Are there any FIPS-140-2 certified solutions for Linux? [closed]

I'm not even 100% certain what this involves, but my current understanding is this:

  • use of only approved cryptographic algorithms for network traffic (easy, we use SSL and lock down the algorithms to only the really strong ones).

  • Some form of physical data protection, involving disk encryption and physical tamper evident packaging.

Obviously we're on our own if we need a tamper-proof product. But what about software for encryption? My guess is just using LUKS (although secure) will not be certified because it's open source (gov't seems a bit biased towards proprietary solutions here).

Guardian Edge was mentioned by someone, but that appears to be completely Windows-based. So we need something like it, certified FIPS-140 compliant, that we can use on Linux.
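The first bullet in the question (lock the TLS stack down to approved algorithms) and the later answers' point that certification is tied to a specific module build both come down to runtime settings an auditor will ask to see. The following is an added example, not code from the question or any of the answers. It assumes a Linux kernel that exposes `/proc/sys/crypto/fips_enabled` (as RHEL does, reporting `1` when the kernel is in FIPS mode) and a Python `ssl` module built on OpenSSL; `APPROVED_CIPHER_LIST` and the function names are constructed for this example, and the list a validated module actually permits is defined by that module's Security Policy, not by this string.

```python
"""Two defender-side checks for a Linux host that must run in a FIPS 140-2 posture.

Added example (not from the original page). Assumptions:
  - /proc/sys/crypto/fips_enabled exists and holds "1" in FIPS mode, "0" otherwise;
  - Python's `ssl` module is backed by OpenSSL.
Neither check proves the OpenSSL build is the validated one; they show the
runtime configuration points that must be right before that question matters.
"""
from typing import List
import ssl

FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"

# Constructed cipher-list string: forward-secret AES suites only, with legacy
# and non-approved material excluded by name.  TLS 1.3 suites are governed
# separately by OpenSSL and are not affected by set_ciphers(); in a FIPS-mode
# OpenSSL the provider itself drops ChaCha20-Poly1305.
APPROVED_CIPHER_LIST = (
    "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:"
    "!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT:!SEED:!CAMELLIA:!CHACHA20"
)

# Substrings that must never appear in a suite the context is willing to offer.
FORBIDDEN_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "SEED", "CAMELLIA")


def parse_fips_flag(text: str) -> bool:
    """Interpret the contents of fips_enabled: True only for exactly '1'."""
    return text.strip() == "1"


def kernel_fips_mode(path: str = FIPS_FLAG_PATH) -> bool:
    """Read the kernel flag; a missing or unreadable file counts as FIPS mode off."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_fips_flag(fh.read())
    except OSError:
        return False


def build_locked_down_context() -> ssl.SSLContext:
    """Client context that refuses TLS < 1.2 and the excluded cipher suites."""
    ctx = ssl.create_default_context()          # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(APPROVED_CIPHER_LIST)
    return ctx


def negotiable_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of the suites the context will actually offer (TLS 1.3 ones included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def offending_suites(ctx: ssl.SSLContext) -> List[str]:
    """Suites still present in the context whose name carries a forbidden marker."""
    return [name for name in negotiable_suites(ctx)
            if any(marker in name for marker in FORBIDDEN_MARKERS)]


if __name__ == "__main__":
    print("kernel FIPS mode:", kernel_fips_mode())
    context = build_locked_down_context()
    print("offered suites:", negotiable_suites(context))
    print("offending suites:", offending_suites(context))
```

Run it on the host in question: `kernel_fips_mode()` returning `False` means the kernel is not in FIPS mode regardless of how OpenSSL was built, and a non-empty `offending_suites()` list means the cipher string did not take effect as intended on this OpenSSL version. The kernel flag is the cheap check; whether the linked OpenSSL is the exact validated build is a separate question answered by the vendor's certificate and Security Policy.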


Solution 1:

OpenSSL got FIPS-140-2 certified a while ago; it requires you to use a particular version and build of OpenSSL, but if you really need the certification, then you're probably up the creek in a variety of other ways, too.

See http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf for all the gory details.

Solution 2:

Red Hat Enterprise Linux 5 (and soon 6) has a number of FIPS 140-2 certified modules:

http://www.redhat.com/solutions/industry/government/certifications.html

Solution 3:

OpenSSL is currently compliant only for version 1.2 on OpenSUSE 10.2 compiled with the gcc compiler 4.1.2 per the NIST documentation! With the increasing regulatory and compliance environment (HIPAA, SOX, PCI, FTC Red Flag, etc, etc), it's absolutely essential that more open source efforts receive the required review for this, and soon. There are plenty of small organizations out there (like ours) that rely on open source products like OpenSSL, TrueCrypt and GPG -- projects that use established, vetted encryption schemes and evolve as new ones become available. FIPS 140-2 is on its way to becoming the de facto standard for all regulated environments, not just government, and they need to certify more programs that are within the reach of the increasing number of smaller organizations that are subject to the standard.

To answer your question, outside of OpenSSL, no! :)

Solution 4:

As of April 2013, Red Hat has achieved FIPS 140-2 certification for the OpenSSL and NSS implementations of the SSL/TLS protocol libraries as well as its integration in a number of applications like OpenSSH and Openswan (IPSec daemons).