Configure Redpanda for FIPS

Redpanda provides FIPS-compliant cipher enforcement for brokers using OpenSSL 3.0.9, which is validated for 140-2 and is undergoing validation by NIST for 140-3. Both Redpanda and rpk leverage validated OpenSSL libraries for all security-related cryptography operations.

This feature requires an enterprise license. To get a trial license key or extend your trial period, generate a new trial license key. To purchase a license, contact Redpanda Sales.

If Redpanda has enterprise features enabled and it cannot find a valid license, restrictions apply.

To check if you already have a license key applied to your cluster:

rpk cluster license info

Prerequisites

Before configuring brokers to run in FIPS compliance mode (FIPS mode), check to make sure the redpanda-rpk-fips and redpanda-fips packages are installed. These packages are required by both the redpanda and redpanda-tuners install packages.

Limitations

  • Redpanda is not fully FIPS-compliant when used with the Redpanda Helm chart and Operator in a Kubernetes deployment.

  • Redpanda Console is not FIPS-compliant.

  • PKCS#12 keys for TLS encryption are not supported when FIPS mode is enabled in Redpanda. The PKCS12KDF algorithm used in PKCS#12 is not FIPS-compliant. To use Redpanda in FIPS mode with TLS enabled, configure your certificates and keys in PEM format instead.

Configure FIPS mode

When you configure a broker to run in FIPS mode:

  • FIPS compliance is enforced immediately upon the startup of Redpanda.

  • Redpanda and its dependencies only use FIPS-validated cryptographic modules for all cryptographic algorithms used in a security context.

Redpanda logs an error and exits immediately if:

  • The underlying operating system and crypto module are not running in FIPS mode.

  • The underlying cryptography module enters into an error state.

  • It cannot detect a FIPS-validated library.

To place a broker in FIPS compliance mode, enable fips_mode in the Redpanda broker configuration file (typically located in /etc/redpanda/redpanda.yaml). All fields are within the redpanda object:

redpanda:
  # ....
  fips_mode: enabled

Available fips_mode values are:

  • disabled: Redpanda is not running in FIPS compliance mode.

  • enabled: When Redpanda starts up, it looks for a value of 1 in the file /proc/sys/crypto/fips_enabled. If the file doesn’t exist or doesn’t contain 1, Redpanda logs an error and exits immediately.

  • permissive: This setting is a safety value option only, and should not be used in a production environment. If specified, Redpanda logs a WARNING, but continues operations even if the underlying operating system is not configured for FIPS. If set, your Redpanda instance is not running in FIPS compliance mode.

FIPS OpenSSL configuration

You must specify the following SSL configurations for brokers you want to run in FIPS compliance mode:

  • openssl_config_file: Specifies the path to the OpenSSL configuration file that was created as part of the redpanda-fips package installation. This file is used when OpenSSL is initialized to find the fipsmodule.cnf file that was created by the openssl fipsinstall command. Typically, this value should be /opt/redpanda/openssl/openssl.cnf.

  • openssl_module_directory: Specifies the path to the directory that contains the fips.so cryptographic provider. Typically, this value should be: /opt/redpanda/lib/ossl-modules/.

    The following configuration starts Redpanda in FIPS mode:

    redpanda:
      # ....
      fips_mode: enabled
      openssl_config_file: /opt/redpanda/openssl/openssl.cnf
      openssl_module_directory: /opt/redpanda/lib/ossl-modules/