This is documentation for Self-Managed v24.2. To view the latest available version of the docs, see v24.3.

Configure Redpanda for FIPS

Redpanda provides FIPS-compliant cipher enforcement for brokers using OpenSSL 3.0.9, which is validated for 140-2 and is undergoing validation by NIST for 140-3. Both Redpanda and rpk leverage validated OpenSSL libraries for all security-related cryptography operations.

This feature requires an Enterprise license for self-managed deployments. To upgrade, contact Redpanda sales.

Redpanda is not fully FIPS-compliant when used with the Redpanda Helm chart and Operator in a Kubernetes deployment.

To check if you already have a license key applied to your cluster:

    rpk cluster license info

Prerequisites

Before configuring brokers to run in FIPS compliance mode (FIPS mode), check to make sure the redpanda-rpk-fips and redpanda-fips packages are installed. These packages are required by both the redpanda and redpanda-tuners install packages.

Configure FIPS

When you configure a broker to run in FIPS mode:

- FIPS compliance is enforced immediately upon the startup of Redpanda.
- Redpanda and its dependencies only use FIPS-validated cryptographic modules for all cryptographic algorithms used in a security context.
- Redpanda logs an error and exits immediately if:
  - The underlying operating system and crypto module are not running in FIPS mode.
  - The underlying cryptography module enters into an error state.
  - It cannot detect a FIPS-validated library.

To place a broker in FIPS compliance mode, enable fips_mode in the Redpanda broker configuration file (typically located in /etc/redpanda/redpanda.yaml). All fields are within the redpanda object:

    redpanda:
      # ....
      fips_mode: enabled

Available fips_mode values are:

- disabled: Redpanda is not running in FIPS compliance mode.
- enabled: When Redpanda starts up, it looks for a value of 1 in the file /proc/sys/crypto/fips_enabled.
  If the file doesn’t exist or doesn’t contain 1, Redpanda logs an error and exits immediately.
- permissive: This setting is a safety value option only, and should not be used in a production environment. If specified, Redpanda logs a WARNING, but continues operations even if the underlying operating system is not configured for FIPS. If set, your Redpanda instance is not running in FIPS compliance mode.

FIPS OpenSSL configuration

You must specify the following SSL configurations for brokers you want to run in FIPS compliance mode:

- openssl_config_file: Specifies the path to the OpenSSL configuration file that was created as part of the redpanda-fips package installation. This file is used when OpenSSL is initialized to find the fipsmodule.cnf file that was created by the openssl fipsinstall command. Typically, this value should be /opt/redpanda/openssl/openssl.cnf.
- openssl_module_directory: Specifies the path to the directory that contains the fips.so cryptographic provider. Typically, this value should be: /opt/redpanda/lib/ossl-modules/.

The following configuration starts Redpanda in FIPS mode:

    redpanda:
      # ....
      fips_mode: enabled
      openssl_config_file: /opt/redpanda/openssl/openssl.cnf
      openssl_module_directory: /opt/redpanda/lib/ossl-modules/

Suggested reading

- Install Redpanda for FIPS Compliance
- OpenSSL FIPS Readme
- OpenSSL fips_module
- OpenSSL FIPS Security Policy
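A broker set to fips_mode: enabled exits at startup when any prerequisite above is missing, so it helps to check them before a restart. The script below is an added example, not part of the Redpanda documentation or tooling: the function names fips_preflight and yaml_value and the optional ROOT path prefix are hypothetical, and it reads redpanda.yaml with a simple line match rather than a YAML parser.

```shell
#!/bin/sh
# Added example: pre-start check of the FIPS prerequisites described on this page.
# fips_preflight [ROOT] - ROOT is a hypothetical path prefix (default: empty, meaning
# the live system) so the check can also run against a constructed directory tree.

# Read a scalar "key: value" from redpanda.yaml (line match only, quoted values unsupported).
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" 2>/dev/null | head -n 1
}

fips_preflight() {
    root="${1:-}"
    conf="$root/etc/redpanda/redpanda.yaml"
    failures=0
    fail() { echo "FAIL: $*"; failures=$((failures + 1)); }

    # fips_mode: enabled requires this kernel flag file to exist and contain 1.
    flag="$root/proc/sys/crypto/fips_enabled"
    if [ "$(cat "$flag" 2>/dev/null)" != "1" ]; then
        fail "$flag missing or not 1 (operating system not in FIPS mode)"
    fi

    mode="$(yaml_value "$conf" fips_mode)"
    case "$mode" in
        enabled) ;;
        permissive) fail "fips_mode is permissive: broker is not in FIPS compliance mode" ;;
        *) fail "fips_mode is '${mode:-unset}', expected enabled" ;;
    esac

    # OpenSSL configuration file installed by the redpanda-fips package.
    cnf="$(yaml_value "$conf" openssl_config_file)"
    if [ -z "$cnf" ] || [ ! -r "$root$cnf" ]; then
        fail "openssl_config_file '${cnf:-unset}' not readable"
    fi

    # The module directory must contain the fips.so provider.
    moddir="$(yaml_value "$conf" openssl_module_directory)"
    if [ -z "$moddir" ] || [ ! -f "$root${moddir%/}/fips.so" ]; then
        fail "fips.so not found in openssl_module_directory '${moddir:-unset}'"
    fi

    [ "$failures" -eq 0 ] && echo "OK: FIPS prerequisites present"
    return "$failures"
}
```

Run fips_preflight with no argument on a broker host; the return code is the number of failed checks, so 0 means every prerequisite was found.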