
Federal Information Processing Standards (FIPS) are guidelines established by the U.S. government through the National Institute of Standards and Technology. These standards ensure that IT systems used by federal agencies and other regulated sectors meet specific security requirements.
The FIPS 140-2 standard focuses on cryptographic modules, ensuring they are secure and validated. It mandates the use of approved algorithms, such as AES (symmetric encryption), SHA-256 (hashing for integrity), and RSA (public-key cryptography). FIPS 140-2 guarantees that cryptographic modules are tested and secure, reducing vulnerabilities by restricting use to validated methods.
In this post, we cover FIPS in Redpanda and then walk you through implementing a FIPS-compliant Redpanda cluster.
FIPS compliance in Redpanda
Redpanda provides FIPS-compliant cipher enforcement for brokers using OpenSSL 3.0.9, which is validated for FIPS 140-2 and is undergoing validation by NIST for 140-3. Both Redpanda brokers and the rpk command-line tool leverage validated OpenSSL libraries for all security-related cryptography operations.
In late 2025, Redpanda will move to OpenSSL 3.1.2, which was validated for FIPS 140-3 to remain compliant as 140-2 expires.
FIPS compliance in the Redpanda cluster is an enterprise feature that requires a license. It allows Redpanda clusters to operate in environments that require adherence to strict federal security standards for cryptographic modules.
When configured for FIPS mode:
- FIPS compliance is enforced immediately upon Redpanda cluster startup
- Only FIPS-validated cryptographic modules are used for security operations
- Redpanda will log an error and exit if the underlying operating system isn't properly configured
FIPS support in a Redpanda cluster is available in self-managed deployments using RPM or Debian package installations. Availability in the Cloud and as K8s deployments, along with FIPS compliance for Redpanda Connect, are all on the product roadmap. For more information on FIPS availability in Redpanda Cloud, just get in touch.
Now, let us look at an example installation of a Redpanda cluster in FIPS mode, where we will create a single-node Redpanda FIPS-compliant cluster on a Red Hat Enterprise Linux (RHEL) VM.
Implementing FIPS compliance in Redpanda
To implement FIPS compliance in a Redpanda cluster, do the following:
- Turn on FIPS at the OS level.
- Install these packages:
  redpanda-fips: Contains the OpenSSL FIPS-approved module for Redpanda
  redpanda-rpk-fips: Contains a FIPS-compliant version of rpk
- Configure the broker with the proper settings in redpanda.yaml:
  redpanda:
    fips_mode: enabled
    openssl_config_file: /opt/redpanda/openssl/openssl.cnf
    openssl_module_directory: /opt/redpanda/lib/ossl-modules/
The Redpanda cluster offers three FIPS mode settings:
disabled: Default state, not running in FIPS compliance mode
enabled: Full FIPS compliance mode, requiring the OS to be FIPS-enabled
permissive: A non-production safety option that allows operation even if the OS isn't FIPS-configured. This configuration implies that the Redpanda cluster is running as close as it can to FIPS mode, but anything crypto-related that relies on the operating system (such as sourcing entropy) may not be in full compliance
A typical production environment that needs to be FIPS compliant will have FIPS enabled at the OS level and Redpanda configured with fips_mode set to enabled. A development environment can have FIPS disabled at the OS level, but a Redpanda cluster that is to run as close to FIPS compliance as possible there would need fips_mode set to permissive.
Let’s look at the steps involved in implementing a FIPS-compliant Redpanda cluster in more detail.
1. Turning on FIPS at the OS level
To be fully FIPS compliant, the OS-level FIPS setting should be turned on before creating a Redpanda cluster. Different operating systems have different ways of turning on FIPS. In the context of this blog, we use RHEL.
RHEL versions later than 8.x provide a utility called fips-mode-setup that can be used to check and control the system FIPS mode. When enabling FIPS mode, fips-mode-setup completes the installation of FIPS modules by calling fips-finish-install and changing the system cryptographic policy to FIPS.
Note: Additional steps may be required to enable and validate FIPS status within the OS installation. Refer to your operating system provider's documentation for more details.
1. Log in as root and run the following command:
fips-mode-setup --check
If FIPS is not installed, it will display the following message.
Installation of FIPS modules is not completed.
FIPS mode is disabled.
2. Enable FIPS mode by running the following command. The VM will need a reboot once the command has completed.
fips-mode-setup --enable
3. Reboot the VM and run this command. Note: rebooting the host is an important step in configuring the OS for FIPS.
fips-mode-setup --check
You will now see the message FIPS mode is enabled, which confirms that FIPS is enabled at the OS level.
Now we are ready to install and configure the Redpanda cluster in FIPS mode.
2. Install and configure Redpanda in FIPS mode
To run a Redpanda cluster in FIPS compliance mode, first install the redpanda-fips package, which is separate from (and depends on) the Redpanda package already being installed. Similarly, rpk needs the redpanda-rpk-fips package. Once both are installed, the redpanda.yaml file needs to be configured, as mentioned earlier.
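The three fips_mode settings above only make sense in combination with the OS state: enabled requires the host to be in FIPS mode, and permissive is the non-production fallback. As an added example that is not part of the original post or of Redpanda's own tooling, the following POSIX shell preflight script ties the OS check from step 1 to the redpanda.yaml setting from step 2: it reads the kernel's FIPS flag, extracts fips_mode from the config file, and reports whether the broker would start in full compliance, start without full compliance, or log an error and exit. It assumes the kernel exposes its FIPS flag at /proc/sys/crypto/fips_enabled (the flag that fips-mode-setup --enable plus a reboot sets to 1 on RHEL) and that fips_mode appears as a plain "fips_mode: <value>" line under "redpanda:"; the FIPS_FLAG_FILE override and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example (not Redpanda's own tooling): a preflight check that compares
# the host's FIPS state with the fips_mode configured in redpanda.yaml, so a
# mismatch is caught before the broker logs an error and exits at startup.
#
# Assumptions: the kernel exposes its FIPS flag at /proc/sys/crypto/fips_enabled
# (set to 1 by fips-mode-setup --enable and a reboot on RHEL), and fips_mode
# appears as a plain "fips_mode: <value>" line under "redpanda:".
# FIPS_FLAG_FILE is a hypothetical override so the script can be exercised on
# a host that is not in FIPS mode.

# Succeed (status 0) only when the kernel reports FIPS mode on.
os_fips_enabled() {
    flag_file="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]
}

# Print the configured fips_mode from the given redpanda.yaml; an absent key
# means the default, "disabled".
config_fips_mode() {
    mode=$(sed -n 's/^[[:space:]]*fips_mode:[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${mode:-disabled}"
}

# Judge a configured mode ($1) against the OS state ($2: 1 = FIPS on, 0 = off).
# Exit status: 0 = fully compliant, 1 = the broker would refuse to start,
# 2 = the broker would start but not in full FIPS compliance.
check_mode() {
    case "$1" in
        enabled)
            if [ "$2" = "1" ]; then
                echo "ok: fips_mode=enabled on a FIPS-enabled host"
                return 0
            fi
            echo "mismatch: fips_mode=enabled but the OS is not in FIPS mode; Redpanda will log an error and exit"
            return 1 ;;
        permissive)
            echo "warning: fips_mode=permissive is for non-production use; OS-backed crypto (such as entropy) may not be compliant"
            return 2 ;;
        disabled)
            echo "not compliant: fips_mode=disabled (the default)"
            return 2 ;;
        *)
            echo "error: unknown fips_mode '$1' (expected disabled, enabled or permissive)"
            return 1 ;;
    esac
}

# Run the whole check for one config file and pass through check_mode's status.
preflight() {
    if os_fips_enabled; then os_state=1; else os_state=0; fi
    check_mode "$(config_fips_mode "$1")" "$os_state"
}

# Constructed sample configuration for a stand-alone run; it mirrors the
# settings shown earlier in the post and is not taken from a live broker.
tmpdir=$(mktemp -d)
cat > "$tmpdir/redpanda.yaml" <<'EOF'
redpanda:
  fips_mode: enabled
  openssl_config_file: /opt/redpanda/openssl/openssl.cnf
  openssl_module_directory: /opt/redpanda/lib/ossl-modules/
EOF
if preflight "$tmpdir/redpanda.yaml"; then status=0; else status=$?; fi
echo "preflight exit status: $status"
rm -rf "$tmpdir"
```

Run it as root on the broker host after the reboot from step 1 and before starting the Redpanda service; a status of 1 means the broker would exit on startup with the current combination, and a status of 2 means it would run without the full compliance a production deployment needs.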
Redpanda provides an Ansible Collection to automate installing and configuring Redpanda clusters, including updating the redpanda.yaml file. This collection can install a Redpanda cluster in FIPS mode, specifically for RHEL. It automatically pulls the FIPS-compliant Redpanda binaries for installation and provides Ansible variables to control the FIPS mode. By default the playbook installs in non-FIPS mode, but this can be overridden with the appropriate variable values when running it.
Here's how you can use Ansible and the deployment automation framework to install a FIPS-compliant Redpanda cluster:
1. Clone the deployment-automation repository.
git clone https://github.com/redpanda-data/deployment-automation.git
2. Install the required Ansible roles.
ansible-galaxy install -r requirements.yml
3. Configure a hosts file (either manually or automatically via Terraform).
4. Run the Ansible playbook to install and start Redpanda in FIPS mode.
ansible-playbook --private-key <your-private-key> -v ansible/playbooks/provision-cluster.yml -e "enable_fips=true" -e "fips_mode=enabled"
Once the Ansible playbook runs successfully, you will have a FIPS-compliant Redpanda cluster. It's that simple!
Conclusion
FIPS is crucial for securing data processing and encryption in government and regulated sectors. Compliance with FIPS 140-2 ensures security, meets regulatory requirements, and fosters trust, making it a vital consideration for sensitive data handling in various industries.
By integrating approved cryptographic standards and enhancing security protocols, Redpanda provides a robust and reliable platform for real-time data streaming, enforcing compliance immediately upon startup, and will only use FIPS-validated cryptographic modules for all security-related operations.
For more detailed information, check out these resources: