The Federal Information Processing Standard (FIPS) 140-2 specifies the security requirements for cryptography used in US Federal Government systems. This standard has also been adopted by other organizations such as the Canadian Government, PCI, and many other highly regulated industries. FIPS 140-2 consists of multiple levels that combine software and hardware validation. In this post, we will be focusing on a software-only implementation.

FIPS 140-2 essentially defines a set of validated cryptography functions that can be used for encrypting data in transit such as TLS or SSH. In virtual environments, this is typically achieved by placing the virtual machine in “FIPS mode” and leveraging validated modules for OpenSSL and OpenSSH. You can find a list of validated modules on the NIST website.

FIPS 140-2 is not required by FedRAMP by the letter of the controls but is required by most auditors and Federal agencies in order to run systems in production. For example, most AWS Services offer a FIPS 140-2 compliant endpoint.

Note: Amazon Linux 2 is not fully validated by NIST and does not have an approved Security Technical Implementation Guide (STIG) at the time of writing.

The way to easily think about FIPS 140-2 is in two layers:

  • Software packages, such as OpenSSL and OpenSSH, that applications use for cryptographic operations such as generating certificates.
  • Kernel mode enabled to enforce that only FIPS 140-2 compliant crypto is used.

For most application developers and cloud engineers, editing the GRUB configuration is something done late at night while diagnosing an issue, and it gets a little scary. However, many operating systems, such as CentOS, Red Hat Enterprise Linux 7, and Amazon Linux, make FIPS mode easy to enable.

FIPS 140-2 Validation Status

Amazon Linux 2 is currently undergoing validation for the following modules. The latest information can be found on the NIST FIPS 140-2 Validation Program website. On the site you can search for the validated modules and modules that are still in progress.

Module                                               Status            Certificate   Date
Amazon Linux 2 Libreswan Cryptographic Module        Validated         3652          05/08/2020
Amazon Linux 2 NSS Cryptographic Module              Validated         3646          04/20/2020
Amazon Linux 2 GnuTLS Cryptographic Module           Validated         3643          04/20/2020
Amazon Linux 2 Libgcrypt Cryptographic Module        Validated         3618          02/19/2020
Amazon Linux 2 OpenSSH Client Cryptographic Module   Validated         3567          11/20/2019
Amazon Linux 2 OpenSSH Server Cryptographic Module   Validated         3562          11/14/2019
Amazon Linux 2 OpenSSL Cryptographic Module          Validated         3553          10/23/2019
Amazon Linux 2 Kernel Cryptographic API              In Coordination   -             -

Enabling FIPS 140-2 on Amazon Linux 2

Enabling support for FIPS within Amazon Linux 2 can easily be done during the AMI build for your virtual machine using Packer or AWS EC2 Instance Builder.

# ensure the operating system is up to date
sudo yum update -y

# install and enable fips modules
sudo yum install -y dracut-fips openssl
sudo dracut -f

# edit /etc/default/grub to add fips=1 to GRUB_CMDLINE_LINUX_DEFAULT
sudo sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=.*\)"$/\1 fips=1"/' /etc/default/grub

# rebuild grub
sudo grub2-mkconfig -o /etc/grub2.cfg

# reboot the operating system
sudo reboot

Validate that FIPS has been properly enabled:

cat /proc/sys/crypto/fips_enabled # should be 1
sysctl crypto.fips_enabled # should be 1
openssl version # similar to OpenSSL 1.0.2k-fips  26 Jan 2017
openssl md5 /dev/null # should output an error that includes "disabled for fips"
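The same validation, written as an added example that is not the post's own script: each check is a function over the value it inspects, so the logic can be exercised with constructed inputs as well as live ones, and the audit at the end reports every failing check instead of stopping at the first.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether a host is really
# enforcing FIPS mode. Each check is a function over the value it inspects,
# so the logic can be exercised with constructed inputs as well as live ones.

# 0 if the kernel flag (/proc/sys/crypto/fips_enabled) says FIPS is enforced.
fips_flag_ok() { [ "$1" = "1" ]; }

# 0 if the kernel command line carries fips=1 as a whole word (not nofips=1).
cmdline_has_fips() {
  case " $1 " in *" fips=1 "*) return 0 ;; *) return 1 ;; esac
}

# 0 if `openssl version` names the FIPS-capable build, e.g. "1.0.2k-fips".
openssl_is_fips_build() {
  case "$1" in *-fips*) return 0 ;; *) return 1 ;; esac
}

# 0 if `openssl md5 /dev/null` refused the non-approved digest instead of
# computing it; a successful hash means FIPS mode is not enforced in OpenSSL.
md5_refused() {
  case "$1" in *"disabled for fips"*) return 0 ;; *) return 1 ;; esac
}

# Run every check against the live system; returns the number of failures.
audit_fips() {
  failures=0
  flag=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
  fips_flag_ok "$flag" || { echo "FAIL: crypto.fips_enabled=$flag"; failures=$((failures + 1)); }
  cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
  cmdline_has_fips "$cmdline" || { echo "FAIL: fips=1 missing from kernel command line"; failures=$((failures + 1)); }
  if command -v openssl >/dev/null 2>&1; then
    ver=$(openssl version 2>/dev/null)
    openssl_is_fips_build "$ver" || { echo "FAIL: not a FIPS-capable OpenSSL: $ver"; failures=$((failures + 1)); }
    out=$(openssl md5 /dev/null 2>&1)
    md5_refused "$out" || { echo "FAIL: MD5 still usable, OpenSSL not in FIPS mode"; failures=$((failures + 1)); }
  else
    echo "FAIL: openssl is not installed"; failures=$((failures + 1))
  fi
  [ "$failures" -eq 0 ] && echo "OK: FIPS 140-2 mode is enforced"
  return "$failures"
}

audit_fips || echo "$? FIPS check(s) failed"
```

Run it on the rebooted host; every line starting with FAIL points at the layer (kernel flag, boot parameter, OpenSSL build, or OpenSSL enforcement) that still needs attention.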

Enabling FIPS 140-2 in an Amazon Linux 2 Container

More and more applications are being deployed with containers and it can be hard to figure out how to make your container FIPS 140-2 compliant. Below is an example of how to build and run your container using Docker on Amazon Linux 2.

First, you need to be running Docker on an Amazon Linux 2 host with FIPS enabled; containers share the host kernel, so the kernel-side enforcement (and the /proc/sys/crypto/fips_enabled flag seen inside the container) comes from the host, not from the image. Next, you need to build a container image with the FIPS modules installed.

FROM amazonlinux:2
RUN yum update -y && yum install -y dracut-fips openssl

Build that image with a tag such as amazonlinux:2-fips, then run it with the host's /etc/system-fips mounted into the container. The /etc/system-fips file is the signal that other packages, such as OpenSSL, use to detect that FIPS is enabled.

docker container run -it \
  -v /etc/system-fips:/etc/system-fips \
  amazonlinux:2-fips /bin/bash

Conclusion

That’s it! You have now enabled FIPS 140-2 compliant cryptography on Amazon Linux 2 and inside Amazon Linux 2 containers. Be sure to confirm that the installed modules are validated by NIST and approved for use by your Authorizing Agency.