Appendix D. Enabling FIPS in Red Hat Virtualization
You can set up Red Hat Virtualization to be compliant with the Federal Information Processing Standard (FIPS), specifically FIPS 140-2. You can enable FIPS mode selectively, on specific virtual machines, bare metal machines, or across your entire environment, based on your organization’s FIPS compliance requirements.
You can create a FIPS-enabled bare metal machine in RHV 4.4 by either installing the operating system in FIPS mode, or by switching the system into FIPS mode after installing the operating system. However, you must switch to FIPS mode before installing and configuring Red Hat Virtualization to avoid introducing system conflicts.
Red Hat recommends installing Red Hat Enterprise Linux 8 with FIPS mode enabled as opposed to enabling FIPS mode later. Enabling FIPS mode during the installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
You enable FIPS first on each bare metal machine, and then in the Manager.
D.1. Enabling FIPS in a self-hosted engine
You can enable FIPS in a self-hosted engine during deployment when using the command-line.
- Start the self-hosted engine deployment script. See Installing Red Hat Virtualization as a self-hosted engine using the command line.
When the deployment script prompts
Do you want to apply a default OpenSCAP security profile?, enter
Follow the on-screen instructions to select
VPP - Protection Profile for Virtualization 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH).
Verify that FIPS is enabled by entering the command
fips-mode-setup --check on the host. The command should return
FIPS mode is enabled:
# fips-mode-setup --check FIPS mode is enabled.