Appendix D. Enabling FIPS in Red Hat Virtualization

You can set up Red Hat Virtualization to be compliant with the Federal Information Processing Standard (FIPS), specifically FIPS 140-2. You can enable FIPS mode selectively, on specific virtual machines, bare metal machines, or across your entire environment, based on your organization’s FIPS compliance requirements.

You can create a FIPS-enabled bare metal machine in RHV 4.4 by either installing the operating system in FIPS mode, or by switching the system into FIPS mode after installing the operating system. However, you must switch to FIPS mode before installing and configuring Red Hat Virtualization to avoid introducing system conflicts.

Important

Red Hat recommends installing Red Hat Enterprise Linux 8 with FIPS mode enabled as opposed to enabling FIPS mode later. Enabling FIPS mode during the installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.

You enable FIPS first on each bare metal machine, and then in the Manager.

D.1. Enabling FIPS in a self-hosted engine

You can enable FIPS in a self-hosted engine during deployment when using the command-line.

Procedure

  1. Start the self-hosted engine deployment script. See Installing Red Hat Virtualization as a self-hosted engine using the command line.
  2. When the deployment script prompts Do you want to apply a default OpenSCAP security profile?, enter Yes
  3. Follow the on-screen instructions to select VPP - Protection Profile for Virtualization 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH).

Verification

Verify that FIPS is enabled by entering the command fips-mode-setup --check on the host. The command should return FIPS mode is enabled:

# fips-mode-setup --check
FIPS mode is enabled.