
Federal Information Processing Standards (FIPS) Compliance for Privacera Services

FIPS compliance is supported for fresh installations starting from Privacera Release 9.0.34.1.

The Privacera Platform is designed to support compliance with Federal Information Processing Standards (FIPS) 140-2 and 140-3. It utilizes cryptographic modules validated by the NIST Cryptographic Module Validation Program (CMVP) and ensures that all cryptographic operations are performed using FIPS-approved algorithms. The platform architecture meets the stringent security requirements of federal agencies and security-conscious enterprises.

Our commitment to FIPS compliance is reflected in a multi-layered security architecture. All cryptographic functions are executed using FIPS-enabled providers and approved algorithms, including AES (128-, 192-, or 256-bit) for data encryption and PBKDF2 with HMAC-SHA256 for secure password hashing. Service-to-service and client-server communications are protected with enforced TLS 1.2 and TLS 1.3 protocols, mitigating downgrade risks.

Privacera’s FIPS-compliant environment supports standard X.509 certificates with FIPS-approved keys (RSA 2048+ bits, ECDSA) and signature algorithms from the SHA-2 family. It is compatible with standard keystore formats, including PKCS12 and JCEKS.

EKS Support Only

FIPS compliance is currently supported only for deployments on Amazon Elastic Kubernetes Service (EKS).

Supported Applications

The following Privacera applications support FIPS-compliant cryptography:

Service Name                           FIPS Enabled
Portal                                 🟢 Yes
Ranger                                 🟢 Yes
DataServer                             🟢 Yes
UserSync                               🟢 Yes
Audit Server                           🟢 Yes
Audit Fluentd                          🟢 Yes
Databricks Unity Catalog (Connector)   🟢 Yes
Snowflake (Connector)                  🟢 Yes
Solr                                   🟢 Yes
Zookeeper                              🟢 Yes
Diagnostics Tool                       🟢 Yes
Discovery                              🔴 No
PEG (Encryption)                       🔴 No
OPS-server                             🔴 No
All Other Connectors                   🔴 No

Configuration

To enable FIPS mode using Privacera Manager, follow these steps:

Step 1: SSH into the Privacera Instance

Access the instance where Privacera is installed using SSH.

Step 2: Navigate to the Privacera Manager Directory

Run the following command to change to the Privacera Manager directory:

Bash
cd ~/privacera/privacera-manager

Step 3: Copy the Sample FIPS Configuration File to the Custom Configuration Directory

Check whether the file config/custom-vars/vars.fips.yml already exists. If it does, compare it with the sample file and merge any new or updated properties from the sample:

Bash
ls config/custom-vars/vars.fips.yml

If the file does not exist, copy the sample configuration file vars.fips.yml into the custom configuration directory:

Bash
cp config/sample-vars/vars.fips.yml config/custom-vars/vars.fips.yml
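To support the compare-and-merge in Step 3, the following is an added shell helper (not Privacera's own tooling): it lists the top-level properties of the sample vars.fips.yml that are missing from, or set differently in, the custom copy, and copies the sample when no custom file exists yet. It assumes both files are flat key: value YAML; any property names appearing in its demo input are constructed placeholders, not real Privacera settings.

```shell
#!/bin/sh
# Added example, not Privacera's own tooling: supports the merge in Step 3 by
# listing which top-level properties of the sample vars.fips.yml are missing
# from, or set differently in, the copy under config/custom-vars.
# Assumption: both files are flat "key: value" YAML. Any property names seen
# in demo input are constructed placeholders, not real Privacera settings.
export LC_ALL=C          # byte-wise collation so sort, comm and join agree
TAB=$(printf '\t')

# Emit "key<TAB>value" for each top-level, uncommented "key: value" line,
# sorted so the result can be fed straight to comm(1) and join(1).
yaml_top_kv() {
    sed -n "s/^\([A-Za-z_][A-Za-z0-9_.-]*\): *\(.*\)/\1${TAB}\2/p" "$1" | sort
}

# Print "missing: KEY" for sample properties the custom file lacks and
# "changed: KEY" where both define the key with different values.
# Prints nothing when the custom file already carries the sample's settings.
compare_fips_vars() {
    work=$(mktemp -d) || return 2
    yaml_top_kv "$1" > "$work/sample"
    yaml_top_kv "$2" > "$work/custom"
    cut -f1 "$work/sample" > "$work/sample.keys"
    cut -f1 "$work/custom" > "$work/custom.keys"
    comm -23 "$work/sample.keys" "$work/custom.keys" | sed 's/^/missing: /'
    join -t "$TAB" "$work/sample" "$work/custom" |
        awk -F "$TAB" '$2 != $3 { print "changed: " $1 }'
    rm -rf "$work"
}

# Mirror Step 3: copy the sample when no custom file exists, otherwise report
# what still has to be merged by hand. Returns 1 when a merge is needed.
sync_fips_vars() {
    sample="$1"; custom="$2"
    if [ ! -f "$custom" ]; then
        cp "$sample" "$custom" || return 2
        echo "copied $sample to $custom"
        return 0
    fi
    report=$(compare_fips_vars "$sample" "$custom")
    if [ -z "$report" ]; then
        echo "$custom already covers every property in $sample"
        return 0
    fi
    printf '%s\n' "merge needed in $custom:" "$report"
    return 1
}

# Only act on the page's paths when invoked as "sh fips_vars_check.sh --run",
# so the functions above can be sourced into another script without effects.
if [ "${1:-}" = "--run" ]; then
    cd ~/privacera/privacera-manager || exit 2
    sync_fips_vars config/sample-vars/vars.fips.yml config/custom-vars/vars.fips.yml
fi
```

Nested YAML sections are reported only by their top-level key, so a change inside a nested block still has to be inspected with a plain diff.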

Deploying the Service

Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Step 2 - Apply the Privacera Manager Helm charts.

Bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install
