# Configure Redpanda for FIPS


---
title: Configure Redpanda for FIPS
latest-redpanda-tag: v26.1.9
latest-console-tag: v3.7.3
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "false"
page-is-past-eol: "false"
page-eol-date: March 31, 2027
latest-connect-version: 4.93.0
docname: security/fips-compliance
page-component-name: streaming
page-version: "26.1"
page-component-version: "26.1"
page-component-title: Streaming
page-relative-src-path: security/fips-compliance.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/main/modules/manage/pages/security/fips-compliance.adoc
description: Configure Redpanda to operate in FIPS-compliant mode.
page-topic-type: how-to
personas: platform_operator
learning-objective-1: Configure a Redpanda broker to run in FIPS-compliant mode
learning-objective-2: Set the required OpenSSL properties for FIPS mode
learning-objective-3: Deploy Redpanda in FIPS-compliant mode using Docker
page-git-created-date: "2024-07-31"
page-git-modified-date: "2026-03-31"
support-status: supported
---

<!-- Source: https://docs.redpanda.com/streaming/current/manage/security/fips-compliance.md -->

Redpanda provides Federal Information Processing Standards (FIPS)-compliant cipher enforcement for brokers using a [FIPS 140-3](https://csrc.nist.gov/pubs/fips/140-3/final)-validated OpenSSL cryptographic module. Redpanda and `rpk` both use the OpenSSL library for security-related cryptographic operations.

After reading this page, you will be able to:

-   Configure a Redpanda broker to run in FIPS-compliant mode

-   Set the required OpenSSL properties for FIPS mode

-   Deploy Redpanda in FIPS-compliant mode using Docker


> 📝 **NOTE**
>
> This feature requires an [enterprise license](https://docs.redpanda.com/streaming/current/get-started/licensing/). To get a trial license key or extend your trial period, [generate a new trial license key](https://redpanda.com/try-enterprise). To purchase a license, contact [Redpanda Sales](https://redpanda.com/upgrade).
>
> If Redpanda has enterprise features enabled and it cannot find a valid license, [restrictions](https://docs.redpanda.com/streaming/current/get-started/licensing/#self-managed) apply.

To check if you already have a license key applied to your cluster:

```bash
rpk cluster license info
```

## Prerequisites

Before configuring brokers to run in FIPS mode on Linux, install the `redpanda-rpk-fips` and `redpanda-fips` [packages](https://docs.redpanda.com/streaming/current/deploy/redpanda/manual/production/production-deployment/#install-redpanda-for-fips-compliance).

For Docker deployments, use the FIPS-specific image instead: `docker.redpanda.com/redpandadata/redpanda:<version>-fips`.

> ⚠️ **WARNING**
>
> Before upgrading to Redpanda 26.1 with FIPS mode enabled, change any SASL/SCRAM user passwords shorter than 14 characters to at least 14 characters. FIPS 140-3 enforces stricter HMAC key size requirements than FIPS 140-2. Because Redpanda stores passwords in encrypted form, it cannot check the length of existing passwords. Clients with passwords shorter than 14 characters will fail to authenticate after the upgrade.

## Limitations

-   Redpanda FIPS mode requires a FIPS-enabled host when deployed with the Redpanda Helm chart or Operator.

-   Redpanda Console is not FIPS-compliant.

-   Redpanda does not support PKCS#12 keys for [TLS encryption](https://docs.redpanda.com/streaming/current/manage/security/encryption/) when FIPS mode is enabled. The PKCS12KDF algorithm used in PKCS#12 is not FIPS-compliant. To use Redpanda in FIPS mode with TLS enabled, configure your certificates and keys in PEM format instead.

-   When FIPS mode is `enabled` or `permissive`, SASL/SCRAM passwords must be at least 14 characters.


## Configure FIPS mode

When you configure a broker to run in FIPS mode:

-   Redpanda enforces FIPS compliance _immediately_ on startup.

-   Redpanda and its dependencies only use FIPS-validated cryptographic modules for all cryptographic algorithms used in a security context.


Redpanda logs an error and exits immediately if:

-   The underlying operating system and crypto module are not running in FIPS mode.

-   The underlying cryptography module enters an error state.

-   It cannot detect a FIPS-validated library.


To place a broker in FIPS-compliant mode, enable [`fips_mode`](https://docs.redpanda.com/streaming/current/reference/properties/broker-properties/#fips_mode) in the Redpanda broker configuration file (typically located in `/etc/redpanda/redpanda.yaml`). All fields are within the `redpanda` object:

```yaml
redpanda:
  # ....
  fips_mode: enabled
```

Available `fips_mode` values are:

-   `disabled`: Redpanda is not running in FIPS-compliant mode.

-   `enabled`: When Redpanda starts up, it looks for a value of `1` in the file `/proc/sys/crypto/fips_enabled`. If the file doesn’t exist or doesn’t contain `1`, Redpanda logs an error and exits immediately.

-   `permissive`: This setting is a safety valve option only. Do not use it in a production environment. If specified, Redpanda logs a WARNING, but continues operations even if the underlying operating system is not configured for FIPS. If set, your Redpanda instance is _not_ running in FIPS-compliant mode.


You must also configure OpenSSL properties for FIPS mode.

### FIPS OpenSSL configuration

You must specify the following SSL configurations for brokers you want to run in FIPS-compliant mode:

-   [`openssl_config_file`](https://docs.redpanda.com/streaming/current/reference/properties/broker-properties/#openssl_config_file): Specifies the path to the OpenSSL configuration file created during `redpanda-fips` package installation. OpenSSL uses this file during initialization to find the `fipsmodule.cnf` file that `openssl fipsinstall` creates. Typically, this value is `/opt/redpanda/openssl/openssl.cnf`.

-   [`openssl_module_directory`](https://docs.redpanda.com/streaming/current/reference/properties/broker-properties/#openssl_module_directory): Specifies the path to the directory that contains the `fips.so` cryptographic provider. Typically, this value is `/opt/redpanda/lib/ossl-modules/`.

    The following configuration starts Redpanda in FIPS mode:

    ```yaml
    redpanda:
      # ....
      fips_mode: enabled
      openssl_config_file: /opt/redpanda/openssl/openssl.cnf
      openssl_module_directory: /opt/redpanda/lib/ossl-modules/
    ```
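
A preflight for the startup conditions described above, as an added example (not Redpanda tooling or code from this page): it reads the three broker properties from `redpanda.yaml`, then checks the kernel FIPS flag, the OpenSSL configuration file, and the presence of `fips.so`. The function names and the optional second argument (an alternative path for the kernel flag file) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: preflight for `fips_mode: enabled`. Not part of Redpanda.
# yaml_get reads plain "key: value" lines only (no quoting or anchors).

yaml_get() {  # usage: yaml_get <file> <key>
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" 2>/dev/null | head -n 1
}

# usage: fips_preflight <redpanda.yaml> [kernel-flag-file]
# The second argument is a hypothetical override so the check can be tested
# against a fixture; it defaults to the file Redpanda reads at startup.
fips_preflight() {
  local yaml="$1" flag="${2:-/proc/sys/crypto/fips_enabled}" rc=0
  local mode conf moddir
  mode=$(yaml_get "$yaml" fips_mode)
  conf=$(yaml_get "$yaml" openssl_config_file)
  moddir=$(yaml_get "$yaml" openssl_module_directory)

  # permissive and disabled both mean the broker is not FIPS-compliant.
  [ "$mode" = "enabled" ] ||
    { echo "FAIL fips_mode is '${mode:-unset}', expected 'enabled'"; rc=1; }
  # With fips_mode enabled, Redpanda exits unless this file contains 1.
  [ "$(cat "$flag" 2>/dev/null)" = "1" ] ||
    { echo "FAIL $flag missing or not 1"; rc=1; }
  [ -r "$conf" ] ||
    { echo "FAIL openssl_config_file not readable: ${conf:-unset}"; rc=1; }
  [ -f "${moddir%/}/fips.so" ] ||
    { echo "FAIL fips.so not found in: ${moddir:-unset}"; rc=1; }

  if [ "$rc" -eq 0 ]; then echo "OK FIPS startup prerequisites present"; fi
  return "$rc"
}

# Run the check when a config path is given on the command line.
if [ "$#" -gt 0 ]; then fips_preflight "$@"; fi
```

Run it on the broker host as `./fips-preflight.sh /etc/redpanda/redpanda.yaml` (the script name is arbitrary) before restarting the broker; a non-zero exit status means at least one prerequisite is missing.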


## Configure FIPS mode with Docker

The Redpanda FIPS Docker image (`docker.redpanda.com/redpandadata/redpanda:<version>-fips`) is available for `amd64` and `arm64` architectures. The image includes the required OpenSSL files, pre-configured.

Pass the FIPS broker configuration to the container the same way as any other Redpanda Docker deployment: either by mounting a configuration file or by passing settings as flags.

### Mount a configuration file

1.  Create a `redpanda.yaml` with the required FIPS settings:

    ```yaml
    redpanda:
      fips_mode: enabled
      openssl_config_file: /opt/redpanda/openssl/openssl.cnf
      openssl_module_directory: /opt/redpanda/lib/ossl-modules/
    ```

2.  Mount the file when starting the container:

    ```bash
    docker run -d \
      --name=redpanda \
      -p 9092:9092 \
      -p 9644:9644 \
      -v /path/to/redpanda.yaml:/etc/redpanda/redpanda.yaml \
      docker.redpanda.com/redpandadata/redpanda:<version>-fips \
      redpanda start --overprovisioned --smp 1
    ```

### Pass settings as flags

Pass the FIPS settings directly to `redpanda start`:

```bash
docker run -d \
  --name=redpanda \
  -p 9092:9092 \
  -p 9644:9644 \
  docker.redpanda.com/redpandadata/redpanda:<version>-fips \
  redpanda start --overprovisioned --smp 1 \
    --set redpanda.fips_mode=enabled \
    --set redpanda.openssl_config_file=/opt/redpanda/openssl/openssl.cnf \
    --set redpanda.openssl_module_directory=/opt/redpanda/lib/ossl-modules/
```

## Next steps

-   [Install Redpanda for FIPS Compliance](https://docs.redpanda.com/streaming/current/deploy/redpanda/manual/production/production-deployment/#install-redpanda-for-fips-compliance)

-   [OpenSSL FIPS Readme](https://github.com/openssl/openssl/blob/master/README-FIPS.md)