly, attempt to execute OpenSSL with a non-FIPS validated algorithm such as Secure Hashing Algorithm (SHA). This should result in an error stating “Disabled for FIPS”.

openssl sha

Example output of this command:

139769536427936:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:

4. To verify the OpenSSH server is using the intended FIPS mode:

ssh localhost 2>&1 | grep FIPS

The output should read: “FIPS mode initialized”.

Conclusion

By performing the steps above, you enabled FIPS mode for Amazon Linux 2. Important cryptographic modules should now meet federal compliance requirements associated with the mandated use of FIPS 140-2 validated cryptography. This should help you achieve compliance with relevant standards, or assist in your path to obtaining an Authority to Operate (ATO) on AWS. To learn more about ATO on AWS, including resources related to achieving FedRAMP compliance or finding an APN Partner to assist you, visit the Authority to Operate (ATO) on AWS page.

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.