General FIPS Guidelines

Whenever possible, select Use Default when defining a PGP private key or a protocol system key. That way, when you switch between FIPS and non-FIPS mode, the only change required is to point the default at a key of the matching type (FIPS or non-FIPS); the individual definitions that reference the default do not need to be edited.

  • Use the "fips test" function to generate a report that shows, for each PGP key and protocol key, whether it is supported in FIPS mode.
  • Before converting to FIPS mode, make sure that only FIPS-supported keys are in use. For PGP, this means replacing ElGamal keys with RSA keys. For both PGP and protocol keys, use keys of at least 2048 bits and only the supported algorithms.
  • Before enabling FIPS mode, make sure that every entry marked "FAIL" in the "fips test" report has been replaced by a FIPS-supported public or private key. We suggest disabling keys that are not FIPS-supported and no longer used, and deleting them after a suitable retention period. Before deleting a PGP private key, confirm that no retained files encrypted to it will still need to be decrypted; once the key is gone, those files cannot be recovered.
Note: 1024-bit system keys are not supported in FIPS mode and cannot be created while running in FIPS mode. If you create a 1024-bit system key in non-FIPS mode and then attempt to use it in FIPS mode, transfers fail. FIPS mode allows you to create 2048-bit or 3072-bit keys. Creating 4096-bit keys is not supported in FIPS mode, but existing 4096-bit keys can be used in FIPS mode.
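The following is an added example, not the product's own "fips test" function, showing how to pre-screen an OpenPGP keyring against the PGP rules above (RSA only, at least 2048 bits) before switching modes. It parses the machine-readable output of `gpg --list-keys --with-colons` (record type, key length and algorithm ID are in fields 1, 3 and 4; the algorithm IDs follow RFC 4880). A key is reported as FAIL if its primary key or any subkey fails, because an ElGamal encryption subkey on an otherwise RSA key would still be rejected. The keyring listing embedded below is constructed for the example, and `system_key_size_check` encodes the system-key size rules from the Note; neither is product code.

```python
"""Pre-screen an OpenPGP keyring listing for keys that would fail a FIPS-mode check.

Example code added to this page; not the product's "fips test" report.
Input format: `gpg --list-keys --with-colons` (the constant below is a
constructed sample, not real keys).
"""
from dataclasses import dataclass, field

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1).
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELGAMAL", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EDDSA"}
RSA_ALGOS = {1, 2, 3}
MIN_FIPS_BITS = 2048

# Constructed sample: one compliant 4096-bit RSA key, one legacy DSA/ElGamal key,
# one compliant 3072-bit RSA key, and one RSA key that is too short.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::HASH1::Alice Archive <alice@example.test>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
pub:u:1024:17:1111111111111111:1300000000:::u:::scSC::::::23::0:
uid:u::::1300000000::HASH2::Bob Legacy <bob@example.test>::::::::::0:
sub:u:2048:16:2222222222222222:1300000000::::::e::::::23:
pub:u:3072:1:3333333333333333:1650000000:::u:::scESC::::::23::0:
uid:u::::1650000000::HASH3::Carol Current <carol@example.test>::::::::::0:
sub:u:3072:1:4444444444444444:1650000000::::::e::::::23:
pub:u:1024:1:5555555555555555:1400000000:::u:::scESC::::::23::0:
uid:u::::1400000000::HASH4::Dave Short <dave@example.test>::::::::::0:
"""


@dataclass
class Component:
    kind: str    # pub/sec = primary key, sub/ssb = subkey
    keyid: str
    bits: int
    algo: int


@dataclass
class KeyReport:
    keyid: str
    uid: str
    status: str              # "PASS" or "FAIL"
    reasons: list = field(default_factory=list)


def check_component(c):
    """Return (ok, message) for one key or subkey under the PGP rules on this page."""
    name = ALGO_NAMES.get(c.algo, f"algo{c.algo}")
    if c.algo not in RSA_ALGOS:
        return False, f"{c.kind} {c.keyid}: {name} is not FIPS-supported for PGP (use RSA)"
    if c.bits < MIN_FIPS_BITS:
        return False, f"{c.kind} {c.keyid}: RSA-{c.bits} is below the {MIN_FIPS_BITS}-bit minimum"
    return True, f"{c.kind} {c.keyid}: RSA-{c.bits} OK"


def parse_listing(text):
    """Group a --with-colons listing into primary keys with their first uid and subkeys."""
    groups = []
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sec"):
            groups.append({"uid": "", "components": [Component(rec, f[4], int(f[2]), int(f[3]))]})
        elif rec in ("sub", "ssb") and groups:
            groups[-1]["components"].append(Component(rec, f[4], int(f[2]), int(f[3])))
        elif rec == "uid" and groups and not groups[-1]["uid"]:
            groups[-1]["uid"] = f[9]   # user ID is field 10 of a uid record
    return groups


def audit_listing(text):
    """Produce one KeyReport per primary key; any failing component fails the whole key."""
    reports = []
    for g in parse_listing(text):
        primary = g["components"][0]
        reasons = [msg for c in g["components"] for ok, msg in [check_component(c)] if not ok]
        reports.append(KeyReport(primary.keyid, g["uid"], "FAIL" if reasons else "PASS", reasons))
    return reports


def system_key_size_check(bits):
    """Classify a protocol system key size per the Note above (page rules, not a FIPS-140 table)."""
    if bits < MIN_FIPS_BITS:
        return "not supported"
    if bits in (2048, 3072):
        return "creatable and usable"
    return "usable but not creatable"


def format_report(reports):
    lines = []
    for r in reports:
        lines.append(f"{r.status} {r.keyid} {r.uid}")
        lines.extend("    " + m for m in r.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_listing(SAMPLE_LISTING)))
    print("4096-bit system key:", system_key_size_check(4096))
```

On a real system, pipe `gpg --list-keys --with-colons` (or `--list-secret-keys` for private keys) into `audit_listing` and fix or disable every FAIL entry before enabling FIPS mode; then run the product's own "fips test" report as the authoritative check, since it also covers the protocol system keys that this script does not see.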