Configuring FIPS Mode in Oracle Linux 8

FIPS mode can be configured during the initial installation of Oracle Linux 8 or after installation, as described in the following sections.

Installing Oracle Linux 8 in FIPS Mode

Add fips=1 to the kernel command line during system installation to automatically configure a new Oracle Linux 8 system to run in FIPS mode from the first boot. Append the parameter to the installer's boot line or, for kickstart installations, to the bootloader --append option, so that the installed system boots with fips=1 from the start.

The main benefit of enabling FIPS mode at installation time is that Oracle Linux 8 then generates all system keys by using FIPS-approved algorithms, with the continuous self-tests that FIPS mode requires already in force. Keys that were generated while the system ran outside FIPS mode, such as SSH host keys created at first boot, were not produced under those constraints, so a system that is switched to FIPS mode later should have such keys regenerated.

To verify that FIPS mode is enabled, run the following command after Oracle Linux 8 has been installed:

sudo fips-mode-setup --check

Note:

The method for enabling and disabling FIPS mode in this release has changed significantly from the method that was used in previous Oracle Linux releases. In particular, the dracut-fips package no longer exists and doesn't need to be enabled on Oracle Linux 8. Also, you no longer need to edit the GRUB configuration file.

Enabling and Disabling FIPS Mode for Existing Oracle Linux 8 Installations

You can configure a preexisting Oracle Linux 8 installation to run in FIPS mode by using the fips-mode-setup utility, which changes the system-wide cryptographic policy, installs the FIPS dracut module, regenerates the system ramdisk, and updates the kernel boot parameters.

Note:

To enable FIPS mode in Oracle Linux containers, see the Managing Containers chapter in the Oracle Linux: Podman User's Guide.

  1. Enable FIPS mode:

    sudo fips-mode-setup --enable

    The following output is displayed:

    Kernel initramdisks are being regenerated. This might take some time.
    Setting system policy to FIPS
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.
    FIPS mode will be enabled.
    Please reboot the system for the setting to take effect.

    You must reboot the system for the setting to take effect.

    Note:

    Running the previous command configures FIPS mode implicitly by setting the system-wide cryptographic policy to FIPS. Setting that policy directly with the update-crypto-policies command isn't sufficient: it only restricts the algorithms that user-space libraries accept, and it neither adds the fips=1 kernel parameter nor installs the FIPS dracut module, so the kernel itself doesn't run in FIPS mode. The tool warns about this, as shown in the following output:

    sudo update-crypto-policies --set FIPS

    The following output is displayed:

    Warning: Using 'update-crypto-policies --set FIPS' is not sufficient for FIPS compliance.
    Use 'fips-mode-setup --enable' command instead.
  2. Verify that FIPS mode has been enabled correctly:

    sudo fips-mode-setup --check

    The following output is displayed:

    FIPS mode is enabled.
  3. To disable FIPS mode:

    sudo fips-mode-setup --disable

    The following output is displayed:

    Setting system policy to DEFAULT
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.
    FIPS mode will be disabled.
    Please reboot the system for the setting to take effect.

    You must reboot the system for the setting to take effect.
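The following script is an added example and is not part of the Oracle Linux documentation or of the fips-mode-setup utility. It makes the cross-check behind the procedure above explicit: a host is only fully in FIPS mode when the running kernel reports fips_enabled=1, the next-boot kernel arguments contain fips=1, and the system-wide crypto policy is FIPS (or a FIPS subpolicy such as FIPS:OSPP). Any other combination is reported as policy-only (the update-crypto-policies --set FIPS trap from the note above), kernel-only, or pending-reboot. The file paths and the grubby invocation used to read the live values are assumptions based on the standard RHEL-family layout; the classify_fips function itself takes its inputs as arguments so it can be exercised with constructed values.

```shell
#!/bin/sh
# Added example (not Oracle Linux documentation code): classify a host's FIPS state
# by cross-checking the three things fips-mode-setup changes, so that a policy-only
# system or an un-rebooted system is reported instead of looking enabled.
#
# classify_fips KERNEL_FLAG NEXT_BOOT_ARGS POLICY
#   KERNEL_FLAG     contents of /proc/sys/crypto/fips_enabled for the running kernel ("0" or "1")
#   NEXT_BOOT_ARGS  kernel arguments configured for the next boot (for example the
#                   args= line of `grubby --info=DEFAULT`)
#   POLICY          active policy name from /etc/crypto-policies/config
#                   (DEFAULT, FIPS, FIPS:OSPP, ...)
# Prints exactly one of: enabled disabled policy-only kernel-only pending-reboot
classify_fips() {
    kernel_flag=$1
    next_boot_args=$2
    policy=$3

    # Is fips=1 present as a whole token in the next-boot kernel arguments?
    case " $next_boot_args " in
        *" fips=1 "*) next_fips=1 ;;
        *)            next_fips=0 ;;
    esac
    # The FIPS policy may carry a subpolicy suffix such as FIPS:OSPP; match the base name.
    case "$policy" in
        FIPS|FIPS:*) policy_fips=1 ;;
        *)           policy_fips=0 ;;
    esac
    if [ "$kernel_flag" = "1" ]; then cur_fips=1; else cur_fips=0; fi

    if [ "$cur_fips" != "$next_fips" ]; then
        # Boot configuration differs from the running kernel: fips-mode-setup
        # --enable or --disable has run and the system has not been rebooted yet.
        echo pending-reboot
    elif [ "$cur_fips" = 1 ] && [ "$policy_fips" = 1 ]; then
        echo enabled
    elif [ "$cur_fips" = 0 ] && [ "$policy_fips" = 0 ]; then
        echo disabled
    elif [ "$cur_fips" = 0 ]; then
        # User-space libraries follow the FIPS policy, but the kernel was booted
        # without fips=1, so the kernel's crypto is not in FIPS mode.
        echo policy-only
    else
        # Kernel booted with fips=1, but the policy was reset (e.g. to DEFAULT),
        # so user-space crypto is no longer restricted.
        echo kernel-only
    fi
}

# Read the live values on an Oracle Linux 8 host and classify them.
# Assumptions: standard RHEL-family paths, and grubby output of the form args="...".
check_host() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        flag=$(cat /proc/sys/crypto/fips_enabled)
    else
        flag=0
    fi
    if command -v grubby >/dev/null 2>&1; then
        args=$(grubby --info=DEFAULT 2>/dev/null | sed -n 's/^args="\(.*\)"$/\1/p')
    else
        args=
    fi
    if [ -r /etc/crypto-policies/config ]; then
        pol=$(head -n 1 /etc/crypto-policies/config)
    else
        pol=DEFAULT
    fi
    state=$(classify_fips "$flag" "$args" "$pol")
    echo "fips_enabled=$flag policy=$pol next_boot_args=[$args] -> $state"
    # Exit status 0 only when the host is fully in FIPS mode.
    [ "$state" = enabled ]
}

# Run the live check only when invoked as: sh fips-state.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it with --check as root after each step of the procedure: immediately after fips-mode-setup --enable it reports pending-reboot, after the reboot it reports enabled, and on a host where only update-crypto-policies --set FIPS was run it reports policy-only.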

For more information, see the fips-mode-setup(8) manual pages.