Running the server in FIPS mode
Starting with InterBase 15, InterBase allows runtime enforcement of FIPS compliance to provide a more secure environment for data at rest and for data communication, using secure encryption algorithms only. FIPS mode is available only for the server-based InterBase database engine, on Windows and Linux.
Prerequisites
To run FIPS mode in InterBase 15, the following prerequisites need to be met:
- The InterBase user administration database, admin.ib, has to be ODS version 19.
- User accounts in admin.ib should use the SHA-256 password digest.
- Customer databases must be encrypted with strong encryption, using AES cipher encryption keys. Unencrypted databases are not permitted in FIPS_MODE.
- Encrypted databases must also have EUA user accounts that use the SHA-256 password digest.
- Unencrypted databases cannot be created in a FIPS_MODE-enabled runtime. Because InterBase cannot create an encrypted database in a single DDL command, the database needs to be created and encrypted while running in non-FIPS mode, and then used in a FIPS-enabled instance.
- If you are migrating from an earlier version of InterBase, use InterBase 15 to convert the database files to AES encryption and the EUA user accounts to the SHA-256 password digest, and then copy the database over to be serviced by a FIPS_MODE-enabled instance of InterBase.
Enabling FIPS
By default, FIPS mode is disabled. To enable FIPS compliance at runtime, edit the ibconfig file. In a default Windows installation, this configuration file is located at: C:\Program Files\Embarcadero\InterBase. The following steps describe how to enable FIPS:
- Open the ibconfig file with a text editor.
- Find the line #FIPS_MODE 0 and uncomment it.
- Set the value of FIPS_MODE to 1
- Save your changes
- Restart the InterBase server
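
The edit described in the steps above can be scripted and audited. The following is an added example, not code from InterBase or Embarcadero. It assumes ibconfig entries are "NAME value" lines with "#" marking a comment, as the #FIPS_MODE 0 line suggests; the sample text and EXAMPLE_PARAM are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample; EXAMPLE_PARAM is a placeholder, not a real ibconfig entry.
SAMPLE_IBCONFIG = "# constructed excerpt\nEXAMPLE_PARAM 42\n#FIPS_MODE 0\n"

# Assumption: entries are "NAME value" lines and "#" starts a comment.
# Matches the FIPS_MODE entry whether it is commented out or active.
_FIPS_LINE = re.compile(r"^(?P<indent>\s*)(?P<hash>#\s*)?FIPS_MODE\s+(?P<value>\d+)\s*$")


def fips_mode_state(config_text):
    """Return 'enabled', 'disabled', 'commented' or 'missing'."""
    active, commented = [], False
    for line in config_text.splitlines():
        m = _FIPS_LINE.match(line)
        if not m:
            continue
        if m.group("hash"):
            commented = True
        else:
            active.append(m.group("value"))
    if len(active) > 1:
        raise ValueError("more than one active FIPS_MODE entry; resolve by hand")
    if active:
        return "enabled" if active[0] == "1" else "disabled"
    return "commented" if commented else "missing"


def enable_fips_mode(config_text):
    """Uncomment the FIPS_MODE entry and set it to 1; other lines are untouched."""
    state = fips_mode_state(config_text)
    if state == "missing":
        raise ValueError("no FIPS_MODE entry found in this ibconfig text")
    if state == "enabled":
        return config_text  # already set, nothing to rewrite
    out, done = [], False
    for line in config_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _FIPS_LINE.match(body)
        # Rewrite one entry only: the active one if present,
        # otherwise the first commented default. Line endings are preserved.
        if m and not done and (state == "commented" or not m.group("hash")):
            line = f"{m.group('indent')}FIPS_MODE 1{line[len(body):]}"
            done = True
        out.append(line)
    return "".join(out)
```

Run fips_mode_state on the ibconfig contents before and after the change to confirm the result; the server still has to be restarted for the setting to take effect.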