Overview#
This page describes the process to enable FIPS mode on Fedora 28.
WARNING: Make sure the system is backed up. This procedure may render the system unusable.
Prerequisites#
Install FIPS packages:
$ dnf install dracut-fips
Enabling FIPS Mode#
Recreate the initramfs so that it includes the FIPS integrity-check module:
$ dracut -f
Optionally, inspect the kernel command line that dracut derives and the dracut configuration currently in use:
$ dracut --print-cmdline
rd.lvm.lv=vg_root/lv_swap
rd.lvm.lv=vg_root/lv_root
resume=/dev/mapper/vg_root-lv_swap root=/dev/mapper/vg_root-lv_root rootfstype=ext4 rootflags=rw,relatime,seclabel,data=ordered
$ egrep -R . /{etc,lib}/dracut.conf*
/etc/dracut.conf:# PUT YOUR CONFIG IN separate files
/etc/dracut.conf:# in /etc/dracut.conf.d named "<name>.conf"
/etc/dracut.conf:# SEE man dracut.conf(5) for options
Enable FIPS in /etc/default/grub by appending fips=1 to the kernel command line:
GRUB_CMDLINE_LINUX="... fips=1"
If /boot resides on a separate partition, find the UUID of that partition:
$ df /boot
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 243823 137045 93978 60% /boot
$ blkid /dev/vda1
/dev/vda1: UUID="ac6e6fb6-7336-49fe-a76a-01db03186919" TYPE="ext3" PARTUUID="c2dbf6db-01"
Add the UUID to the kernel command line in /etc/default/grub with the boot= parameter:
GRUB_CMDLINE_LINUX="... fips=1 boot=UUID=ac6e6fb6-7336-49fe-a76a-01db03186919"
Regenerate grub.cfg:
$ grub2-mkconfig -o /boot/grub2/grub.cfg
Reboot the system:
$ reboot
Verification#
After the reboot, verify that the kernel is running in FIPS mode; the value must be 1:
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
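The procedure above edits /etc/default/grub by hand, which is easy to get wrong (a duplicated fips=1, a boot= argument pointing at the wrong filesystem, or a quote lost in the line). The script below is an added example and is not part of the Fedora page: it performs the same steps idempotently. The function names (add_kernel_arg, update_grub_defaults, boot_uuid_for_separate_boot, fips_mode_active, apply_fips_boot_config), the sample /etc/default/grub content written to a temporary file, and the use of findmnt to decide whether /boot is a separate filesystem are this example's own assumptions. Only apply_fips_boot_config touches the system, and only when run as root with APPLY=1.

```shell
#!/usr/bin/env bash
# Added example, not from the Fedora FIPS page: idempotent helpers for the
# /etc/default/grub edit, plus a check of the resulting kernel state.
set -eu

# add_kernel_arg VALUE ARG: print VALUE with ARG appended, replacing any
# existing argument that has the same key (the part before the first '=').
add_kernel_arg() {
  local value="$1" arg="$2" key="${1%%=*}" out="" tok replaced=0
  key="${arg%%=*}"
  for tok in $value; do
    if [ "${tok%%=*}" = "$key" ]; then tok="$arg"; replaced=1; fi
    out="${out:+$out }$tok"
  done
  [ "$replaced" -eq 1 ] || out="${out:+$out }$arg"
  printf '%s' "$out"
}

# update_grub_defaults FILE [UUID]: rewrite the GRUB_CMDLINE_LINUX= line of an
# /etc/default/grub-style FILE so it carries fips=1 and, when UUID is given,
# boot=UUID=<UUID>. Other lines are copied unchanged. Running it twice is a no-op.
update_grub_defaults() {
  local file="$1" uuid="${2:-}" tmp line value
  tmp=$(mktemp)
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      GRUB_CMDLINE_LINUX=*)
        value="${line#GRUB_CMDLINE_LINUX=}"
        value="${value#\"}"; value="${value%\"}"      # strip surrounding quotes
        value=$(add_kernel_arg "$value" "fips=1")
        [ -z "$uuid" ] || value=$(add_kernel_arg "$value" "boot=UUID=$uuid")
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$value"
        ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$file" > "$tmp"
  mv "$tmp" "$file"
}

# boot_uuid_for_separate_boot: print the filesystem UUID of the device behind
# /boot when it differs from the root device (i.e. /boot is its own partition);
# print nothing when /boot lives on the root filesystem. Assumes util-linux.
boot_uuid_for_separate_boot() {
  local boot_dev root_dev
  boot_dev=$(findmnt -n -o SOURCE --target /boot)
  root_dev=$(findmnt -n -o SOURCE --target /)
  [ "$boot_dev" = "$root_dev" ] || blkid -s UUID -o value "$boot_dev"
}

# fips_mode_active: succeed when the running kernel reports FIPS mode. Reads the
# file behind `sysctl crypto.fips_enabled`; it is absent on kernels without FIPS.
fips_mode_active() {
  [ -r /proc/sys/crypto/fips_enabled ] && [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]
}

# apply_fips_boot_config: the page's procedure, run for real. Guarded so that
# merely sourcing or testing this file never modifies the machine.
apply_fips_boot_config() {
  [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ] || { echo "not applying (set APPLY=1 and run as root)"; return 0; }
  dnf install -y dracut-fips
  dracut -f
  update_grub_defaults /etc/default/grub "$(boot_uuid_for_separate_boot)"
  grub2-mkconfig -o /boot/grub2/grub.cfg
  echo "reboot, then run: sysctl crypto.fips_enabled"
}

# Demonstration on a constructed, throw-away copy of /etc/default/grub.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="rd.lvm.lv=vg_root/lv_root rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
update_grub_defaults "$demo_file" "ac6e6fb6-7336-49fe-a76a-01db03186919"
update_grub_defaults "$demo_file" "ac6e6fb6-7336-49fe-a76a-01db03186919"   # second run changes nothing
cat "$demo_file"
rm -f "$demo_file"
if fips_mode_active; then echo "kernel: FIPS mode on"; else echo "kernel: FIPS mode off"; fi
```

The UUID used in the demonstration is the one shown on this page; on a real system apply_fips_boot_config derives it from the mounted /boot device instead, and omits boot= entirely when /boot is not a separate filesystem, since a wrong boot= argument leaves the FIPS integrity check unable to find the kernel's HMAC file at boot.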