2.6 How to enable the FIPS mode
Libgcrypt may be used in a FIPS 140-2 mode. Note that this does not necessarily mean that Libgcrypt is an approved FIPS 140-2 module. Check the NIST database at http://csrc.nist.gov/groups/STM/cmvp/ to see which versions of Libgcrypt are approved.
Because FIPS 140 has certain restrictions on the use of cryptography which are not always wanted, Libgcrypt needs to be put into FIPS mode explicitly. Three alternative mechanisms are provided to switch Libgcrypt into this mode:
- If the file ‘/proc/sys/crypto/fips_enabled’ exists and contains a numeric value other than 0, Libgcrypt is put into FIPS mode at initialization time. Obviously this works only on systems with a proc file system (i.e. GNU/Linux).
- If the file ‘/etc/gcrypt/fips_enabled’ exists, Libgcrypt is put into FIPS mode at initialization time. Note that this filename is hardwired and does not depend on any configuration options.
- If the application requests FIPS mode using the control command GCRYCTL_FORCE_FIPS_MODE. This must be done prior to any initialization (i.e. before gcry_check_version).
In addition to the standard FIPS mode, Libgcrypt may also be put into an Enforced FIPS mode by writing a non-zero value into the file ‘/etc/gcrypt/fips_enabled’ or by using the control command GCRYCTL_SET_ENFORCED_FIPS_FLAG before any other calls to libgcrypt. The Enforced FIPS mode helps to detect applications which don’t fulfill all requirements for using Libgcrypt in FIPS mode (see section Description of the FIPS Mode).
Once Libgcrypt has been put into FIPS mode, it is not possible to switch back to standard mode without terminating the process first. If the logging verbosity level of Libgcrypt has been set to at least 2, the state transitions and the self-tests are logged.
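The following script is an added example and is not part of the Libgcrypt manual or of the Libgcrypt sources. It reproduces the two file-based decisions described above (the kernel flag in ‘/proc/sys/crypto/fips_enabled’ and the hardwired ‘/etc/gcrypt/fips_enabled’ file, including its non-zero content escalating to Enforced FIPS mode) so that an administrator can predict which mode a freshly started Libgcrypt process will select on a given host before deploying an application. The function names, the parameterised paths (so the logic can be exercised against constructed files) and the treatment of non-numeric file contents as "not a numeric value" are this example's own assumptions; the third mechanism, the application calling gcry_control with GCRYCTL_FORCE_FIPS_MODE before gcry_check_version, happens inside the process and is not something a script can observe from outside.

```shell
#!/bin/sh
# Added example (not Libgcrypt code): predict the FIPS mode Libgcrypt will
# pick at initialization time from the two files the manual describes.
# Paths are parameters so the checks can be run against constructed files;
# the defaults are the real, hardwired locations.

# Print "fips" if the kernel flag file exists and holds a numeric value other
# than 0, "standard" otherwise. A missing file or non-numeric content counts
# as "not set" (assumption of this example).
kernel_fips_state() {
    procfile=${1:-/proc/sys/crypto/fips_enabled}
    [ -f "$procfile" ] || { echo standard; return; }
    value=$(tr -d '[:space:]' < "$procfile")
    case $value in
        ''|*[!0-9]*) echo standard ;;
        *) if [ "$value" -ne 0 ]; then echo fips; else echo standard; fi ;;
    esac
}

# The /etc file works differently: its mere existence selects FIPS mode, and
# a non-zero numeric value inside it additionally selects Enforced FIPS mode.
# Prints "enforced", "fips" or "standard".
gcrypt_file_state() {
    cfgfile=${1:-/etc/gcrypt/fips_enabled}
    [ -f "$cfgfile" ] || { echo standard; return; }
    value=$(tr -d '[:space:]' < "$cfgfile")
    case $value in
        ''|*[!0-9]*) echo fips ;;
        *) if [ "$value" -ne 0 ]; then echo enforced; else echo fips; fi ;;
    esac
}

# Combine both checks. Either file can turn FIPS mode on; neither can turn it
# off, and only the /etc file can escalate to Enforced FIPS mode.
predicted_gcrypt_mode() {
    proc_state=$(kernel_fips_state "$1")
    file_state=$(gcrypt_file_state "$2")
    if [ "$file_state" = enforced ]; then
        echo enforced
    elif [ "$proc_state" = fips ] || [ "$file_state" = fips ]; then
        echo fips
    else
        echo standard
    fi
}

# Report the prediction for the running host ...
echo "this host: $(predicted_gcrypt_mode)"

# ... and show the escalation path with constructed files: a kernel flag of 1
# plus a non-zero /etc file yields Enforced FIPS mode.
tmp=$(mktemp -d)
printf '1\n' > "$tmp/proc_fips_enabled"
printf '1\n' > "$tmp/etc_fips_enabled"
echo "constructed: $(predicted_gcrypt_mode "$tmp/proc_fips_enabled" "$tmp/etc_fips_enabled")"
rm -rf "$tmp"
```

Run it as a normal user; reading the proc flag needs no privileges. Remember that the script only predicts the initialization-time state: an application can still force FIPS mode itself with gcry_control (GCRYCTL_FORCE_FIPS_MODE, 0) before gcry_check_version, and once in FIPS mode a process cannot return to standard mode, so a "standard" prediction here is not a guarantee about a given process.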
This document was generated on February 9, 2014 using texi2html 5.0.