Enable FIPS Mode

This page describes how to enable FIPS 140-3 ready cryptography for AIStor deployments on Linux.

When enabled, FIPS mode restricts cryptographic operations to algorithms that align with the Federal Information Processing Standards (FIPS) 140-3 program. Organizations subject to U.S. federal government compliance requirements, or those with similar regulatory needs, may require FIPS-aligned cryptography.

AIStor FIPS mode uses Go’s native cryptographic module, which restricts operations to FIPS 140-3 approved algorithms. MinIO makes no statements or representations regarding FIPS 140-3 certification status. Evaluate whether this implementation meets your specific compliance requirements.

Overview

AIStor uses Go 1.24’s native FIPS 140-3 cryptographic module. Enable FIPS mode at runtime with the GODEBUG environment variable; no separate FIPS build of the binary is required.

With FIPS mode enabled, the following apply:

  • TLS connections use only AES-GCM cipher suites (CHACHA20-POLY1305 is excluded).
  • Object encryption (DARE) uses only AES-256-GCM.
  • SSH/SFTP connections exclude weak key exchange algorithms and non-compliant ciphers.
  • JWT operations use FIPS-validated SHA3 implementations.

Enable FIPS mode

FIPS mode requires setting the GODEBUG environment variable in the AIStor environment file on all nodes in the deployment.

  1. Open the environment file

    Edit /etc/default/minio on each node:

    sudo vi /etc/default/minio

  2. Add the GODEBUG variable

    Add the following line to enable FIPS mode:

    GODEBUG="fips140=on"

    The environment file should look similar to:

    # AIStor Server environment file

    MINIO_VOLUMES="/mnt/data-{1...4}"
    MINIO_OPTS="--console-address :9001"
    MINIO_ROOT_USER=admin
    MINIO_ROOT_PASSWORD=miniosecretkey

    # Enable FIPS 140-3 mode
    GODEBUG="fips140=on"

  3. Apply the change to all nodes

    Copy the updated environment file to every node in the deployment. The contents must be identical across all nodes.

    Run a utility such as shasum on each node and compare the output; the checksums must match:

    shasum /etc/default/minio

  4. Restart AIStor

    Restart the AIStor service on all nodes:

    sudo systemctl restart minio

    Or use the mc CLI to restart all nodes at once:

    mc admin service restart ALIAS
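As an added example (not part of the AIStor documentation or MinIO's own tooling), the following POSIX shell script performs two pre-flight checks for steps 2 and 3 above: it confirms that an environment file has an active, uncommented GODEBUG line enabling fips140, and it confirms that copies of the file gathered from several nodes are byte-for-byte identical. The node files it creates are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the AIStor documentation: pre-flight checks for
# the FIPS rollout above. Assumes POSIX sh with grep, sed, tr, cmp, mktemp.

# Succeed (0) only if FILE has an active, uncommented GODEBUG line whose
# comma-separated settings include fips140=on. A commented-out line such
# as '# GODEBUG="fips140=on"' does not count. If GODEBUG is assigned more
# than once, the last assignment wins, as it does for the service.
fips_enabled_in_env() {
    file=$1
    [ -r "$file" ] || return 1
    last=$(grep -E '^[[:space:]]*GODEBUG=' "$file" | tail -n 1)
    [ -n "$last" ] || return 1
    value=$(printf '%s\n' "$last" | sed -e 's/^[[:space:]]*GODEBUG=//' \
                                       -e 's/^"//' -e 's/"$//')
    printf '%s\n' "$value" | tr ',' '\n' | grep -qx 'fips140=on'
}

# Succeed only if every file is byte-for-byte identical to the first one.
# Step 3 compares shasum output across nodes by eye; cmp performs the same
# check exactly once the copies are gathered on one host.
env_files_match() {
    ref=$1
    shift
    for f in "$@"; do
        cmp -s "$ref" "$f" || return 1
    done
    return 0
}

# Constructed sample environment files standing in for four nodes.
demo_dir=$(mktemp -d)
printf 'MINIO_VOLUMES="/mnt/data-{1...4}"\nGODEBUG="fips140=on"\n' > "$demo_dir/node1"
cp "$demo_dir/node1" "$demo_dir/node2"
printf 'MINIO_VOLUMES="/mnt/data-{1...4}"\n# GODEBUG="fips140=on"\n' > "$demo_dir/node3"
printf 'MINIO_VOLUMES="/mnt/data-{1...4}"\nGODEBUG=http2server=0,fips140=on\n' > "$demo_dir/node4"
for n in node1 node2 node3 node4; do
    if fips_enabled_in_env "$demo_dir/$n"; then
        echo "$n: FIPS enabled"
    else
        echo "$n: FIPS NOT enabled"
    fi
done
if env_files_match "$demo_dir/node1" "$demo_dir/node2" "$demo_dir/node3" "$demo_dir/node4"; then
    echo "all environment files identical"
else
    echo "environment files differ across nodes"
fi
```

In the sample, node3 fails the first check because its GODEBUG line is commented out, and the identity check fails because node3 and node4 differ from node1.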
    

Verify FIPS mode

Connect to the deployment and check the server information:

mc admin info ALIAS

The output indicates FIPS mode status in the server details.

You can also check the service logs for FIPS indicators:

journalctl -u minio | grep -i fips

FIPS mode cipher restrictions

The following tables summarize which cryptographic algorithms are available in FIPS mode versus standard mode.

TLS cipher suites

Cipher Suite                               Standard Mode   FIPS Mode
TLS_AES_128_GCM_SHA256 (TLS 1.3)           Yes             Yes
TLS_AES_256_GCM_SHA384 (TLS 1.3)           Yes             Yes
TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)     Yes             No
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256      Yes             Yes
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384      Yes             Yes
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256    Yes             Yes
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384    Yes             Yes
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305       Yes             No
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305     Yes             No

Object encryption (DARE)

Algorithm            Standard Mode   FIPS Mode
AES-256-GCM          Yes             Yes
CHACHA20-POLY1305    Yes             No

Public key algorithms

Algorithm                      Standard Mode   FIPS Mode
RSA (2048-4096 bit)            Yes             Yes
ECDSA (P-256, P-384, P-521)    Yes             Yes
EdDSA/Ed25519                  Yes             No

Considerations

Certificate compatibility

Ensure your TLS certificates use FIPS-compatible algorithms. Certificates signed with EdDSA/Ed25519 are not compatible with FIPS mode. Use ECDSA with NIST P-256/P-384/P-521 curves or RSA keys instead.

Client compatibility

Clients connecting to a FIPS-enabled deployment must support the available cipher suites. Modern TLS clients generally support AES-GCM cipher suites, but verify compatibility with older clients if necessary.

Performance

AES-GCM cipher suites benefit from hardware acceleration on most modern CPUs (AES-NI instruction set). Performance impact from enabling FIPS mode is typically minimal on hardware with AES-NI support.