# Configure Redpanda for FIPS

Redpanda provides Federal Information Processing Standards (FIPS)-compliant cipher enforcement for brokers using a FIPS 140-3-validated OpenSSL cryptographic module. Redpanda and rpk both use the OpenSSL library for security-related cryptographic operations.

After reading this page, you will be able to:

- Configure a Redpanda broker to run in FIPS-compliant mode
- Set the required OpenSSL properties for FIPS mode
- Deploy Redpanda in FIPS-compliant mode using Docker

This feature requires an enterprise license. To get a trial license key or extend your trial period, generate a new trial license key. To purchase a license, contact Redpanda Sales.

If Redpanda has enterprise features enabled and it cannot find a valid license, restrictions apply.

To check if you already have a license key applied to your cluster:

```bash
rpk cluster license info
```

## Prerequisites

Before configuring brokers to run in FIPS mode on Linux, install the `redpanda-rpk-fips` and `redpanda-fips` packages. For Docker deployments, use the FIPS-specific image instead: `docker.redpanda.com/redpandadata/redpanda:<version>-fips`.

Before upgrading to Redpanda 26.1 with FIPS mode enabled, change any SASL/SCRAM user passwords shorter than 14 characters to at least 14 characters. FIPS 140-3 enforces stricter HMAC key size requirements than FIPS 140-2. Because Redpanda stores passwords in encrypted form, it cannot check the length of existing passwords. Clients with passwords shorter than 14 characters will fail to authenticate after the upgrade.

## Limitations

- Redpanda FIPS mode requires a FIPS-enabled host when deployed with the Redpanda Helm chart or Operator.
- Redpanda Console is not FIPS-compliant.
- Redpanda does not support PKCS#12 keys for TLS encryption when FIPS mode is enabled. The PKCS12KDF algorithm used in PKCS#12 is not FIPS-compliant.
  To use Redpanda in FIPS mode with TLS enabled, configure your certificates and keys in PEM format instead.
- When FIPS mode is enabled or permissive, SASL/SCRAM passwords must be at least 14 characters.

## Configure FIPS mode

When you configure a broker to run in FIPS mode:

- Redpanda enforces FIPS compliance immediately on startup.
- Redpanda and its dependencies only use FIPS-validated cryptographic modules for all cryptographic algorithms used in a security context.

Redpanda logs an error and exits immediately if:

- The underlying operating system and crypto module are not running in FIPS mode.
- The underlying cryptography module enters into an error state.
- It cannot detect a FIPS-validated library.

To place a broker in FIPS-compliant mode, enable `fips_mode` in the Redpanda broker configuration file (typically located in `/etc/redpanda/redpanda.yaml`). All fields are within the `redpanda` object:

```yaml
redpanda:
  # ....
  fips_mode: enabled
```

Available `fips_mode` values are:

- `disabled`: Redpanda is not running in FIPS-compliant mode.
- `enabled`: When Redpanda starts up, it looks for a value of `1` in the file `/proc/sys/crypto/fips_enabled`. If the file doesn't exist or doesn't contain `1`, Redpanda logs an error and exits immediately.
- `permissive`: This setting is a safety valve option only. Do not use it in a production environment. If specified, Redpanda logs a WARNING, but continues operations even if the underlying operating system is not configured for FIPS. If set, your Redpanda instance is not running in FIPS-compliant mode.

You must also configure OpenSSL properties for FIPS mode.

### FIPS OpenSSL configuration

You must specify the following SSL configurations for brokers you want to run in FIPS-compliant mode:

- `openssl_config_file`: Specifies the path to the OpenSSL configuration file created during `redpanda-fips` package installation. OpenSSL uses this file during initialization to find the `fipsmodule.cnf` file that `openssl fipsinstall` creates.
  Typically, this value is `/opt/redpanda/openssl/openssl.cnf`.
- `openssl_module_directory`: Specifies the path to the directory that contains the `fips.so` cryptographic provider. Typically, this value is: `/opt/redpanda/lib/ossl-modules/`.

The following configuration starts Redpanda in FIPS mode:

```yaml
redpanda:
  # ....
  fips_mode: enabled
  openssl_config_file: /opt/redpanda/openssl/openssl.cnf
  openssl_module_directory: /opt/redpanda/lib/ossl-modules/
```

## Configure FIPS mode with Docker

The Redpanda FIPS Docker image (`docker.redpanda.com/redpandadata/redpanda:<version>-fips`) is available for amd64 and arm64 architectures. The image includes the required OpenSSL files, pre-configured.

Pass the FIPS broker configuration to the container the same way as any other Redpanda Docker deployment: either by mounting a configuration file or by passing settings as flags.

### Mount a configuration file

Create a `redpanda.yaml` with the required FIPS settings:

```yaml
redpanda:
  fips_mode: enabled
  openssl_config_file: /opt/redpanda/openssl/openssl.cnf
  openssl_module_directory: /opt/redpanda/lib/ossl-modules/
```

Mount the file when starting the container:

```bash
docker run -d \
  --name=redpanda \
  -p 9092:9092 \
  -p 9644:9644 \
  -v /path/to/redpanda.yaml:/etc/redpanda/redpanda.yaml \
  docker.redpanda.com/redpandadata/redpanda:<version>-fips \
  redpanda start --overprovisioned --smp 1
```

### Pass settings as flags

Pass the FIPS settings directly to `redpanda start`:

```bash
docker run -d \
  --name=redpanda \
  -p 9092:9092 \
  -p 9644:9644 \
  docker.redpanda.com/redpandadata/redpanda:<version>-fips \
  redpanda start --overprovisioned --smp 1 \
  --set redpanda.fips_mode=enabled \
  --set redpanda.openssl_config_file=/opt/redpanda/openssl/openssl.cnf \
  --set redpanda.openssl_module_directory=/opt/redpanda/lib/ossl-modules/
```

## Next steps

- Install Redpanda for FIPS Compliance
- OpenSSL FIPS Readme
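A preflight check for the startup conditions described under "Configure FIPS mode", the OpenSSL paths, and the PEM-only limitation. This is an added example, not Redpanda or rpk code; the function name `fips_preflight`, its argument order, and the assumption that `openssl.cnf` mentions `fipsmodule.cnf` literally are illustrative.

```shell
#!/bin/sh
# Added example (not Redpanda code): host-side preflight for fips_mode: enabled.
# Usage: fips_preflight FLAG_FILE OPENSSL_CONFIG_FILE OPENSSL_MODULE_DIR [TLS_FILE...]
# Prints one line per failed check and returns the number of failures.
fips_preflight() {
    pf_flag=$1; pf_conf=$2; pf_moddir=$3
    shift 3
    pf_fail=0

    # Redpanda exits at startup unless this file exists and contains 1.
    if [ ! -r "$pf_flag" ] || [ "$(tr -d '[:space:]' < "$pf_flag")" != "1" ]; then
        echo "FAIL: $pf_flag is missing or does not contain 1"
        pf_fail=$((pf_fail + 1))
    fi

    # openssl_config_file must lead OpenSSL to fipsmodule.cnf.
    # Assumption: the reference appears literally in the file.
    if [ ! -r "$pf_conf" ] || ! grep -q 'fipsmodule\.cnf' "$pf_conf"; then
        echo "FAIL: $pf_conf is unreadable or does not reference fipsmodule.cnf"
        pf_fail=$((pf_fail + 1))
    fi

    # openssl_module_directory must contain the fips.so provider.
    if [ ! -f "$pf_moddir/fips.so" ]; then
        echo "FAIL: no fips.so in $pf_moddir"
        pf_fail=$((pf_fail + 1))
    fi

    # TLS keys and certificates must be PEM; PKCS#12 is binary and is rejected.
    for pf_tls in "$@"; do
        if ! grep -q '^-----BEGIN [A-Z0-9 ]*-----' "$pf_tls" 2>/dev/null; then
            echo "FAIL: $pf_tls is not PEM (PKCS#12 is unsupported in FIPS mode)"
            pf_fail=$((pf_fail + 1))
        fi
    done

    return "$pf_fail"
}

# Runs only when arguments are supplied, for example:
#   sh preflight.sh /proc/sys/crypto/fips_enabled \
#      /opt/redpanda/openssl/openssl.cnf /opt/redpanda/lib/ossl-modules \
#      /path/to/broker.key /path/to/broker.crt
if [ "$#" -ge 3 ]; then
    fips_preflight "$@"
fi
```

A zero exit status means every check passed. The script does not cover the 14-character SASL/SCRAM password minimum, which has to be audited at the credential source because the stored passwords cannot be measured.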