PE and FIPS compliance
Beginning with version 2019.2.0, Puppet Enterprise (PE) complies with Federal Information Processing Standard (FIPS) 140-2 standards and is fully operable on select FIPS platforms.
Federal Information Processing Standard (FIPS) 140-2 is a standard defined by the U.S. government that defines the security requirements for cryptographic modules. The standard is published and maintained by the National Institute of Standards and Technology (NIST) and is mandated by the White House Office of Management and Budget (OMB) in Circular A-130 and pursuant to FISMA (44 U.S.C Chapter 35). NIST operates the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules per the requirements defined by the standard. All federal information systems that transmit and store sensitive information must utilize FIPS 140-2-validated cryptography.
As of version 2019.2.0, the cryptographic modules included in Puppet Enterprise are compliant with FIPS 140-2 and fully operable on the FIPS-compliant platforms listed below.
| PE component | FIPS-compliant platforms |
|---|---|
| Master | Red Hat Enterprise Linux (RHEL) 7 in FIPS mode |
| Agents |
Red Hat Enterprise Linux
(RHEL) 7 in FIPS mode Windows Server 2012 R2 and newer versions in FIPS mode Windows 10 in FIPS mode |
For information on installing a FIPS-compliant PE master and agents, see Installing FIPS-compliant Puppet Enterprise.
- All components are built and packaged against system OpenSSL (Red Hat Enterprise Linux (RHEL) 7 in FIPS mod for the master), or against OpenSSL built in FIPS mode (Windows 10, Windows Server 2012 R2 and newer versions for agents).
- All use of MD5 hashes for security has been eliminated and replaced.
- Forge and module tooling now use SHA-256 hashes to verify the identity of modules.
- Proper random number generation devices are used on all platforms.
- All Java and Clojure components use FIPS Bouncy Castle encryption providers on FIPS platforms.