How to disable FIPS in RHEL/CentOS

Disabling FIPS (Federal Information Processing Standards) mode in Red Hat Enterprise Linux (RHEL) involves several steps. FIPS mode enforces the use of cryptographic algorithms that are compliant with FIPS 140-2, a security standard for cryptographic modules. With FIPS mode disabled, the system is again able to use non-FIPS-compliant algorithms where necessary.

Here’s how you can disable FIPS mode in RHEL:

1. Check if FIPS Mode is Enabled

First, confirm if FIPS mode is currently enabled on your system:

cat /proc/sys/crypto/fips_enabled

If the output is 1, FIPS mode is enabled. If it's 0, FIPS mode is disabled.

2. Modify the Kernel Boot Parameters

To disable FIPS mode, you need to remove the fips=1 parameter from the kernel command line.

a. Edit the GRUB Configuration

  1. Open the GRUB configuration file for editing:

    sudo vi /etc/default/grub

  2. Locate the line starting with GRUB_CMDLINE_LINUX. This line might look something like this:

    GRUB_CMDLINE_LINUX="... fips=1 ..."

  3. Remove the fips=1 parameter from this line. After editing, it should look something like this:

    GRUB_CMDLINE_LINUX="..."

  4. Save and exit the file.

b. Update GRUB

After editing the GRUB configuration file, you need to regenerate the GRUB configuration:

  • On BIOS systems, run:

    sudo grub2-mkconfig -o /boot/grub2/grub.cfg

  • On UEFI systems, run:

    sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

3. Rebuild the Initial RAM Filesystem (if necessary)

In some cases, FIPS mode may also affect the initial RAM filesystem. If you made any modifications to the boot parameters, it's a good practice to rebuild the initramfs:

sudo dracut -f

4. Reboot the System

Finally, reboot your system for the changes to take effect:

sudo reboot

5. Verify FIPS Mode is Disabled

After rebooting, check if FIPS mode is disabled:

cat /proc/sys/crypto/fips_enabled

The output should now be 0, indicating that FIPS mode is disabled.
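
The checks in steps 1 to 5 can be combined into one read-only audit, shown here as an added example that is not part of the original page. The function names and state labels (has_fips_arg, strip_fips_arg, fips_state, pending-reboot, stale-grub-default) are hypothetical; the file paths are the ones used in the steps above plus /proc/cmdline, the running kernel's command line.

```shell
#!/bin/sh
# Added example, not from the original page. Read-only helpers; every path
# is a parameter so the functions can be run against copies of the files.

# has_fips_arg FILE: succeed if FILE contains fips=1 as a whole kernel
# argument (fips=10 or nofips=1 do not count).
has_fips_arg() {
    grep -Eq '(^|[[:space:]"])fips=1([[:space:]"]|$)' "$1" 2>/dev/null
}

# strip_fips_arg FILE: print FILE with fips=1 removed from the
# GRUB_CMDLINE_LINUX line only. FILE itself is left untouched.
strip_fips_arg() {
    sed -E '/^GRUB_CMDLINE_LINUX=/ {
        s/ fips=1([ "])/\1/g
        s/"fips=1 /"/
        s/"fips=1"/""/
    }' "$1"
}

# fips_state [FLAG_FILE] [CMDLINE_FILE] [GRUB_DEFAULT_FILE]
# Combines the runtime flag, the running kernel's command line and the
# edited GRUB defaults into one verdict.
fips_state() {
    flag=$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null || echo unknown)
    if has_fips_arg "${2:-/proc/cmdline}"; then booted=1; else booted=0; fi
    if has_fips_arg "${3:-/etc/default/grub}"; then configured=1; else configured=0; fi
    case "$flag:$booted:$configured" in
        1:1:1) echo enabled ;;            # nothing changed yet
        1:1:0) echo pending-reboot ;;     # file edited, kernel still booted with fips=1
        0:0:0) echo disabled ;;           # expected result after step 5
        0:0:1) echo stale-grub-default ;; # defaults file still carries fips=1
        *)     echo inconsistent ;;       # flag and command line disagree, or unreadable
    esac
}
```

Called with no arguments, fips_state reads the live paths. If it still reports pending-reboot after step 4, the kernel was booted with fips=1 again, so the regenerated GRUB configuration was not the one used at boot.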

Additional Steps (if needed)

  • Reconfigure Applications: Some applications may need to be reconfigured if they were explicitly set to use FIPS-compliant cryptography. Review application configurations to ensure they work as expected with FIPS mode disabled.

  • Uninstall FIPS-related Packages: If you want to remove FIPS-related packages, you can identify and uninstall them, but this step is optional and should be done with caution.

Classified as Getvisibility - Partner/Customer Confidential