Full disk encryption during installation - with FIPS enabled

Posted: 2015/09/02 15:50:27
by a coder
The easiest way to encrypt data on a system is to mark volumes to be encrypted during installation. Sys admins can also manually encrypt volumes after the fact.

The good news is that as of CentOS/RHEL 6, dm-crypt with the LUKS extension is FIPS kosher.

The bad news is that FIPS mode is disabled by default during installation. If you encrypt entire volumes during installation, then later enable FIPS mode - you won't be able to boot into your system anymore. Disable FIPS, and you can boot into your box again.

The bottom line is that FIPS mode should be set before encrypting volumes.

So - is there a way to enable FIPS mode during installation, prior to marking volumes for encryption?
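
A pre-flight check for the ordering described in this post, as an added example that is not part of the original post: it reads the kernel's FIPS flag and refuses to go on to encryption unless FIPS mode is already active. The function names and the `/etc/default/grub` default (an EL7-style path) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): refuse to encrypt unless the running
# kernel is already in FIPS mode. Paths are arguments so the logic can be
# exercised against constructed files instead of the live system.

# fips_state [FLAG_FILE] [BOOT_CONFIG]
# Prints: active | pending-reboot | inactive | unknown
fips_state() {
    local flag_file=${1:-/proc/sys/crypto/fips_enabled}
    local boot_config=${2:-/etc/default/grub}   # assumption: EL7-style path
    local flag=""

    # The kernel exposes 1 here when it is running in FIPS mode.
    if [ ! -r "$flag_file" ]; then
        echo unknown
        return 0
    fi
    read -r flag < "$flag_file" || true
    if [ "$flag" = "1" ]; then
        echo active
        return 0
    fi

    # Not active now: is fips=1 already configured for the next boot?
    if [ -r "$boot_config" ] &&
       grep -Eq '(^|[[:space:]"])fips=1([[:space:]"]|$)' "$boot_config"; then
        echo pending-reboot
    else
        echo inactive
    fi
}

# encrypt_gate [FLAG_FILE] [BOOT_CONFIG]
# Exit status 0 only when FIPS mode is active, i.e. before volumes are encrypted.
encrypt_gate() {
    local state
    state=$(fips_state "$@")
    if [ "$state" = active ]; then
        return 0
    fi
    echo "refusing to encrypt: FIPS mode is $state" >&2
    return 1
}
```

Run `encrypt_gate` with no arguments on the target host before creating encrypted volumes; a non-zero exit means FIPS mode is not yet active.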

Re: Full disk encryption during installation - with FIPS ena

Posted: 2015/09/02 18:54:12
by aks
Yes, it is possible. I'm pretty sure I did so many, many years ago.
I think the pointer(s) you require is: https://access.redhat.com/documentation ... ndard.html
(I think you need a FIPS "compliant" boot environment (via dracut) and all will be good)....

Re: Full disk encryption during installation - with FIPS enabled

Posted: 2018/05/15 20:21:51
by StormTheGates
Hauling this topic out of mothballs in search of an answer.

I think in CentOS 7 you are able to enable FIPS mode during install at the same time you encrypt your partitions.

But not on CentOS 6. Any ideas for how this can be done at install time so that the OS partition can also be encrypted?

Re: Full disk encryption during installation - with FIPS enabled

Posted: 2018/05/15 20:33:12
by a coder
As far as I know, there isn't a way to set up FIPS with EL6. I used CentOS 7 as a result (and have FIPS encrypted volumes now). What business case do you have for using CentOS 6 instead of the current release?

Re: Full disk encryption during installation - with FIPS enabled

Posted: 2018/05/16 13:10:47
by StormTheGates
Unfortunately only CentOS 6 is approved for our government environment, with CentOS 7 undergoing review right now.

We also have a requirement to encrypt all data at rest so ¯\_(ツ)_/¯