Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-39026

[RFE] warn if Argon2 usage is detected

XMLWordPrintable

    • crypto-policies-20240828-2.git626aa59.el9_5
    • 1
    • sst_security_crypto
    • ssg_security
    • 29
    • 1
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto24Q3
    • Approved Exception
    • Enhancement
    • Hide
      .`fips-mode-setup` checks for use of Argon2 KDF in open LUKS volumes before enabling FIPS mode

      The `fips-mode-setup` system management command now detects key derivation functions (KDF) used in currently open LUKS volumes, and aborts if it detects usage of Argon2 KDF. This is because Argon2 KDF is not FIPS-compatible, so preventing its use helps ensure FIPS compliance. As a result, switching into FIPS mode on a system with open LUKS volumes that use Argon2 as a KDF is blocked until those volumes are closed or converted to a different KDF.
      Show
      .`fips-mode-setup` checks for use of Argon2 KDF in open LUKS volumes before enabling FIPS mode The `fips-mode-setup` system management command now detects key derivation functions (KDF) used in currently open LUKS volumes, and aborts if it detects usage of Argon2 KDF. This is because Argon2 KDF is not FIPS-compatible, so preventing its use helps ensure FIPS compliance. As a result, switching into FIPS mode on a system with open LUKS volumes that use Argon2 as a KDF is blocked until those volumes are closed or converted to a different KDF.
    • Done
    • None

      If Argon2 is used as a KDF in LUKS, switching into FIPS mode will make a system unbootable starting from 9.5.

      It's thus desireable to detect this scenario and block the switch in this case.

            asosedki@redhat.com Alexander Sosedkin
            asosedki@redhat.com Alexander Sosedkin
            Alexander Sosedkin Alexander Sosedkin
            Ondrej Moris Ondrej Moris
            Jan Fiala Jan Fiala
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated: