FIPS-compliant InfluxDB Enterprise builds
InfluxDB Enterprise 1.11+ provides builds that are compliant with Federal Information Processing Standards (FIPS). This page provides information on installing and using FIPS-compliant builds of InfluxDB Enterprise.
Installation
- For new InfluxDB Enterprise clusters:
  - Follow the regular InfluxDB Enterprise installation instructions using the FIPS-compliant packages.
  - Ensure that your meta and data node configuration files use a FIPS-compliant password hash that conforms to NIST SP 800 and OWASP guidelines. In both meta and data node configuration files, set [meta].password-hash to either pbkdf2-sha256 or pbkdf2-sha512. Non-FIPS-compliant password hash configurations, like bcrypt, cause FIPS-compliant InfluxDB Enterprise builds to return an error on startup.
- Enable FIPS on an existing InfluxDB Enterprise cluster:
  - Change the password hash from the non-FIPS-compliant default of bcrypt to a FIPS-compliant password hash (pbkdf2-sha256 or pbkdf2-sha512), then restart all nodes.
  - Change passwords on at least one admin account. Any users with passwords that have not been updated will no longer work once FIPS-compliance is enabled.
  - Follow the process to upgrade a cluster, except use the FIPS-compliant packages.
Please report any errors encountered when upgrading from a non-FIPS-compliant InfluxDB Enterprise build to a FIPS-compliant build to InfluxData support.
Caveats and known issues
- You must use a local license file
- Flux data source restrictions
- Disabled InfluxDB Insights monitoring
- Only amd64 (x86) architectures
You must use a local license file
When using a FIPS-compliant build of InfluxDB Enterprise,
you must use a local license file. License keys do not work in FIPS mode.
Contact InfluxData support to request the
license file.
The [enterprise] section of your data and meta node configuration files contains the settings that registered each node with the InfluxDB Enterprise license portal.
In your data and meta node configuration files:
- Update the [enterprise].license-path setting to point to your local license file.
- Remove or comment out the [enterprise].license-key setting.
Flux data source restrictions
Flux queries that query or write to MSSQL, SQLServer, or Snowflake using sql.from or sql.to are not supported.
Disabled InfluxDB Insights monitoring
InfluxDB Insights monitoring has not been validated as compatible with FIPS-compliance in InfluxDB Enterprise and is not available when using a FIPS-compliant InfluxDB Enterprise build.
Only amd64 (x86) architectures
FIPS-compliant InfluxDB Enterprise builds only support the amd64 architecture.
Security
To comply with FIPS standards, the following security practices are applied to FIPS-compliant InfluxDB Enterprise builds:
BoringCrypto cryptography library
InfluxDB Enterprise FIPS-compliant builds use the FIPS-validated BoringCrypto cryptography library.
TLS
As mandated by FIPS, TLS uses a restricted set of functionality:
- TLS 1.2 only
- TLS only supports the following cipher suites:
  - ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - RSA_WITH_AES_128_GCM_SHA256
  - RSA_WITH_AES_256_GCM_SHA384
Digital signatures
As mandated by FIPS, supported digital signatures are limited to the following signature algorithms:
- PSSWithSHA256
- PSSWithSHA384
- PSSWithSHA512
- PKCS1WithSHA256
- ECDSAWithP256AndSHA256
- PKCS1WithSHA384
- ECDSAWithP384AndSHA384
- PKCS1WithSHA512
- ECDSAWithP521AndSHA512
Digital signature restrictions apply to TLS certificates.
RSA key size
As mandated by FIPS, RSA keys are restricted to the following sizes:
- 2048
- 3072
RSA key size restrictions apply to TLS certificates.
Elliptic-curve cryptography
As mandated by FIPS, supported elliptic-curve (EC) cryptography curves are restricted to the following:
- P-256
- P-384
- P-521
EC curve restrictions apply to TLS certificates.
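A pre-flight check for the certificate restrictions listed under Digital signatures, RSA key size and Elliptic-curve cryptography, as an added Go example that is not InfluxData code. CheckCert and Samples are hypothetical names, the sample certificates are constructed, and treating Go's x509 constants as the counterparts of the listed signature names (for example x509.SHA256WithRSA for PKCS1WithSHA256) is an assumption; the curve paired with each ECDSA signature is not checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
)

// CheckCert lists each restriction from this page that the certificate violates.
func CheckCert(c *x509.Certificate) (out []string) {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if n := k.N.BitLen(); n != 2048 && n != 3072 {
			out = append(out, fmt.Sprintf("RSA key size %d", n))
		}
	case *ecdsa.PublicKey:
		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
			out = append(out, "EC curve "+k.Params().Name)
		}
	default:
		out = append(out, fmt.Sprintf("key type %T", k))
	}
	switch c.SignatureAlgorithm { // assumed x509 counterparts of the listed names
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		out = append(out, "signature algorithm "+c.SignatureAlgorithm.String())
	}
	return out
}

// Samples returns constructed certificates holding only the fields CheckCert reads; real input comes from x509.ParseCertificate.
func Samples() map[string]*x509.Certificate {
	return map[string]*x509.Certificate{
		"ok-p384":   {PublicKey: &ecdsa.PublicKey{Curve: elliptic.P384()}, SignatureAlgorithm: x509.ECDSAWithSHA384},
		"rsa-4096":  {PublicKey: &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 4095), E: 65537}, SignatureAlgorithm: x509.SHA256WithRSA},
		"p224-sha1": {PublicKey: &ecdsa.PublicKey{Curve: elliptic.P224()}, SignatureAlgorithm: x509.ECDSAWithSHA1},
	}
}

func main() {
	for name, c := range Samples() {
		fmt.Println(name, CheckCert(c))
	}
}
```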