From 677474a2957d6aaaebac11a19e51715c66202d1b Mon Sep 17 00:00:00 2001 From: boruszak Date: Mon, 12 Jun 2023 11:05:28 -0700 Subject: [PATCH 01/15] Page + nav + formatting --- website/content/docs/enterprise/fips.mdx | 127 +++++++++++++++++++++++ website/data/docs-nav-data.json | 17 +-- 2 files changed, 138 insertions(+), 6 deletions(-) create mode 100644 website/content/docs/enterprise/fips.mdx diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx new file mode 100644 index 000000000000..4f8c5bf1a318 --- /dev/null +++ b/website/content/docs/enterprise/fips.mdx 
@@ -0,0 +1,127 @@ +--- +layout: docs +page_title: FIPS 140-2 +description: >- + A version of Consul compliant with FIPS 140-2 is available to Enterprise users. Learn about where to find FIPS-compliant versions of Consul, as well as usage restrictions and technical details. +--- + +# FIPS 140-2 + + This feature requires Consul Enterprise. + +Builds of Consul Enterprise marked with a `fips1402` feature name include built-in support for FIPS 140-2 compliance. + +To use this feature, you must have an active or trial [license for Consul Enterprise](/consul/docs/enterprise/license/overview). To start a trial, contact HashiCorp sales. + +## Using FIPS 140-2 Consul Enterprise + +FIPS 140-2 versions of Consul Enterprise behave like non-FIPS versions of Consul. No restrictions are placed on algorithms and it is up to the operator to ensure Consul remains in a FIPS-compliant mode of operation. Maintaining FIPS-compliant operation requires configuring some settings such as [ensuring TLS is enabled to require encrypted communication](consul/tutorials/security/tls-encryption-secure). Consul products surface some helpful warnings where settings are insecure. + +Because Consul Enterprise’s default settings may transmit sensitive control plane information without encryption, it is especially important to ensure that all agents have gossip encryption and mTLS enabled when running Consul with FIPS-compliant settings. In addition, be aware that TLSv1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive. +HashiCorp is limited to providing general guidance regarding using Consul Enterprise in a FIPS-compliant manner. We are not a NIST-certified testing laboratory and thus organizations may need to consult an approved auditor for further information. 
+ +The FIPS 140-2 variant of Consul uses separate binaries that are available available from the following sources: + +- From the [Hashicorp Releases page](https://releases.hashicorp.com/consul), releases ending with the `+ent.fips1402` suffix. +- From the [Docker Hub `hashicorp/consul-enterprise-fips`](https://hub.docker.com/r/hashicorp/consul-enterprise-fips) container repository. +- From the [AWS ECR `hashicorp/consul-enterprise-fips`](https://gallery.ecr.aws/hashicorp/consul-enterprise-fips) container repository. +- From the [Red Hat Access `hashicorp/consul-enterprise-fips`](https://catalog.redhat.com/software/containers/hashicorp/consul-enterprise-fips/628d50e37ff70c66a88517ea) container repository. + +The above naming conventions, which append `.fips1402` to binary names and tags, and `-fips` to registry names, also apply to `consul-k8s`, `consul-dataplane`, and `consul-ecs`, which are packaged separately from Consul Enterprise. + +### Usage restrictions + +When using Consul Enterprise with FIPS 140-2, be aware of the following operation restrictions: + +#### Migration restrictions + +Hashicorp does not support in-place migrations from non-FIPS versions of Consul to FIPS versions of Consul, regardless of version. A fresh cluster installation is required to support FIPPS 140-2. It is not possible to upgrade directly. + +#### TLS restrictions +Consul Enterprise's FIPS modifications include restrictions to supported TLS cipher suites and key information. Only the following cipher suites are allowed: + +- `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` +- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` +- `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` +- `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` +- `TLS_RSA_WITH_AES_128_GCM_SHA256` +- `TLS_RSA_WITH_AES_256_GCM_SHA384` + +In addition, only the following key types are allowed in TLS chains of trust: + +- RSA 2048, 3072, and 4096-bit +- ECDSA P-256, P-384, and P-521 + +Finally, only TLSv1.2 is supported in FIPS mode. 
These settings are in line with recent NIST guidance and FIPS requirements. + +#### Heterogeneous cluster deployments + +Hashicorp does not support mixed deployment scenarios within the same Consul cluster. An example of an unsupported deployment scenario is one that mixes FIPS and non-FIPS Consul binary versions. Nodes across the entire cluster must use a single binary or deployment type. + +Running a heterogeneous cluster is not permitted by FIPS, as components of the system are not compliant with FIPS. Attempts to join non-FIPS and FIPS nodes or servers may fail. + +### Envoy + +To enable users to deploy a FIPS compliant service mesh with Consul, HashiCorp provides FIPS compliant versions of Envoy available for download. Contact Hashicorp sales for more information. + +## Deployment prerequisites + +Depending on your Consul runtime, there are additional requirements for using FIPS 140-2. + +### VMs + +If using Consul on VMs, you must use a FIPS compliant version of Envoy. Contact Hashicorp sales to learn how to obtain a FIPS compliant version of Envoy. + +### Consul-k8s and Helm + +When deploying the FIPS versions of Consul on Kubernetes using consul-k8s or Helm, you must ensure that the Helm chart is updated to use FIPS versions of Consul Enterprise, Consul Dataplane, and Envoy images. + +### ECS + +[TODO] + +## Technical details + +Consul's FIPS 140-2 Linux products use the BoringCrypto integration in the official Go 1.20+ toolchain, which include a FIPS-validated crypto module. + +Consul's FIPS 140-2 products on Windows use the CNGCrypto integration in Microsoft's Go toolchain, which include a FIPS-validated crypto module. + +To ensure your version of Consul Enterprise includes FIPS support, confirm that a line with `FIPS: Enabled` appears when you run a version command. 
For example, the following message appears for Linux users + +```shell-session +FIPS: FIPS 140-2 Enabled, crypto module boringcrypto +``` + +The following message appears for Windows users: + +```shell-session +FIPS: FIPS 140-2 Enabled, crypto module cngcrypto +``` + +FIPS 140-2 Linux binaries depend on cgo, which require that a GNU C Library (glibc) Linux distribution be used to run Consul. Refer to [instructions for Windows FIPS mode](https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md#windows-fips-mode-cng) for more information on running CNGCrypto-enabled Go binaries in FIPS mode. + +The NIST Cryptographic Module Validation Program certifications and accompanying security policies for BoringCrypto and CNG are available through the following external links: + +- [BoringCrypto](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407) +- [CNG](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4515) + +### Validating FIPS crypto modules + +To validate that a FIPS 140-2 Linux binary correctly includes BoringCrypto, run `go tool nm` on the binary to get a symbol dump. On FIPS-enabled builds, many results appear, as in the following example: + +```shell-session +$ go tool nm consul | grep -i goboringcrypto + 4014d0 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_cbc_encrypt + 4014f0 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_ctr128_encrypt + 401520 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_decrypt + 401540 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_encrypt + 401560 T _cgo_6880f0fbb71e_Cfunc__goboringcrypto_AES_set_decrypt_key +``` + +Similarly, on a FIPS Windows binary, run `go tool nm` on the binary to get a symbol dump, and then search for `go-crypto-winnative`. + +On both Linux and Windows non-FIPS builds, the search output yields no results. 
+ +### Leidos compliance + +As of the release of Consul v1.16, a compliance letter from Leidos is available for FIPS Consul products using the Boring Crypto and Microsoft CNG libraries. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index edd16a4eb86f..0e184946d0b7 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -506,7 +506,7 @@ { "title": "Delegate authorization to external services", "path": "connect/proxies/envoy-extensions/usage/ext-authz" - }, + }, { "title": "Run Lua scripts in Envoy proxies", "path": "connect/proxies/envoy-extensions/usage/lua" @@ -522,7 +522,8 @@ { "title": "Run WebAssembly plug-ins in Envoy proxies", "path": "connect/proxies/envoy-extensions/usage/wasm" - } ] + } + ] }, { "title": "Configuration", @@ -530,16 +531,16 @@ { "title": "External authorization", "path": "connect/proxies/envoy-extensions/configuration/ext-authz" - }, + }, { "title": "Property override", "path": "connect/proxies/envoy-extensions/configuration/property-override" - }, + }, { "title": "WebAssembly", "path": "connect/proxies/envoy-extensions/configuration/wasm" } - ] + ] } ] }, @@ -1016,7 +1017,7 @@ { "title": "Limit traffic rates from source IP addresses", "path": "agent/limits/usage/limit-request-rates-from-ips" - } + } ] }, { @@ -1612,6 +1613,10 @@ "title": "Enhanced Read Scalability", "path": "enterprise/read-scale" }, + { + "title": "FIPS", + "path": "enterprise/fips" + }, { "title": "Single sign-on - OIDC", "href": "/docs/security/acl/auth-methods/oidc" From 6a660bee741dc9138503cc869aa330edc9a7f1a9 Mon Sep 17 00:00:00 2001 From: boruszak Date: Mon, 12 Jun 2023 11:08:17 -0700 Subject: [PATCH 02/15] link fix --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index 4f8c5bf1a318..302b86d23fb1 100644 --- a/website/content/docs/enterprise/fips.mdx 
+++ b/website/content/docs/enterprise/fips.mdx @@ -11,7 +11,7 @@ description: >- Builds of Consul Enterprise marked with a `fips1402` feature name include built-in support for FIPS 140-2 compliance. -To use this feature, you must have an active or trial [license for Consul Enterprise](/consul/docs/enterprise/license/overview). To start a trial, contact HashiCorp sales. +To use this feature, you must have an [active or trial license for Consul Enterprise](/consul/docs/enterprise/license/overview). To start a trial, contact HashiCorp sales. ## Using FIPS 140-2 Consul Enterprise From 75f11ad2fa1cda4071d47b8b4c35872ece60a0cf Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:17:29 -0700 Subject: [PATCH 03/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index 302b86d23fb1..afa2b0271978 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx @@ -7,7 +7,12 @@ description: >- # FIPS 140-2 - This feature requires Consul Enterprise. + + + +This feature requires requires Consul Enterprise. + + Builds of Consul Enterprise marked with a `fips1402` feature name include built-in support for FIPS 140-2 compliance. From cbd615fd214e6045545f4cd90b73fe261140311d Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:17:48 -0700 Subject: [PATCH 04/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index afa2b0271978..c012dc08a2d2 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx @@ -20,7 +20,7 @@ To use this feature, you must have an [active or trial license for Consul Enterp ## Using FIPS 140-2 Consul Enterprise -FIPS 140-2 versions of Consul Enterprise behave like non-FIPS versions of Consul. No restrictions are placed on algorithms and it is up to the operator to ensure Consul remains in a FIPS-compliant mode of operation. Maintaining FIPS-compliant operation requires configuring some settings such as [ensuring TLS is enabled to require encrypted communication](consul/tutorials/security/tls-encryption-secure). Consul products surface some helpful warnings where settings are insecure. +FIPS 140-2 builds of Consul Enterprise behave in the same way as non-FIPS builds. There are no restrictions on Consul algorithms and ensuring that Consul remains in a FIPS-compliant mode of operation is your responsibility. To maintain FIPS-compliant operation, you must [ensure that TLS is enabled](consul/tutorials/security/tls-encryption-secure) so that communication is encrypted. Consul products surface some helpful warnings where settings are insecure. Because Consul Enterprise’s default settings may transmit sensitive control plane information without encryption, it is especially important to ensure that all agents have gossip encryption and mTLS enabled when running Consul with FIPS-compliant settings. In addition, be aware that TLSv1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive. HashiCorp is limited to providing general guidance regarding using Consul Enterprise in a FIPS-compliant manner. We are not a NIST-certified testing laboratory and thus organizations may need to consult an approved auditor for further information. From cd9e5886e26371836456a6225d970977e45bc8c6 Mon Sep 17 00:00:00 2001 
From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:18:06 -0700 Subject: [PATCH 05/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index c012dc08a2d2..5926a33b5b13 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx 
@@ -22,7 +22,7 @@ To use this feature, you must have an [active or trial license for Consul Enterp FIPS 140-2 builds of Consul Enterprise behave in the same way as non-FIPS builds. There are no restrictions on Consul algorithms and ensuring that Consul remains in a FIPS-compliant mode of operation is your responsibility. To maintain FIPS-compliant operation, you must [ensure that TLS is enabled](consul/tutorials/security/tls-encryption-secure) so that communication is encrypted. Consul products surface some helpful warnings where settings are insecure. -Because Consul Enterprise’s default settings may transmit sensitive control plane information without encryption, it is especially important to ensure that all agents have gossip encryption and mTLS enabled when running Consul with FIPS-compliant settings. In addition, be aware that TLSv1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive. +Encryption is disabled in Consul Enterprise by default. As a result, Consul may transmit sensitive control plane information. You must ensure that gossip encryption and mTLS is enabled for all agents when running Consul with FIPS-compliant settings. In addition, be aware that TLSv1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive. HashiCorp is limited to providing general guidance regarding using Consul Enterprise in a FIPS-compliant manner. We are not a NIST-certified testing laboratory and thus organizations may need to consult an approved auditor for further information. The FIPS 140-2 variant of Consul uses separate binaries that are available available from the following sources: From 306768706c8857c6cd8dde63d3a5e75375a53b95 Mon Sep 17 00:00:00 2001 
From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:18:31 -0700 Subject: [PATCH 06/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index 5926a33b5b13..014bbf182083 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx 
@@ -23,7 +23,7 @@ To use this feature, you must have an [active or trial license for Consul Enterp FIPS 140-2 builds of Consul Enterprise behave in the same way as non-FIPS builds. There are no restrictions on Consul algorithms and ensuring that Consul remains in a FIPS-compliant mode of operation is your responsibility. To maintain FIPS-compliant operation, you must [ensure that TLS is enabled](consul/tutorials/security/tls-encryption-secure) so that communication is encrypted. Consul products surface some helpful warnings where settings are insecure. Encryption is disabled in Consul Enterprise by default. As a result, Consul may transmit sensitive control plane information. You must ensure that gossip encryption and mTLS is enabled for all agents when running Consul with FIPS-compliant settings. In addition, be aware that TLSv1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive. -HashiCorp is limited to providing general guidance regarding using Consul Enterprise in a FIPS-compliant manner. We are not a NIST-certified testing laboratory and thus organizations may need to consult an approved auditor for further information. +HashiCorp is not a NIST-certified testing laboratory and can only provide general guidance about using Consul Enterprise in a FIPS-compliant manner. We recommend consulting an approved auditor for further information. The FIPS 140-2 variant of Consul uses separate binaries that are available available from the following sources: From d0a7c19431815d198b7cbb2a8a17dda1f0363c1e Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:18:42 -0700 Subject: [PATCH 07/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index 014bbf182083..c72bda3f672c 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx @@ -61,7 +61,7 @@ Finally, only TLSv1.2 is supported in FIPS mode. These settings are in line with #### Heterogeneous cluster deployments -Hashicorp does not support mixed deployment scenarios within the same Consul cluster. An example of an unsupported deployment scenario is one that mixes FIPS and non-FIPS Consul binary versions. Nodes across the entire cluster must use a single binary or deployment type. +We do not support mixed deployment scenarios within the same Consul cluster. An example of an unsupported deployment scenario is one that mixes FIPS and non-FIPS Consul binaries. Nodes across the entire cluster must use a single binary or deployment type. Running a heterogeneous cluster is not permitted by FIPS, as components of the system are not compliant with FIPS. Attempts to join non-FIPS and FIPS nodes or servers may fail. From 30db9cbefa392f40c80b2067536d147fd22fd498 Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:18:54 -0700 Subject: [PATCH 08/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index c72bda3f672c..0c9b47d6a8c4 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx 
@@ -27,7 +27,7 @@ HashiCorp is not a NIST-certified testing laboratory and can only provide genera The FIPS 140-2 variant of Consul uses separate binaries that are available available from the following sources: -- From the [Hashicorp Releases page](https://releases.hashicorp.com/consul), releases ending with the `+ent.fips1402` suffix. +- From the [HashiCorp Releases page](https://releases.hashicorp.com/consul), releases ending with the `+ent.fips1402` suffix. - From the [Docker Hub `hashicorp/consul-enterprise-fips`](https://hub.docker.com/r/hashicorp/consul-enterprise-fips) container repository. - From the [AWS ECR `hashicorp/consul-enterprise-fips`](https://gallery.ecr.aws/hashicorp/consul-enterprise-fips) container repository. - From the [Red Hat Access `hashicorp/consul-enterprise-fips`](https://catalog.redhat.com/software/containers/hashicorp/consul-enterprise-fips/628d50e37ff70c66a88517ea) container repository. From 129e8d7639bf89d71e91858d3e4cdf8832b4be9b Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:19:09 -0700 Subject: [PATCH 09/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index 0c9b47d6a8c4..f53a6bc229fc 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx 
@@ -91,7 +91,7 @@ Consul's FIPS 140-2 Linux products use the BoringCrypto integration in the offic Consul's FIPS 140-2 products on Windows use the CNGCrypto integration in Microsoft's Go toolchain, which include a FIPS-validated crypto module. -To ensure your version of Consul Enterprise includes FIPS support, confirm that a line with `FIPS: Enabled` appears when you run a version command. For example, the following message appears for Linux users +To ensure your build of Consul Enterprise includes FIPS support, confirm that a line with `FIPS: Enabled` appears when you run a `version` command. For example, the following message appears for Linux users ```shell-session FIPS: FIPS 140-2 Enabled, crypto module boringcrypto From c9a3e1f059bc798744ceab4dd2ff08d47e9a601f Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:19:28 -0700 Subject: [PATCH 10/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index f53a6bc229fc..85c0c5708699 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx 
@@ -40,7 +40,7 @@ When using Consul Enterprise with FIPS 140-2, be aware of the following operatio #### Migration restrictions -Hashicorp does not support in-place migrations from non-FIPS versions of Consul to FIPS versions of Consul, regardless of version. A fresh cluster installation is required to support FIPPS 140-2. It is not possible to upgrade directly. +We do not support in-place migrations from non-FIPS builds of Consul to FIPS builds of Consul, regardless of version. A fresh cluster installation is required to support FIPS 140-2. You cannot upgrade directly to a FIPS-compliant build. #### TLS restrictions Consul Enterprise's FIPS modifications include restrictions to supported TLS cipher suites and key information. Only the following cipher suites are allowed: From fa5655cb0a2a3bef22e58f728af1e9376f8bbdd1 Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:19:48 -0700 Subject: [PATCH 11/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index 85c0c5708699..d7e01fc42367 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx @@ -79,7 +79,7 @@ If using Consul on VMs, you must use a FIPS compliant version of Envoy. Contact ### Consul-k8s and Helm -When deploying the FIPS versions of Consul on Kubernetes using consul-k8s or Helm, you must ensure that the Helm chart is updated to use FIPS versions of Consul Enterprise, Consul Dataplane, and Envoy images. +When deploying the FIPS builds of Consul on Kubernetes using `consul-k8s` or Helm, you must ensure that the Helm chart is updated to use FIPS builds of Consul Enterprise, Consul Dataplane, and Envoy images. ### ECS 
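Review bot: the rewritten line under `### Consul-k8s and Helm` tells the reader to make sure "the Helm chart is updated to use FIPS builds" but never says which chart values select those images, so the instruction cannot be acted on from this page alone. Name the values that set the Consul Enterprise, consul-k8s control-plane and consul-dataplane images and show one of them with the `-fips` registry and `.fips1402` tag form that the naming-convention paragraph introduces, and list `consul-k8s-control-plane` here as well, since it is one of the separately packaged components the same page says follows that convention.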
From 0a6d84d71cc4c1b06c2fc227e0333dcd6fb5ebbc Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:19:59 -0700 Subject: [PATCH 12/15] Update website/content/docs/enterprise/fips.mdx Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index d7e01fc42367..a028fc405af1 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx @@ -75,7 +75,7 @@ Depending on your Consul runtime, there are additional requirements for using FI ### VMs -If using Consul on VMs, you must use a FIPS compliant version of Envoy. Contact Hashicorp sales to learn how to obtain a FIPS compliant version of Envoy. +If using Consul on VMs, you must use a FIPS compliant version of Envoy. Contact HashiCorp sales to learn how to obtain a FIPS compliant version of Envoy. ### Consul-k8s and Helm From 3121896b9b4b7a991e71a03be99309e466c9d748 Mon Sep 17 00:00:00 2001 From: boruszak Date: Mon, 12 Jun 2023 14:23:17 -0700 Subject: [PATCH 13/15] link fix --- website/content/docs/enterprise/fips.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index a028fc405af1..844918bbf405 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx @@ -7,7 +7,6 @@ description: >- # FIPS 140-2 - This feature requires requires Consul Enterprise. 
@@ -20,7 +19,7 @@ To use this feature, you must have an [active or trial license for Consul Enterp ## Using FIPS 140-2 Consul Enterprise -FIPS 140-2 builds of Consul Enterprise behave in the same way as non-FIPS builds. There are no restrictions on Consul algorithms and ensuring that Consul remains in a FIPS-compliant mode of operation is your responsibility. To maintain FIPS-compliant operation, you must [ensure that TLS is enabled](consul/tutorials/security/tls-encryption-secure) so that communication is encrypted. Consul products surface some helpful warnings where settings are insecure. +FIPS 140-2 builds of Consul Enterprise behave in the same way as non-FIPS builds. There are no restrictions on Consul algorithms and ensuring that Consul remains in a FIPS-compliant mode of operation is your responsibility. To maintain FIPS-compliant operation, you must [ensure that TLS is enabled](/consul/tutorials/security/tls-encryption-secure) so that communication is encrypted. Consul products surface some helpful warnings where settings are insecure. Encryption is disabled in Consul Enterprise by default. As a result, Consul may transmit sensitive control plane information. You must ensure that gossip encryption and mTLS is enabled for all agents when running Consul with FIPS-compliant settings. In addition, be aware that TLSv1.3 does not work with FIPS 140-2, as HKDF is not a certified primitive. HashiCorp is not a NIST-certified testing laboratory and can only provide general guidance about using Consul Enterprise in a FIPS-compliant manner. We recommend consulting an approved auditor for further information. From 7551d5dca351f044a8c91ff4307c2c89995ab0ff Mon Sep 17 00:00:00 2001 
From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 16:24:15 -0700 Subject: [PATCH 14/15] Apply suggestions from code review Co-authored-by: Jeff Apple <79924108+Jeff-Apple@users.noreply.github.com> --- website/content/docs/enterprise/fips.mdx | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index 844918bbf405..6a8d69157c5a 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx @@ -31,7 +31,7 @@ The FIPS 140-2 variant of Consul uses separate binaries that are available avail - From the [AWS ECR `hashicorp/consul-enterprise-fips`](https://gallery.ecr.aws/hashicorp/consul-enterprise-fips) container repository. - From the [Red Hat Access `hashicorp/consul-enterprise-fips`](https://catalog.redhat.com/software/containers/hashicorp/consul-enterprise-fips/628d50e37ff70c66a88517ea) container repository. -The above naming conventions, which append `.fips1402` to binary names and tags, and `-fips` to registry names, also apply to `consul-k8s`, `consul-dataplane`, and `consul-ecs`, which are packaged separately from Consul Enterprise. +The above naming conventions, which append `.fips1402` to binary names and tags, and `-fips` to registry names, also apply to `consul-k8s`, `consul-k8s-control-plane`, `consul-dataplane`, and `consul-ecs`, which are packaged separately from Consul Enterprise. ### Usage restrictions 
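Review bot: adding `consul-k8s-control-plane` to the naming-convention sentence makes it cover four separately packaged components, but the only concrete example on the page is the `+ent.fips1402` release suffix for the Consul binary, so a reader still has to guess whether an image tag uses `.fips1402` or `+ent.fips1402` and whether the `-fips` registry suffix applies to all four. Give one example tag per distribution channel (release archive, Docker Hub, ECR, Red Hat) or at least state which suffix applies to archives versus image tags. The hunk's context line still reads "available available"; drop the duplicate.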
@@ -80,10 +80,6 @@ If using Consul on VMs, you must use a FIPS compliant version of Envoy. Contact When deploying the FIPS builds of Consul on Kubernetes using `consul-k8s` or Helm, you must ensure that the Helm chart is updated to use FIPS builds of Consul Enterprise, Consul Dataplane, and Envoy images. -### ECS - -[TODO] - ## Technical details Consul's FIPS 140-2 Linux products use the BoringCrypto integration in the official Go 1.20+ toolchain, which include a FIPS-validated crypto module. @@ -126,6 +122,7 @@ Similarly, on a FIPS Windows binary, run `go tool nm` on the binary to get a sym On both Linux and Windows non-FIPS builds, the search output yields no results. -### Leidos compliance +### Compliance Validation + +A Lab, authorized by the U.S. Government to certify FIPS 140-2 compliance, is in the process of verifying that Consul Enterprise and it's related packages are compliant with the requirements of FIPS 140-2 Level 1. -As of the release of Consul v1.16, a compliance letter from Leidos is available for FIPS Consul products using the Boring Crypto and Microsoft CNG libraries. From 39a3e62ae19cb6b6d813a5b7d82b99525756da93 Mon Sep 17 00:00:00 2001 From: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Date: Mon, 12 Jun 2023 16:24:37 -0700 Subject: [PATCH 15/15] Update website/content/docs/enterprise/fips.mdx --- website/content/docs/enterprise/fips.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/enterprise/fips.mdx b/website/content/docs/enterprise/fips.mdx index 6a8d69157c5a..bde0a154b15a 100644 --- a/website/content/docs/enterprise/fips.mdx +++ b/website/content/docs/enterprise/fips.mdx 
@@ -124,5 +124,5 @@ On both Linux and Windows non-FIPS builds, the search output yields no results. ### Compliance Validation -A Lab, authorized by the U.S. Government to certify FIPS 140-2 compliance, is in the process of verifying that Consul Enterprise and it's related packages are compliant with the requirements of FIPS 140-2 Level 1. +A Lab, authorized by the U.S. Government to certify FIPS 140-2 compliance, is in the process of verifying that Consul Enterprise and its related packages are compliant with the requirements of FIPS 140-2 Level 1.
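Review bot: in the new `fips.mdx` hunk of patch 01, the `#### TLS restrictions` list includes `TLS_RSA_WITH_AES_128_GCM_SHA256` and `TLS_RSA_WITH_AES_256_GCM_SHA384`, which use static RSA key transport and therefore provide no forward secrecy, yet the page presents all six suites as equally acceptable and then says the settings are "in line with recent NIST guidance". State which suites offer forward secrecy and recommend the four ECDHE suites, pointing operators at the agent TLS cipher-suite setting so they can exclude the RSA-transport ones. Two smaller points in the same hunk: the `### Validating FIPS crypto modules` check (`go tool nm consul | grep -i goboringcrypto`) only shows that the BoringCrypto object was linked into the binary, not that the running process is operating in FIPS mode (on Windows that additionally depends on the Windows FIPS mode setup the linked Microsoft README describes), so say what the symbol dump does and does not establish; and the `shell-session` blocks under `## Technical details` show the `FIPS:` output line without the command that produces it, so add the `consul version` invocation above it.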
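Review bot: the four `docs-nav-data.json` hunks in patch 01 at `-506`, `-522`, `-530` and `-1016` are whitespace-only changes (trailing spaces after `},` and `]`) to entries unrelated to this page; they are fine to land but they bury the one real nav change, so consider moving them to a separate formatting commit, as the subject "Page + nav + formatting" already hints.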
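Review bot: the `-1612` hunk of patch 01 adds the sidebar entry with `"title": "FIPS"` while the page's `page_title` is `FIPS 140-2`; the neighbouring entries use the full feature name (`Enhanced Read Scalability`, `Single sign-on - OIDC`), so use `FIPS 140-2` here too so that the sidebar and the page heading match.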
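Review bot: patch 03's hunk introduces "This feature requires requires Consul Enterprise." with a duplicated "requires", and as far as the later hunk in patch 13 that touches these lines shows, the duplicate survives to the final page; drop one "requires".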
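Review bot: in patch 04's hunk the new sentence "There are no restrictions on Consul algorithms" contradicts the `#### TLS restrictions` section of the same page, which says only six cipher suites, three RSA and three ECDSA key sizes, and TLSv1.2 are allowed in FIPS mode. Reword it to say that the FIPS build does not change Consul's features or configuration surface, but that the validated crypto module restricts which TLS algorithms can be negotiated, and keep the sentence that compliant operation remains the operator's responsibility.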
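Review bot: in patch 05's hunk, "gossip encryption and mTLS is enabled" should read "are enabled", and "Encryption is disabled in Consul Enterprise by default" would be more useful if it named the settings that turn it on, such as the `encrypt` gossip key and the `verify_incoming` and `verify_outgoing` TLS options, since the tutorial link in the preceding paragraph covers only TLS.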
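Review bot: in patch 09's hunk the rewritten sentence tells the reader to look for a line containing `FIPS: Enabled`, but the example output directly below is `FIPS: FIPS 140-2 Enabled, crypto module boringcrypto`, which does not contain that substring, so anyone scripting a check with `grep 'FIPS: Enabled'` would get no match. Quote the prefix the output actually carries (`FIPS: FIPS 140-2 Enabled`) and put the `consul version` command in the fenced block so it is clear which `version` command is meant.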
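Review bot: the second hunk of patch 14 deletes the `### ECS` / `[TODO]` section, but the first hunk of the same patch keeps `consul-ecs` in the list of separately packaged FIPS components, so ECS users now get no deployment prerequisite while VMs and Kubernetes each do; add a one-line ECS prerequisite (which image and tag to use) or say where ECS is covered. The replacement `### Compliance Validation` paragraph also swaps a concrete statement (a Leidos letter available as of v1.16) for an unnamed lab and an undated "is in the process of"; add a date and a pointer to where the result will be published so the claim can be aged and checked.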
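Review bot: patch 15's hunk fixes "it's" to "its" but leaves "A Lab, authorized by the U.S. Government to certify FIPS 140-2 compliance", which is inaccurate in two ways: testing laboratories are accredited, and the validation certificate is issued by the CMVP rather than by the lab. Lower-case "lab", describe it as an accredited CMVP testing laboratory, and name it once it agrees, as the earlier wording of this section did.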