Chapter 3. Installing a RHEL 8 system with FIPS mode enabled
To enable the cryptographic module self-checks mandated by the Federal Information Processing Standard (FIPS) Publication 140-2, you have to operate RHEL 8 in FIPS mode.
You can achieve this by:
- Starting the installation in FIPS mode.
- Switching the system into FIPS mode after the installation.
Converting an already deployed system means regenerating its cryptographic key material and reevaluating the compliance of the resulting system. To avoid this, Red Hat recommends starting the installation in FIPS mode.
3.1. Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by a U.S. Government and industry working group to validate the quality of cryptographic modules. See the official FIPS publications at the NIST Computer Security Resource Center.
The FIPS 140-2 standard ensures that cryptographic tools implement their algorithms correctly. One of the mechanisms for that is runtime self-checks. See the full FIPS 140-2 standard at FIPS PUB 140-2 for further details and other specifications of the FIPS standard.
To learn about compliance requirements, see the Red Hat Government Standards page.
3.2. Installing the system with FIPS mode enabled
To enable the cryptographic module self-checks mandated by the Federal Information Processing Standard (FIPS) Publication 140-2, enable FIPS mode during the system installation.
Red Hat recommends installing Red Hat Enterprise Linux 8 with FIPS mode enabled, as opposed to enabling FIPS mode later. Enabling FIPS mode during the installation ensures that the system generates all keys with FIPS-approved algorithms and with continuous monitoring tests in place.
Add the fips=1 option to the kernel command line during the system installation.
During the software selection stage, do not install any third-party software.
After the installation, the system starts in FIPS mode automatically.
After the system starts, check that FIPS mode is enabled:
$ fips-mode-setup --check
FIPS mode is enabled.
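The check at the end of this procedure covers two things at once: the kernel flag in /proc/sys/crypto/fips_enabled and the system-wide crypto policy, and on RHEL 8 fips-mode-setup --check reports an inconsistent state when the two disagree. The added POSIX sh example below (not from the Red Hat documentation) reproduces that logic as a function that takes the three inputs as arguments, so an audit script or kickstart %post can apply it to recorded values as well as to the live host; the live wrapper assumes the RHEL 8 file paths and the update-crypto-policies command, and the verdict words are this example's own.

```shell
#!/bin/sh
# Added example: classify a host's FIPS state from the kernel command line,
# /proc/sys/crypto/fips_enabled and the active system-wide crypto policy.
#   $1  kernel command line (contents of /proc/cmdline)
#   $2  value of /proc/sys/crypto/fips_enabled ("0" or "1")
#   $3  crypto policy name, as printed by `update-crypto-policies --show`
# Prints exactly one word: enabled, disabled or inconsistent. Always returns 0.
fips_state() {
    fs_cmdline=$1; fs_kernel=$2; fs_policy=$3

    # Was fips=1 passed at boot? Pad with spaces so "fips=10" does not match.
    case " $fs_cmdline " in
        *" fips=1 "*) fs_flag=yes ;;
        *)            fs_flag=no  ;;
    esac

    # Is userspace on the FIPS policy? Subpolicies such as FIPS:OSPP count too.
    case $fs_policy in
        FIPS|FIPS:*) fs_policy_fips=yes ;;
        *)           fs_policy_fips=no  ;;
    esac

    if [ "$fs_kernel" = 1 ] && [ "$fs_policy_fips" = yes ]; then
        echo enabled        # kernel and userspace agree: the state the page's check expects
    elif [ "$fs_kernel" != 1 ] && [ "$fs_policy_fips" = no ] && [ "$fs_flag" = no ]; then
        echo disabled
    else
        # Kernel and userspace disagree: fips=1 booted but the policy left at DEFAULT,
        # the policy set to FIPS on a kernel booted without fips=1, or the flag present
        # but not honoured. Keys generated in this state are not assured to be FIPS.
        echo inconsistent
    fi
}

# Live check on the current host, using the RHEL 8 paths and commands (assumed).
live_fips_state() {
    [ -r /proc/sys/crypto/fips_enabled ] || { echo unknown; return 0; }
    lf_policy=$(update-crypto-policies --show 2>/dev/null) \
        || lf_policy=$(sed -n 1p /etc/crypto-policies/config 2>/dev/null) \
        || lf_policy=""
    fips_state "$(cat /proc/cmdline 2>/dev/null)" \
               "$(cat /proc/sys/crypto/fips_enabled)" "$lf_policy"
}

live_fips_state
```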