Full disk encryption during installation - with FIPS enabled
Posted: 2015/09/02 15:50:27
The easiest way to encrypt data on a system is to mark volumes to be encrypted during installation. Sys admins can also manually encrypt volumes after the fact.
The good news is that as of CentOS/RHEL 6, dm-crypt with the LUKS extension is FIPS kosher.
The bad news is that FIPS mode is disabled by default during installation. If you encrypt entire volumes during installation, then later enable FIPS mode - you won't be able to boot into your system anymore. Disable FIPS, and you can boot into your box again.
The bottom line is that FIPS mode should be set before encrypting volumes.
So - is there a way to enable FIPS mode during installation, prior to marking volumes for encryption?