Working with Distributed Issuer and FIPS

Distributed Issuer images are available in both standard and FIPS formats.

  • Use standard (non-FIPS) images if performance is a key factor for you, or you need access to newer cryptographic algorithms. If you don't have regulatory compliance needs, a standard image may be the better choice.
  • Use FIPS images if you need to meet regulatory compliance requirements, particularly for government agencies and contractors and for the finance and health sectors. FIPS mode protects data, both at rest and in transit, with validated cryptographic algorithms and implementations.

Federal Information Processing Standards (FIPS) mode makes Distributed Issuer use the system's cryptographic libraries. In the Distributed Issuer FIPS container images, these cryptographic libraries are FIPS 140-2 validated.

Important

Not all cryptographic algorithms are FIPS-validated. Distributed Issuer automatically disables non-FIPS algorithms for TLS-served API endpoints, including REST and gRPC. Algorithms permitted for certificate issuance are configured in the control plane. To ensure Distributed Issuer uses only approved algorithms, enforce your corporate security policies to restrict non-compliant key types and signing algorithms.

Important

The FIPS cryptographic libraries included in our Distributed Issuer FIPS container images require your underlying platform to operate in FIPS mode. When running on Kubernetes and OpenShift, this means that all worker nodes must also run in FIPS mode. For more information, see Running Kubernetes and OpenShift in FIPS mode.

For information on FIPS mode on the major cloud platforms, see Running Kubernetes and OpenShift in FIPS mode.

Running Kubernetes and OpenShift in FIPS mode

Confirming Kubernetes and OpenShift are running in FIPS mode

For each node in your cluster, you can confirm it is running in FIPS mode by reading the kernel's FIPS flag (/proc/sys/crypto/fips_enabled) from the host, replacing <node_name> with the node's name:

kubectl debug -it node/<node_name> --image=ubuntu -- chroot /host cat /proc/sys/crypto/fips_enabled

Expected output:

1
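Because the requirement applies to every worker node, checking one node at a time does not scale. The following script is an added example, not part of the product documentation: it runs the same check across all nodes and reports any node whose flag is not exactly 1. It assumes kubectl is already configured against the target cluster; node names and flag values are read live from it.

```shell
#!/bin/sh
# Added example (not part of the product documentation): audit every node in
# the cluster for the kernel FIPS flag instead of checking one node at a time.
# Assumes kubectl is configured against the target cluster.

# Decide whether one raw value of /proc/sys/crypto/fips_enabled means FIPS
# mode. Only an exact "1" passes; "0", garbage or empty output (for example
# from a debug pod that failed to start) all count as non-compliant.
fips_flag_ok() {
    flag=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$flag" = "1" ]
}

# Read "node flag" pairs from stdin, print a verdict per node and return
# non-zero if any node is not in FIPS mode. Kept separate from the collection
# step so it can also be run on saved or constructed data.
report_fips() {
    failed=0
    while read -r node flag; do
        if fips_flag_ok "$flag"; then
            echo "OK       $node"
        else
            echo "NOT FIPS $node (flag='$flag')"
            failed=1
        fi
    done
    return "$failed"
}

# Collect the flag from one node with an ephemeral debug pod, the same command
# the documentation uses; -t is dropped because there is no terminal here.
node_fips_flag() {
    kubectl debug -i "node/$1" --image=ubuntu -- \
        chroot /host cat /proc/sys/crypto/fips_enabled 2>/dev/null
}

# Emit one "node flag" line for every node in the cluster.
collect_fips_flags() {
    for node in $(kubectl get nodes -o name | sed 's#^node/##'); do
        printf '%s %s\n' "$node" "$(node_fips_flag "$node")"
    done
}

# Only contact the cluster when invoked as: sh fips-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    collect_fips_flags | report_fips
fi
```

The script exits non-zero when any node fails the check, so it can gate a deployment pipeline before Distributed Issuer instances are rolled out.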

Enforcing FIPS mode on Distributed Issuer instances

To ensure that all Distributed Issuer instances run in FIPS mode in Next-Gen Trust Security:

  1. Sign into Next-Gen Trust Security.
  2. Click Configurations > Issuer Configurations and select an issuer configuration.
  3. In the side panel, select Require Issuer instances to be FIPS compliant.