# Configure Redpanda for FIPS

---
title: Configure Redpanda for FIPS
latest-redpanda-tag: v25.3.11
latest-console-tag: v3.7.3
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "false"
page-is-past-eol: "false"
page-eol-date: November 19, 2026
latest-connect-version: 4.93.0
docname: security/fips-compliance
page-component-name: streaming
page-version: "25.3"
page-component-version: "25.3"
page-component-title: Streaming
page-relative-src-path: security/fips-compliance.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/v/25.3/modules/manage/pages/security/fips-compliance.adoc
description: Configure Redpanda to operate in FIPS compliance mode.
page-git-created-date: "2024-07-31"
page-git-modified-date: "2025-05-05"
support-status: supported
---

<!-- Source: https://docs.redpanda.com/streaming/25.3/manage/security/fips-compliance.md -->

Redpanda provides FIPS-compliant cipher enforcement for brokers using OpenSSL 3.0.9, which is [validated](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282) for [140-2](https://csrc.nist.gov/pubs/fips/140-2/upd2/final) and is undergoing validation by NIST for [140-3](https://csrc.nist.gov/pubs/fips/140-3/final). Both Redpanda and `rpk` leverage validated OpenSSL libraries for all security-related cryptography operations.

> 📝 **NOTE**
>
> This feature requires an [enterprise license](https://docs.redpanda.com/streaming/25.3/get-started/licensing/). To get a trial license key or extend your trial period, [generate a new trial license key](https://redpanda.com/try-enterprise). To purchase a license, contact [Redpanda Sales](https://redpanda.com/upgrade).
>
> If Redpanda has enterprise features enabled and it cannot find a valid license, [restrictions](https://docs.redpanda.com/streaming/25.3/get-started/licensing/#self-managed) apply.

To check if you already have a license key applied to your cluster:

```bash
rpk cluster license info
```

## Prerequisites

Before configuring brokers to run in FIPS compliance mode (FIPS mode), check to make sure the `redpanda-rpk-fips` and `redpanda-fips` packages are [installed](https://docs.redpanda.com/streaming/25.3/deploy/redpanda/manual/production/production-deployment/#install-redpanda-for-fips-compliance). These packages are required by both the `redpanda` and `redpanda-tuner` install packages.

## Limitations

-   Redpanda is not fully FIPS-compliant when used with the Redpanda Helm chart and Operator in a Kubernetes deployment.

-   Redpanda Console is not FIPS-compliant.

-   PKCS#12 keys for [TLS encryption](https://docs.redpanda.com/streaming/25.3/manage/security/encryption/) are not supported when FIPS mode is enabled in Redpanda. The PKCS12KDF algorithm used in PKCS#12 is not FIPS-compliant. To use Redpanda in FIPS mode with TLS enabled, configure your certificates and keys in PEM format instead.


## Configure FIPS mode

When you configure a broker to run in FIPS mode:

-   FIPS compliance is enforced _immediately_ upon the startup of Redpanda.

-   Redpanda and its dependencies only use FIPS-validated cryptographic modules for all cryptographic algorithms used in a security context.


Redpanda logs an error and exits immediately if:

-   The underlying operating system and crypto module are not running in FIPS mode.

-   The underlying cryptography module enters into an error state.

-   It cannot detect a FIPS-validated library.


To place a broker in FIPS compliance mode, enable [`fips_mode`](https://docs.redpanda.com/streaming/25.3/reference/properties/broker-properties/#fips_mode) in the Redpanda broker configuration file (typically located in `/etc/redpanda/redpanda.yaml`). All fields are within the `redpanda` object:

```yaml
redpanda:
  # ....
  fips_mode: enabled
```

Available `fips_mode` values are:

-   `disabled`: Redpanda is not running in FIPS compliance mode.

-   `enabled`: When Redpanda starts up, it looks for a value of `1` in the file `/proc/sys/crypto/fips_enabled`. If the file doesn’t exist or doesn’t contain `1`, Redpanda logs an error and exits immediately.

-   `permissive`: This setting is a safety valve option only, and _should not be used in a production environment_. If specified, Redpanda logs a WARNING, but continues operations even if the underlying operating system is not configured for FIPS. If set, your Redpanda instance is _not_ running in FIPS compliance mode.


### FIPS OpenSSL configuration

You must specify the following SSL configurations for brokers you want to run in FIPS compliance mode:

-   [`openssl_config_file`](https://docs.redpanda.com/streaming/25.3/reference/properties/broker-properties/#openssl_config_file): Specifies the path to the OpenSSL configuration file that was created as part of the `redpanda-fips` package installation. This file is used when OpenSSL is initialized to find the `fipsmodule.cnf` file that was created by the `openssl fipsinstall` command. Typically, this value should be `/opt/redpanda/openssl/openssl.cnf`.

-   [`openssl_module_directory`](https://docs.redpanda.com/streaming/25.3/reference/properties/broker-properties/#openssl_module_directory): Specifies the path to the directory that contains the `fips.so` cryptographic provider. Typically, this value should be: `/opt/redpanda/lib/ossl-modules/`.

The following configuration starts Redpanda in FIPS mode:

```yaml
redpanda:
  # ....
  fips_mode: enabled
  openssl_config_file: /opt/redpanda/openssl/openssl.cnf
  openssl_module_directory: /opt/redpanda/lib/ossl-modules/
```
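
A pre-flight check for the settings described above, written as an added example (it is not Redpanda's own tooling). It assumes the flat `key: value` layout shown on this page; `fips_preflight`, `yaml_value` and the `ROOT` prefix argument are hypothetical names, and the `.p12`/`.pfx` match is only a filename heuristic for the PKCS#12 limitation.

```shell
#!/usr/bin/env bash
# Added example, not Redpanda tooling. ROOT is a hypothetical path prefix so the
# checks can run against a staged tree; leave it empty on a real broker host.

# Read a scalar "key: value" from redpanda.yaml (assumes the flat layout shown above).
yaml_value() {  # usage: yaml_value FILE KEY
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" |
    head -n1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Print one line per finding; the return status is the number of failed checks.
fips_preflight() {  # usage: fips_preflight [ROOT]
  local root="${1:-}" fails=0 cfg mode conf moddir
  cfg="$root/etc/redpanda/redpanda.yaml"
  fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

  # The condition that fips_mode: enabled enforces at startup.
  [ "$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null)" = "1" ] ||
    fail "/proc/sys/crypto/fips_enabled does not contain 1"

  [ -r "$cfg" ] || { fail "cannot read $cfg"; return "$fails"; }

  mode="$(yaml_value "$cfg" fips_mode)"
  case "$mode" in
    enabled) ;;
    permissive) fail "fips_mode is permissive: not FIPS compliance mode" ;;
    *) fail "fips_mode is '${mode:-unset}', expected enabled" ;;
  esac

  conf="$(yaml_value "$cfg" openssl_config_file)"
  { [ -n "$conf" ] && [ -r "$root$conf" ]; } ||
    fail "openssl_config_file missing or unreadable: '$conf'"

  moddir="$(yaml_value "$cfg" openssl_module_directory)"
  { [ -n "$moddir" ] && [ -f "$root${moddir%/}/fips.so" ]; } ||
    fail "no fips.so in openssl_module_directory: '$moddir'"

  # Filename heuristic for the PKCS#12 limitation: flag .p12/.pfx paths.
  if grep -Eiq '^[^#]*\.(p12|pfx)"?[[:space:]]*(#.*)?$' "$cfg"; then
    fail "PKCS#12 file referenced; use PEM certificates and keys"
  fi

  [ "$fails" -eq 0 ] && echo "OK: FIPS pre-flight checks passed"
  return "$fails"
}
```

Run `fips_preflight` with no argument on the broker host before restarting Redpanda with `fips_mode: enabled`; a non-zero status means at least one of the startup conditions on this page is not met.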


## Suggested reading

-   [Install Redpanda for FIPS Compliance](https://docs.redpanda.com/streaming/25.3/deploy/redpanda/manual/production/production-deployment/#install-redpanda-for-fips-compliance)

-   [OpenSSL FIPS Readme](https://github.com/openssl/openssl/blob/openssl-3.0.9/README-FIPS.md)

-   [OpenSSL fips\_module](https://www.openssl.org/docs/man3.0/man7/fips_module.html)

-   [OpenSSL FIPS Security Policy](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf)