Enable FIPS mode on LUKS file systems with aes-xts-plain64
We've Kickstart-built several RHEL7 systems using the default Anaconda encryption, aes-xts-plain64, as shown below:
part /boot --fstype="xfs" --asprimary --ondisk=sda --size=500
part pv.00 --fstype="lvmpv" --ondisk=sda --grow --encrypted --passphrase='supersecretpassword'
part pv.01 --fstype="lvmpv" --ondisk=sdb --grow --encrypted --passphrase='supersecretpassword'
Then we followed the procedure outlined at https://access.redhat.com/solutions/256833 to get the systems to boot without having to supply a LUKS password.
When we enable FIPS mode, we are unable to boot the system anymore without taking the system back out of FIPS mode.
From what I can tell, aes-xts-plain64 might be the problem, as it is unsupported by FIPS.
Is there some procedure we can follow to get FIPS with aes-xts-plain64 to work with LUKS without going to extremes like those outlined at https://access.redhat.com/solutions/1162843 using the cryptsetup-reencrypt command?
Additionally, we have RHEL7 Kickstart-built servers successfully running in FIPS mode without having followed the procedure to boot without supplying a LUKS password.
I see issues with FIPS and LUKS addressed for RHEL6 but nothing for RHEL7.
Additional question: will Kickstart RHEL7 rebuilds using aes-cbc-essiv:sha256 solve the FIPS issue we are having?
part /boot --fstype="xfs" --asprimary --ondisk=sda --size=500
part pv.00 --fstype="lvmpv" --ondisk=sda --grow --encrypted --cipher=aes-cbc-essiv:sha256 --passphrase='supersecretpassword'
part pv.01 --fstype="lvmpv" --ondisk=sdb --grow --encrypted --cipher=aes-cbc-essiv:sha256 --passphrase='supersecretpassword'
Thanks
Responses
FIPS is a harsh mistress: you can't force a non-compliant cryptography method to be compatible with FIPS. Your best bet is to ensure that you're using a FIPS-compatible encryption option (for new systems). If you've got existing data on an incompatibly-crypted volume, you're just going to have to suck it up and transfer the data from that volume to a new volume (or skip trying to use FIPS).
Hi Lyle. I authored both of the articles you linked as well as virtually every LUKS & FIPS howto article we have on the Portal (categorized here under "dm-crypt/LUKS, ecryptfs" and "FIPS").
I'm surprised you're having trouble. I would expect the default Anaconda-chosen LUKS cipher to cause no problems in FIPS mode. That said, if you're concerned with FIPS, you really should be booting the installer with fips=1. Take a look at the end of this comment I just posted to someone else.
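The question asks which LUKS cipher the Kickstart-built volumes actually carry and whether that is the cause of the FIPS boot failure, and the reply above points at booting with fips=1. The script below is an added example written for this thread; it is not code from Red Hat, from the linked knowledgebase articles, or from the original poster. It parses `cryptsetup luksDump` output to print each volume's cipher in the same `name-mode` form that Kickstart's `--cipher=` takes, checks it against an allow-list, and reports whether the running kernel is in FIPS mode (`/proc/sys/crypto/fips_enabled`) and whether a kernel command line contains `fips=1`. The allow-list and the sample luksDump output are assumptions constructed for illustration, not captured from a real system; confirm the allow-list against your platform's FIPS guidance before relying on it.

```shell
#!/bin/sh
# Added example for this thread, not code from Red Hat or the original poster.
# Reports the cipher of a LUKS volume (from `cryptsetup luksDump` output) and
# whether the running kernel is in FIPS mode, so a mismatch can be spotted
# before rebooting with fips=1. The allow-list in fips_ok_cipher is an
# illustrative assumption; confirm it against your platform's FIPS guidance.

# Constructed sample of `cryptsetup luksDump` output for a volume created with
# the Anaconda default cipher (aes-xts-plain64). Not captured from a real system.
SAMPLE_DUMP_XTS='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

# Constructed sample for the --cipher=aes-cbc-essiv:sha256 variant from the question.
SAMPLE_DUMP_CBC='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha256
Payload offset: 4096
MK bits:        256'

# luks_cipher_spec: read luksDump output on stdin, print "<name>-<mode>"
# (the form Kickstart's --cipher= takes), e.g. aes-xts-plain64.
luks_cipher_spec() {
    awk '
        /^Cipher name:/ { n = $0; sub(/^Cipher name:[ \t]*/, "", n) }
        /^Cipher mode:/ { m = $0; sub(/^Cipher mode:[ \t]*/, "", m) }
        END { if (n != "" && m != "") print n "-" m }
    '
}

# fips_ok_cipher SPEC: exit 0 if SPEC is on the allow-list, 1 otherwise.
# The allow-list is an assumption for this example (AES in XTS or CBC-ESSIV
# mode, the two specs discussed in the question); adjust to your guidance.
fips_ok_cipher() {
    case "$1" in
        aes-xts-plain64|aes-cbc-essiv:sha256) return 0 ;;
        *) return 1 ;;
    esac
}

# fips_mode_enabled [FILE]: exit 0 if the kernel reports FIPS mode.
# FILE defaults to /proc/sys/crypto/fips_enabled; passing a path lets the
# check be exercised on a host without a FIPS kernel.
fips_mode_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# cmdline_has_fips STRING: exit 0 if a kernel command line (the contents of
# /proc/cmdline, or the installer boot line) contains the token fips=1.
cmdline_has_fips() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'fips=1'
}

# check_dump: read luksDump output on stdin, print a one-line verdict,
# exit 0 when the cipher is allow-listed and 1 otherwise.
check_dump() {
    spec=$(luks_cipher_spec)
    [ -n "$spec" ] || { echo "no cipher found in luksDump output"; return 1; }
    if fips_ok_cipher "$spec"; then
        echo "cipher $spec: on allow-list"
    else
        echo "cipher $spec: NOT on allow-list"
        return 1
    fi
}

# With a block device argument, inspect a real volume (needs root); otherwise
# run against the constructed samples so the script works offline.
if [ -n "$1" ]; then
    cryptsetup luksDump "$1" | check_dump
else
    printf '%s\n' "$SAMPLE_DUMP_XTS" | check_dump
    printf '%s\n' "$SAMPLE_DUMP_CBC" | check_dump
fi
if fips_mode_enabled; then
    echo "kernel FIPS mode: enabled"
else
    echo "kernel FIPS mode: disabled"
fi
if [ -r /proc/cmdline ] && cmdline_has_fips "$(cat /proc/cmdline)"; then
    echo "kernel command line: fips=1 present"
else
    echo "kernel command line: fips=1 absent"
fi
```

Run it as `sh luks-fips-check.sh /dev/sda2` (as root) to inspect a real LUKS device, or with no argument to exercise it on the constructed samples. The cipher spec it prints is what to compare against the `--cipher=` value in the Kickstart `part` lines, and the FIPS-mode line tells you whether the host you are testing on is actually in the state you are trying to debug.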
