FIPS Compliance in YugabyteDB

Organizations in regulated sectors such as government, defense, finance, and healthcare often face strict requirements around cryptography, including adherence to FIPS 140‑2 or FIPS 140‑3 standards.

With the latest versions of YugabyteDB, you can deploy the database in a mode that ensures cryptographic operations (encryption, hashing, key generation) are handled via a FIPS-validated provider and you retain the flexibility to turn that mode on or off depending on your compliance needs.

What is it?

FIPS, or Federal Information Processing Standards, is a collection of security and interoperability requirements published by the National Institute of Standards and Technology (NIST). Of particular relevance are FIPS 140-2 and FIPS 140-3, which specify how cryptographic modules must operate to safeguard sensitive and regulated data.

Recent releases of YugabyteDB integrate with the OpenSSL FIPS Provider, enabling the database to operate in FIPS-compliant mode when required. In this mode, all cryptographic operations go through a FIPS-validated module; when permitted, you can turn the mode off to regain access to a broader algorithm set. This toggle-based approach helps teams balance regulatory compliance and operational flexibility.

Enabling FIPS Mode

In YugabyteDB, both the Master and TServer processes support the following flag:

  • Flag: openssl_require_fips

  • Description: Use OpenSSL FIPS Provider.

  • Default: false

  • Applies to: Both yb-master and yb-tserver processes

When you set this flag to true, YugabyteDB uses the OpenSSL FIPS Provider, forcing cryptographic operations to comply with FIPS requirements. If it stays false, you operate in the normal (non-FIPS) mode.

⚠️ Important: This flag is not dynamic. FIPS mode must be configured when creating or restarting the universe.

Quick demo with yugabyted (FIPS on)

Here’s a quick demo of how you can enable FIPS mode using yugabyted for a single-node universe (great for development/testing or small deployments).

# Start (or restart) with FIPS required on both services
yugabyted restart \
  --base_dir ~/yb_fips_demo \
  --master_flags "openssl_require_fips=true" \
  --tserver_flags "openssl_require_fips=true"

# (optional) sanity: verify live gflags on the master (7000) and tserver (9000)
curl -s "http://127.0.0.1:7000/varz?raw" | grep openssl_require_fips
curl -s "http://127.0.0.1:9000/varz?raw" | grep openssl_require_fips

# Connect
yugabyted connect ysql --base_dir ~/yb_fips_demo

Once connected:

-- Enable pgcrypto once per database
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- In FIPS mode the MD5 crypt scheme is rejected: crypt(3) returns NULL and YSQL raises an error (expected)
SELECT crypt('secret', gen_salt('md5')) AS md5_hash;   -- expect: ERROR "crypt(3) returned NULL"

-- FIPS-approved hashing still works
SELECT encode(digest('hello','sha256'),'hex') AS sha256_ok;  -- expect: non-NULL hex

Sample output:

yugabyte=# -- In FIPS mode, MD5-based crypt returns NULL (expected)
yugabyte=# SELECT crypt('secret', gen_salt('md5')) AS md5_hash;   -- expect: NULL
ERROR:  crypt(3) returned NULL

yugabyte=# -- FIPS-approved hashing still works
yugabyte=# SELECT encode(digest('hello','sha256'),'hex') AS sha256_ok;  -- expect: non-NULL hex
                            sha256_ok
------------------------------------------------------------------
 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
(1 row)

Summary

With the introduction of OpenSSL 3.0.8 in YugabyteDB 2024.1, the database now supports running in a fully FIPS-compliant mode. By enabling the openssl_require_fips flag, YugabyteDB uses the OpenSSL FIPS Provider to ensure all encryption, hashing, and key-management operations adhere to FIPS 140-2 / 140-3 standards.

This capability makes YugabyteDB a strong fit for federal, defense, financial, and healthcare environments where cryptographic validation is mandatory.

It also offers flexibility: you can toggle FIPS mode on or off depending on your deployment’s security and compliance requirements.

When FIPS mode is enabled:

  • ✅ Only approved algorithms (AES, SHA-2, RSA) are available.

  • 🚫 Non-approved ones (like MD5) are blocked automatically.

  • 🔐 All cryptographic operations route through a validated FIPS provider.
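
The demo above probes one rejected call and one accepted call; the list of effects just given covers several algorithm families. The following probe script, an added example that is not part of this post or of the YugabyteDB project, exercises pgcrypto digests, HMAC, symmetric ciphers and password hashing in one pass and records which calls the running universe accepts. Each call sits in its own exception block, so a rejected algorithm becomes a row in the result instead of aborting the session the way the bare crypt() call does. It assumes a YSQL connection that may create extensions and temporary tables, and a build where PL/pgSQL exception blocks (subtransactions) are available; the table name fips_probe and the key strings are constructed for the example. Run it once with openssl_require_fips=true and once with the default to see the difference side by side.

```sql
-- Added probe script (example, not the page's or the project's own code).
-- Records which pgcrypto primitives the connected universe accepts so the
-- effect of openssl_require_fips can be checked from SQL alone.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TEMP TABLE fips_probe (
  op     text,   -- digest / hmac / encrypt / crypt
  algo   text,   -- algorithm name handed to pgcrypto
  status text,   -- 'ok' or 'rejected'
  detail text    -- hex prefix of the result, or the error message
);

DO $$
DECLARE
  algo text;
  res  bytea;
BEGIN
  -- Message digests and HMAC: MD5 and SHA-1 are not approved for these
  -- uses under FIPS; the SHA-2 family is. Both functions go through OpenSSL.
  FOREACH algo IN ARRAY ARRAY['md5', 'sha1', 'sha256', 'sha512'] LOOP
    BEGIN
      res := digest('hello', algo);
      INSERT INTO fips_probe
        VALUES ('digest', algo, 'ok', left(encode(res, 'hex'), 16) || '...');
    EXCEPTION WHEN OTHERS THEN
      INSERT INTO fips_probe VALUES ('digest', algo, 'rejected', SQLERRM);
    END;

    BEGIN
      res := hmac('hello', 'constructed-example-key', algo);
      INSERT INTO fips_probe
        VALUES ('hmac', algo, 'ok', left(encode(res, 'hex'), 16) || '...');
    EXCEPTION WHEN OTHERS THEN
      INSERT INTO fips_probe VALUES ('hmac', algo, 'rejected', SQLERRM);
    END;
  END LOOP;

  -- Symmetric ciphers: encrypt() delegates to OpenSSL, so the FIPS provider
  -- decides. AES is approved; Blowfish ('bf') is not.
  FOREACH algo IN ARRAY ARRAY['aes', 'bf'] LOOP
    BEGIN
      res := encrypt('hello'::bytea, 'sixteen byte key'::bytea, algo);
      INSERT INTO fips_probe
        VALUES ('encrypt', algo, 'ok', left(encode(res, 'hex'), 16) || '...');
    EXCEPTION WHEN OTHERS THEN
      INSERT INTO fips_probe VALUES ('encrypt', algo, 'rejected', SQLERRM);
    END;
  END LOOP;

  -- Password hashing: the md5 scheme of crypt() is the call the post shows
  -- failing. gen_salt() itself succeeds; crypt() is what raises the error.
  BEGIN
    INSERT INTO fips_probe
      VALUES ('crypt', 'md5', 'ok',
              left(crypt('secret', gen_salt('md5')), 16) || '...');
  EXCEPTION WHEN OTHERS THEN
    INSERT INTO fips_probe VALUES ('crypt', 'md5', 'rejected', SQLERRM);
  END;
END $$;

-- One row per probe; in FIPS mode expect md5 and bf rows marked 'rejected'
-- and the SHA-2 and AES rows marked 'ok'.
SELECT op, algo, status, detail
FROM fips_probe
ORDER BY op, algo;
```

Keeping the results in a table rather than in RAISE NOTICE output makes the probe usable from a compliance check that connects, runs the script and fails the deployment if any row that should be 'rejected' comes back 'ok'. Note that crypt()'s other schemes (bf, xdes, des) are implemented inside pgcrypto rather than through OpenSSL, so the FIPS provider does not govern them; treat them as non-approved regardless of what the probe reports for them.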

In short, YugabyteDB now lets you meet stringent compliance goals without giving up distributed resilience or SQL compatibility: a blend of security, control, and performance.

Have Fun!

I got a rock