Enable FIPS mode LUKS file systems with aes-xts-plain64


We've Kickstart-built several RHEL7 systems using the default Anaconda encryption (aes-xts-plain64) as shown below.

part /boot --fstype="xfs" --asprimary --ondisk=sda --size=500
part pv.00 --fstype="lvmpv" --ondisk=sda --grow --encrypted --passphrase='supersecretpassword'
part pv.01 --fstype="lvmpv" --ondisk=sdb --grow --encrypted --passphrase='supersecretpassword'

Then, we've followed the procedure outlined at https://access.redhat.com/solutions/256833 to get the systems to boot without having to supply a LUKS password.

When we enable FIPS mode, we are unable to boot the system anymore without taking the system back out of FIPS mode.

From what I can tell, aes-xts-plain64 might be the problem, being unsupported by FIPS.

Is there some procedure we can follow to get FIPS with aes-xts-plain64 to work with LUKS without going to extremes like those outlined at https://access.redhat.com/solutions/1162843 using the cryptsetup-reencrypt command?

Additionally, we have RHEL7 Kickstart-built servers successfully running in FIPS mode without having followed the procedure to boot without supplying a LUKS password.

I see issues with FIPS and LUKS addressed for RHEL6 but nothing for RHEL7.

Additional question: will Kickstart RHEL7 rebuilds using aes-cbc-essiv:sha256 solve the FIPS issue we are having?

part /boot --fstype="xfs" --asprimary --ondisk=sda --size=500
part pv.00 --fstype="lvmpv" --ondisk=sda --grow --encrypted --cipher=aes-cbc-essiv:sha256 --passphrase='supersecretpassword'
part pv.01 --fstype="lvmpv" --ondisk=sdb --grow --encrypted --cipher=aes-cbc-essiv:sha256 --passphrase='supersecretpassword'

Thanks

Responses

FIPS is a harsh mistress: you can't force a non-compliant cryptography method to be compatible with FIPS. Your best bet is to ensure that you're using a FIPS-compatible encryption option (for new systems). If you've got existing data on an incompatibly-crypted volume, you're just going to have to suck it up and transfer the data from that volume to a new volume (or skip trying to use FIPS).

Hi Lyle. I authored both of the articles you linked as well as virtually every LUKS & FIPS howto article we have on the Portal (categorized here under "dm-crypt/LUKS, ecryptfs" and "FIPS").

I'm surprised you're having trouble. I would expect the default Anaconda-chosen LUKS cipher to cause no problems in FIPS mode. That said, if you're concerned with FIPS, you really should be booting the installer with fips=1. Take a look at the end of this comment I just posted to someone else.

Hey Ryan. We've had "fun" trying to use FIPS elsewhere in our infrastructure. We attempted to implement PAM pam_ssh_agent_auth CAC authentication for sudo elsewhere in our infrastructure. It worked fine until we turned on FIPS. There is a direct conflict there somewhere.

Our IDM server we recently built worked fine until we turned on FIPS. The latest Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-en-US.pdf now indicates IDM cannot be run in FIPS mode.

In our case above, we discovered the autoboot problem was FIPS related but not FIPS per se.

It's important to know if the system you are working on is built UEFI or BIOS so the boot=/dev/sda? entry you also have to add to the command line is pointing at the correct location to boot. Strangely, when FIPS=0 was set, the boot=/dev/sda? entry appeared to get ignored and the system booted properly. Because we've had so much "fun" with FIPS elsewhere, it was easy to assume the problem was with the default aes-xts-plain64.

I do have a LUKS question on the autoboot procedure. If there are multiple keys added to a LUKS device with luksAddKey, how is that key list being interrogated during the autoboot process to match the .keyfile? It looks like only the last key entered is being matched against the entry in .keyfile. We observed this when an incorrect key was added and the system dropped to the LUKS prompt at boot. The problem disappeared when we blew away the bad key with luksKillSlot.

Also, anything you could point me at to address our FIPS and PAM issue would be extremely helpful.

Thanks
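Two questions in this thread come down to reading the LUKS header: the opening post asks whether aes-xts-plain64 or aes-cbc-essiv:sha256 is the FIPS-safe choice, and the follow-up asks which key slots are consulted when a keyfile is offered at boot. The script below is an added example, not code from the thread or from Red Hat: it parses a constructed `cryptsetup luksDump` (LUKS1, the format RHEL7 creates) and reports the cipher spec, the master-key size and the enabled key slots. The allowlist `FIPS_ALLOWED_CIPHERS` is an assumption made for this example and covers only the two specs discussed in the thread (both are AES in an approved mode, XTS or CBC, which matches the comment above that the Anaconda default causes no problems in FIPS mode); the dump text and UUID are constructed, not taken from a real device. Listing enabled slots is the relevant check for the keyfile question because cryptsetup tries every enabled slot in order when it opens a volume, so an extra slot that does not match the keyfile is simply skipped rather than shadowing the others.

```python
"""Inspect a `cryptsetup luksDump` (LUKS1) header dump: cipher spec, master-key
size, enabled key slots, and a check against an assumed FIPS cipher allowlist."""
import re
from dataclasses import dataclass, field

# Assumed allowlist for this example (not from cryptsetup or Red Hat): AES in
# XTS or CBC mode. aes-xts-plain64 is the Anaconda default; aes-cbc-essiv:sha256
# is the alternative proposed in the opening post.
FIPS_ALLOWED_CIPHERS = {
    ("aes", "xts-plain64"),
    ("aes", "cbc-essiv:sha256"),
}

# Constructed LUKS1 dump (hex fields shortened, UUID made up). Two enabled
# slots mirror a volume with a passphrase plus a keyfile added via luksAddKey.
DUMP_TEMPLATE = """LUKS header information for /dev/sdb1

Version:       \t1
Cipher name:   \t{name}
Cipher mode:   \t{mode}
Hash spec:     \tsha256
Payload offset:\t4096
MK bits:       \t512
MK digest:     \t0a 1b 2c 3d
MK salt:       \t11 22 33 44
MK iterations: \t123000
UUID:          \t00000000-1111-2222-3333-444444444444

Key Slot 0: ENABLED
\tIterations:         \t980000
\tSalt:               \taa bb cc dd
\tKey material offset:\t8
\tAF stripes:            \t4000
Key Slot 1: ENABLED
\tIterations:         \t990000
\tSalt:               \tee ff 00 11
\tKey material offset:\t512
\tAF stripes:            \t4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""


def sample_dump(name: str, mode: str) -> str:
    """Return the constructed dump text with the given cipher name and mode."""
    return DUMP_TEMPLATE.format(name=name, mode=mode)


@dataclass
class LuksHeader:
    version: int
    cipher_name: str
    cipher_mode: str
    hash_spec: str
    mk_bits: int
    uuid: str
    slots: dict = field(default_factory=dict)  # slot number -> enabled?

    @property
    def cipher_spec(self) -> str:
        # Same form Kickstart's --cipher= option takes, e.g. aes-xts-plain64.
        return f"{self.cipher_name}-{self.cipher_mode}"

    @property
    def enabled_slots(self) -> list:
        return sorted(n for n, on in self.slots.items() if on)

    @property
    def fips_allowed(self) -> bool:
        return (self.cipher_name, self.cipher_mode) in FIPS_ALLOWED_CIPHERS


_SLOT_RE = re.compile(r"^Key Slot (\d+):\s*(ENABLED|DISABLED)\s*$")
_FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*?)\s*$")


def parse_luks_dump(text: str) -> LuksHeader:
    """Parse top-level header fields and key-slot states from luksDump output."""
    fields, slots = {}, {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue  # blank lines and indented per-slot details are not needed
        m = _SLOT_RE.match(line)
        if m:
            slots[int(m.group(1))] = m.group(2) == "ENABLED"
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    if fields.get("Version") != "1":
        raise ValueError("only LUKS1 dumps are handled by this example")
    return LuksHeader(version=1, cipher_name=fields["Cipher name"],
                      cipher_mode=fields["Cipher mode"], hash_spec=fields["Hash spec"],
                      mk_bits=int(fields["MK bits"]), uuid=fields["UUID"], slots=slots)


def report(text: str) -> str:
    """One-line summary a practitioner would check before enabling fips=1."""
    hdr = parse_luks_dump(text)
    verdict = "allowed" if hdr.fips_allowed else "NOT in allowlist"
    return (f"cipher={hdr.cipher_spec} mk_bits={hdr.mk_bits} "
            f"enabled_slots={hdr.enabled_slots} fips={verdict}")


if __name__ == "__main__":
    for name, mode in [("aes", "xts-plain64"), ("aes", "cbc-essiv:sha256"),
                       ("twofish", "xts-plain64")]:
        print(report(sample_dump(name, mode)))
```

On a live system the input would be the output of `cryptsetup luksDump /dev/sdX` run as root; the parser deliberately reads only the top-level fields and the slot state lines, so changes in the per-slot detail layout between cryptsetup releases do not affect it.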
