Full disk encryption during installation - with FIPS enabled

a coder
Posts: 6
Joined: 2015/08/12 16:09:48

Full disk encryption during installation - with FIPS enabled

Post by a coder » 2015/09/02 15:50:27

The easiest way to encrypt data on a system is to mark volumes to be encrypted during installation. Sys admins can also manually encrypt volumes after the fact.

The good news is that as of CentOS/RHEL 6, dm-crypt with the LUKS extension is FIPS kosher.

The bad news is that FIPS mode is disabled by default during installation. If you encrypt entire volumes during installation, then later enable FIPS mode - you won't be able to boot into your system anymore. Disable FIPS, and you can boot into your box again.

The bottom line is that FIPS mode should be set before encrypting volumes.

So - is there a way to enable FIPS mode during installation, prior to marking volumes for encryption?

aks
Posts: 2558
Joined: 2014/09/20 11:22:14

Re: Full disk encryption during installation - with FIPS ena

Post by aks » 2015/09/02 18:54:12

Yes, it is possible. I'm pretty sure I did so many, many years ago.
I think the pointer(s) you require is: https://access.redhat.com/documentation ... ndard.html
(I think you need a FIPS "compliant" boot environment (via dracut) and all will be good.)

StormTheGates
Posts: 9
Joined: 2014/06/25 00:16:09

Re: Full disk encryption during installation - with FIPS enabled

Post by StormTheGates » 2018/05/15 20:21:51

Hauling this topic out of mothballs in search of an answer.

I think in CentOS 7 you are able to enable FIPS mode during install at the same time you encrypt your partitions.

But not on CentOS 6. Any ideas for how this can be done at install time so that the OS partition can also be encrypted?

a coder
Posts: 6
Joined: 2015/08/12 16:09:48

Re: Full disk encryption during installation - with FIPS enabled

Post by a coder » 2018/05/15 20:33:12

As far as I know, there isn't a way to set up FIPS with EL6. I used CentOS 7 as a result (and have FIPS encrypted volumes now). What business case do you have for using CentOS 6 instead of the current release?

StormTheGates
Posts: 9
Joined: 2014/06/25 00:16:09

Re: Full disk encryption during installation - with FIPS enabled

Post by StormTheGates » 2018/05/16 13:10:47

Unfortunately only CentOS 6 is approved for our government environment, with CentOS 7 undergoing review right now.

We also have a requirement to encrypt all data at rest so ¯\_(ツ)_/¯

Chirpychirps77
Posts: 18
Joined: 2018/01/12 01:36:06

Re: Full disk encryption during installation - with FIPS enabled

Post by Chirpychirps77 » 2018/06/01 04:20:56

LUKS will meet the DAR requirement for RHEL/CentOS 6. FIPS has more to do with crypto algorithms used. Not sure how stringent your requirements are, but there are resources out there (DISA STIG, NIST, USGB, etc).
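
Added example, not written by any poster in this thread: a guard for a kickstart `%pre` script that stops the install when the kickstart requests encrypted volumes but the installer kernel is not in FIPS mode, which is the ordering problem the first post describes. It assumes a CentOS 7 installer booted with `fips=1`; the function names and the default kickstart path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): source this from a kickstart %pre
# section and run `check_install || exit 1`.
# The default kickstart path is an assumption; pass your own as $1.

# Succeeds (0) when the kickstart asks for at least one encrypted volume.
wants_encryption() {
    # Drop comment lines, then look for --encrypted on a
    # part/partition, logvol, raid or autopart command.
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*(part|partition|logvol|raid|autopart)[[:space:]].*--encrypted([[:space:]]|$)'
}

# Succeeds (0) when the running kernel reports FIPS mode.
# A missing or unreadable flag file counts as "off" (fail closed).
fips_active() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# check_install [KS_FILE] [FIPS_FLAG]
# Prints a verdict; returns 0 when it is safe to proceed, 1 otherwise.
check_install() {
    ks=${1:-/run/install/ks.cfg}
    flag=${2:-/proc/sys/crypto/fips_enabled}
    if ! wants_encryption "$ks"; then
        echo "ok: no encrypted volumes requested"
        return 0
    fi
    if fips_active "$flag"; then
        echo "ok: encrypted volumes requested and FIPS mode is active"
        return 0
    fi
    echo "refuse: encrypted volumes requested but FIPS mode is off"
    return 1
}
```
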
