Installing Kasten in FIPS mode

Kasten, as of version 7.0, supports an installation option that complies with the Federal Information Processing Standards (FIPS) defined by the National Institute of Standards and Technology (NIST). This is especially important for organizations operating in highly regulated industries or government sectors. FIPS-compliant software ensures that cryptographic algorithms and security protocols meet strict government requirements, including those set by the United States Department of Defense (DoD). To learn more about FIPS, visit NIST's Compliance FAQs.

Kasten in FIPS mode was designed to comply with the FIPS 140-3 standard. Activate this mode by using a set of Helm values specified below during the installation process, as explained in the accompanying document. To learn more about FIPS 140-3, please refer to NIST FIPS 140-3.

Cryptographic Modules

Kasten uses OpenSSL for its implementation of cryptographic primitives and algorithms. OpenSSL is provided by Red Hat's Universal Base Images (UBI). This cryptographic module is currently listed as "review pending" by NIST's Cryptographic Module Validation Program.

By incorporating OpenSSL, UBI, and aligning its implementation with Red Hat Compliance recommendations, Kasten ensures compliance of the FIPS 140-3 security requirements.

FIPS Supported Kubernetes Distributions

Kasten has been extensively tested and verified with Red Hat OpenShift, ensuring seamless integration between the two platforms. By using Kasten with Red Hat OpenShift, customers can benefit from enhanced security and compliance features, which are necessary for protecting critical data in FIPS-compliant environments.

While Kasten's FIPS mode can be activated in other environments, it may necessitate additional testing and configuration to ensure the cryptographic module's compliance. However, Kasten is continuously exploring opportunities to support additional Kubernetes distributions in the future.

Limitations in FIPS mode

Some Kasten features are not currently supported when FIPS is enabled:

  • Prometheus

  • PDF Reports

  • Block mode exports and restores of supported Ceph CSI volumes do not use the Ceph API

As a workaround for dashboards please install and configure a FIPS compliant version of Grafana and Prometheus with Kasten.

Installation in FIPS mode

Warning

During initialization, Kasten generates encryption keys using the configured encryption algorithms.

This means FIPS algorithms must be enabled during the initial installation. However, some features will be unavailable (see above).

To ensure that certified cryptographic modules are utilized and non-compliant features are disabled, you must install Kasten with additional Helm values that can be found here: FIPS values.

To install the latest version of Kasten with the latest values use the command below:

helm install k10 kasten/k10 \
    --namespace=kasten-io \
    --values=https://docs.kasten.io/latest/fips/fips-values.yaml