# Enabling FIPS Mode on RLC Pro Hardened
This guide describes how to enable FIPS (Federal Information Processing Standards) mode on RLC Pro Hardened. FIPS mode configures the system to use only FIPS 140-validated cryptographic algorithms and modules, which is often a requirement for US federal government systems.
For regulated environments (e.g., DISA STIG), FIPS mode should be enabled at install time.
In these environments, the system must always operate in FIPS mode. Use a kickstart configuration that enables the CIQ FIPS repositories and sets fips=1 as a kernel parameter during installation. This ensures the CIQ-validated FIPS modules are used from the start rather than the upstream Rocky Linux modules.
Enabling FIPS mode on an existing system is possible using the steps below, but may break existing applications or cryptographic keys that depend on non-FIPS algorithms. A full backup is strongly recommended before proceeding.
## Prerequisites

- Root Access: You must have root or sudo privileges.
- Updated System: Ensure your system and kernels are fully updated.

  ```bash
  dnf update -y
  ```

- FIPS Modules: The FIPS cryptographic modules are available in the CIQ FIPS repositories but are not all installed by default. Ensure the CIQ FIPS repositories are enabled and the `dracut-fips` package is installed (usually pulled in by `fips-mode-setup`).
## Enabling FIPS Mode

Use the `fips-mode-setup` utility to enable FIPS mode.

- Check current status:

  ```bash
  fips-mode-setup --check
  ```

  Expected output:

  ```
  FIPS mode is disabled.
  ```

- Enable FIPS mode:

  ```bash
  fips-mode-setup --enable
  ```

  Note: This command regenerates the initial RAM disk (initramfs) for the kernel, which may take several minutes.

- Reboot the system: Once the command completes successfully, reboot the system to boot into FIPS mode.

  ```bash
  reboot
  ```
## Verification

After the system reboots, perform the following checks to confirm FIPS mode is active.

- Check with utility:

  ```bash
  fips-mode-setup --check
  ```

  Expected output:

  ```
  FIPS mode is enabled.
  ```

- Check via kernel parameter:

  ```bash
  cat /proc/sys/crypto/fips_enabled
  ```

  Expected output:

  ```
  1
  ```

- Check kernel command line: Ensure `fips=1` is present in the boot command line.

  ```bash
  cat /proc/cmdline | grep fips
  ```
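The three checks above should agree with each other: a `1` in `/proc/sys/crypto/fips_enabled` without `fips=1` on the command line (or the reverse) usually means the initramfs or boot entry was not regenerated, and a crypto policy other than `FIPS` means userspace libraries may still negotiate non-approved algorithms even though the kernel flag is set. The following POSIX shell script is an added example, not part of this guide or of the RLC Pro Hardened tooling. It wraps the checks in functions that take their inputs as arguments, so the logic can be exercised against constructed values; the `FIPS_CHECK_LIVE` variable and the `live_check` function are this example's own names, and `live_check` assumes `update-crypto-policies --show` (from the crypto-policies package) is available.

```bash
#!/bin/sh
# Added example (not from the RLC Pro Hardened docs): confirm that the kernel
# FIPS flag, the kernel command line and the system-wide crypto policy agree.

# fips_sysctl_state VALUE -> prints enabled / disabled / unknown for the
# contents of /proc/sys/crypto/fips_enabled.
fips_sysctl_state() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# cmdline_has_fips "CMDLINE" -> returns 0 only if fips=1 is a whole token
# (a plain grep for "fips" would also match e.g. fips=0 or a path name).
cmdline_has_fips() {
    for tok in $1; do
        [ "$tok" = "fips=1" ] && return 0
    done
    return 1
}

# fips_consistency SYSCTL_VALUE "CMDLINE" POLICY -> prints one PASS/FAIL/WARN
# line per check and returns non-zero if any check did not pass.
fips_consistency() {
    fc_sysctl=$1; fc_cmdline=$2; fc_policy=$3; fc_rc=0
    if [ "$(fips_sysctl_state "$fc_sysctl")" = enabled ]; then
        echo "Kernel FIPS flag: [PASS] (fips_enabled=$fc_sysctl)"
    else
        echo "Kernel FIPS flag: [FAIL] (fips_enabled=$fc_sysctl)"; fc_rc=1
    fi
    if cmdline_has_fips "$fc_cmdline"; then
        echo "Kernel command line: [PASS] (fips=1 present)"
    else
        echo "Kernel command line: [FAIL] (fips=1 missing; was the initramfs/boot entry regenerated?)"; fc_rc=1
    fi
    # update-crypto-policies --show prints FIPS or a FIPS subpolicy such as FIPS:OSPP.
    case "$fc_policy" in
        FIPS|FIPS:*) echo "Crypto policy: [PASS] (Current Policy: $fc_policy)" ;;
        *) echo "Crypto policy: [WARN] (Current Policy: $fc_policy - Expected: FIPS)"; fc_rc=1 ;;
    esac
    return $fc_rc
}

# live_check feeds the real system values into fips_consistency. Missing files
# or a missing update-crypto-policies command are reported as "unknown".
live_check() {
    lc_sysctl=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo unknown)
    lc_cmdline=$(cat /proc/cmdline 2>/dev/null)
    lc_policy=$(update-crypto-policies --show 2>/dev/null || echo unknown)
    fips_consistency "$lc_sysctl" "$lc_cmdline" "$lc_policy"
}

# Only touch the live system when explicitly asked (FIPS_CHECK_LIVE is this
# example's own switch), so the functions can be sourced and tested offline.
if [ "${FIPS_CHECK_LIVE:-0}" = 1 ]; then
    live_check
fi
```

Run it as `FIPS_CHECK_LIVE=1 sh fips_consistency.sh` after the reboot; a non-zero exit status means at least one of the three indicators disagrees with the others and the system should not be treated as operating in FIPS mode.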
## Compliance Verification

You can verify your system's compliance status using the official RLC Pro Hardened compliance check script.

### Using the Compliance Script

- Download the script: check_compliance.sh
- Make it executable:

  ```bash
  chmod +x check_compliance.sh
  ```

- Run as root:

  ```bash
  sudo ./check_compliance.sh
  ```
### Sample Output: Compliant System

A properly configured FIPS system will show [PASS] for all checks and list the installed module versions.

```
========================================
RLC Pro Hardened Compliance Status Check
========================================
Checking FIPS Mode... [PASS] (FIPS mode is enabled.)
Checking Crypto Policy... [PASS] (Current Policy: FIPS)
Checking SELinux Status... [PASS] (Mode: Enforcing)
----------------------------------------
Validated Module Versions
----------------------------------------
Kernel Crypto API: 5.*
OpenSSL: 3.5.*
GnuTLS: 3.8.*
Libgcrypt: 1.10.*
========================================
Check Complete
========================================
```
### Sample Output: Non-Compliant System

If FIPS is disabled or policies are incorrect, the script will report failures.

```
========================================
RLC Pro Hardened Compliance Status Check
========================================
Checking FIPS Mode... [FAIL] (FIPS mode is disabled.)
Checking Crypto Policy... [WARN] (Current Policy: DEFAULT - Expected: FIPS)
Checking SELinux Status... [PASS] (Mode: Enforcing)
...
```
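When the compliance script is run from configuration management or a CI pipeline, the `[PASS]`/`[WARN]`/`[FAIL]` lines shown above need to be turned into an exit status rather than read by eye. The script below is an added example, not the RLC Pro Hardened project's own code: it parses report text in the format of the two samples above, counts the outcomes, names the checks that did not pass, and maps the result to an exit code. The sample reports embedded in it are constructed from the output format shown in this section, the `run_compliance_gate` wrapper and its default path `./check_compliance.sh` are this example's assumptions, and the exit-code convention (0 clean, 1 warnings only, 2 failures, 3 script missing) is the example's own.

```bash
#!/bin/sh
# Added example (not part of the RLC Pro Hardened tooling): gate on the
# [PASS]/[WARN]/[FAIL] lines printed by check_compliance.sh.

# Constructed sample reports in the documented output format (not captured
# from a real run).
SAMPLE_NONCOMPLIANT='========================================
RLC Pro Hardened Compliance Status Check
========================================
Checking FIPS Mode... [FAIL] (FIPS mode is disabled.)
Checking Crypto Policy... [WARN] (Current Policy: DEFAULT - Expected: FIPS)
Checking SELinux Status... [PASS] (Mode: Enforcing)
...'

SAMPLE_COMPLIANT='========================================
RLC Pro Hardened Compliance Status Check
========================================
Checking FIPS Mode... [PASS] (FIPS mode is enabled.)
Checking Crypto Policy... [PASS] (Current Policy: FIPS)
Checking SELinux Status... [PASS] (Mode: Enforcing)
========================================
Check Complete
========================================'

# summarize_compliance reads report text on stdin, prints
# "pass=N warn=N fail=N" and exits 0 (clean), 1 (warnings only) or 2 (any failure).
# A WARN is treated as non-compliant because, in the documented output, it
# reports a crypto policy other than FIPS.
summarize_compliance() {
    awk '
        /\[PASS\]/ { pass++ }
        /\[WARN\]/ { warn++ }
        /\[FAIL\]/ { fail++ }
        END {
            printf "pass=%d warn=%d fail=%d\n", pass, warn, fail
            if (fail > 0) exit 2
            if (warn > 0) exit 1
            exit 0
        }'
}

# failed_checks reads report text on stdin and prints the name of every check
# that reported WARN or FAIL, one per line (e.g. "FIPS Mode").
failed_checks() {
    awk '/^Checking .*\[(FAIL|WARN)\]/ {
        sub(/^Checking /, "")
        sub(/\.\.\..*/, "")
        print
    }'
}

# run_compliance_gate [SCRIPT] runs the real compliance script (assumed to be
# ./check_compliance.sh unless given) and returns the summarize_compliance
# status, or 3 if the script is not present and executable.
run_compliance_gate() {
    rcg_script=${1:-./check_compliance.sh}
    if [ ! -x "$rcg_script" ]; then
        echo "compliance script not found or not executable: $rcg_script" >&2
        return 3
    fi
    "$rcg_script" | summarize_compliance
}
```

Typical use is `sudo ./check_compliance.sh | tee report.txt | summarize_compliance`, followed by `failed_checks < report.txt` when the exit status is non-zero; counting on the bracketed tags rather than on fixed line numbers keeps the parser working if the script gains extra checks.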
## Troubleshooting

### dracut failures during enablement

If `fips-mode-setup --enable` fails with errors like:

```
dracut: installkernel failed in module kernel-modules-extra
dracut: Can't write to /boot/efi/...
```

This likely indicates an incomplete kernel installation or missing boot loader entries.

Resolution:

- Ensure no package manager processes are stuck (e.g., `dnf`).
- Reinstall the kernel core package to regenerate boot entries:

  ```bash
  dnf reinstall kernel-core
  ```

- If that fails, verify boot loader entries exist in `/boot/loader/entries/`. You can try manually adding the kernel entry:

  ```bash
  kernel-install add <kernel-version> /lib/modules/<kernel-version>/vmlinuz
  ```