Documentation

InfluxDB Enterprise

FIPS-compliant InfluxDB Enterprise builds

InfluxDB Enterprise 1.11+ provides builds that are compliant with Federal Information Processing Standards (FIPS). This page provides information on installing and using FIPS-compliant builds of InfluxDB Enterprise.

Installation

  • For new InfluxDB Enterprise clusters:

    • Follow the regular InfluxDB Enterprise installation instructions using the FIPS-compliant packages.
    • Ensure that your meta and data node configuration files use a FIPS-compliant password hash that conforms to NIST SP 800 and OWASP guidelines. In both meta and data node configuration files, set [meta].password-hash to either pbkdf2-sha256 or pbkdf2-sha512. Non-FIPS-compliant password hash configurations, like bcrypt, cause FIPS-compliant InfluxDB Enterprise builds to return an error on startup.

  • Enable FIPS on an existing InfluxDB Enterprise cluster:

    • Change the password hash from the non-FIPS-compliant default of bcrypt to a FIPS-compliant password hash (pbkdf2-sha256 or pbkdf2-sha512), then restart all nodes.
    • Change passwords on at least one admin account. Any users with passwords that have not been updated will no longer work once FIPS-compliance is enabled.
    • Follow the process to upgrade a cluster, except use the FIPS-compliant packages.

Please report any errors encountered when upgrading from a non-FIPS-compliant InfluxDB Enterprise build to FIPS-compliant build to InfluxData support.

Caveats and known issues

You must use a local license file

When using a FIPS-compliant build of InfluxDB Enterprise, you must use a local license file. License keys do not work in FIPS mode. Contact InfluxData support to request the license file. The [enterprise] section of your data and meta node configuration files contains the settings that registered each node with the InfluxDB Enterprise license portal.

In your data and meta node configuration files:

  1. Update the [enterprise].license-path setting to point to your local license file.
  2. Remove or comment out the [enterprise].license-key setting.

Flux data source restrictions

Flux queries that query or write to MSSQL, SQLServer, or Snowflake using sql.from or sql.to are not supported.

Disabled InfluxDB Insights monitoring

InfluxDB Insights monitoring has not been validated as compatible with FIPS-compliance in InfluxDB Enterprise and is not available when using a FIPS-compliant InfluxDB Enterprise build.

Only amd64 (x86) architectures

FIPS-compliant InfluxDB Enterprise builds only support the amd64 architecture.

Security

To comply with FIPS standards, the following security practices are applied to FIPS-compliant InfluxDB Enterprise builds:

BoringCrypto cryptography library

InfluxDB Enterprise FIPS-compliant builds use the FIPS-validated BoringCrypto cryptography library.

TLS

As mandated by FIPS, TLS uses a restricted set of functionality:

  • TLS 1.2 only
  • TLS only supports the following cipher suites:
    • ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • RSA_WITH_AES_128_GCM_SHA256
    • RSA_WITH_AES_256_GCM_SHA384

Digital signatures

As mandated by FIPS, supported digital signatures are limited to the following signature algorithms:

  • PSSWithSHA256
  • PSSWithSHA384
  • PSSWithSHA512
  • PKCS1WithSHA256
  • ECDSAWithP256AndSHA256
  • PKCS1WithSHA384
  • ECDSAWithP384AndSHA384
  • PKCS1WithSHA512
  • ECDSAWithP521AndSHA512

Digital signature restrictions apply to TLS certificates.

RSA key size

As mandated by FIPS, RSA keys are restricted to the following sizes:

  • 2048
  • 3072

RSA key size restrictions apply to TLS certificates.

Elliptic-curve cryptography

As mandated by FIPS, supported elliptic-curve (EC) cryptography curves are restricted to the following:

  • P-256
  • P-384
  • P-521

EC curve restrictions apply to TLS certificates.

Was this page helpful?

Thank you for your feedback!

© 2024 InfluxData, Inc.

Where are you running InfluxDB?

Customize your InfluxDB Enterprise URL and we’ll update code examples for you.

Default
Custom

For more information, see InfluxDB Enterprise HTTP settings.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Flux is going into maintenance mode and will not be supported in InfluxDB 3.0. This was a decision based on the broad demand for SQL and the continued growth and adoption of InfluxQL. We are continuing to support Flux for users in 1.x and 2.x so you can continue using it with no changes to your code. If you are interested in transitioning to InfluxDB 3.0 and want to future-proof your code, we suggest using InfluxQL.

For information about the future of Flux, see the following: