Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-39026

[RFE] warn if Argon2 usage is detected

    • crypto-policies-20240828-2.git626aa59.el9_5
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 29
    • 1
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto24Q3
    • Approved Exception
    • Enhancement
    • Hide
      .`fips-mode-setup` checks for use of Argon2 KDF in open LUKS volumes before enabling FIPS mode

      The `fips-mode-setup` system management command now detects key derivation functions (KDF) used in currently open LUKS volumes, and aborts if it detects usage of Argon2 KDF. This is because Argon2 KDF is not FIPS-compatible, so preventing its use helps ensure FIPS compliance. As a result, switching into FIPS mode on a system with open LUKS volumes that use Argon2 as a KDF is blocked until those volumes are closed or converted to a different KDF.
      Show
      .`fips-mode-setup` checks for use of Argon2 KDF in open LUKS volumes before enabling FIPS mode The `fips-mode-setup` system management command now detects key derivation functions (KDF) used in currently open LUKS volumes, and aborts if it detects usage of Argon2 KDF. This is because Argon2 KDF is not FIPS-compatible, so preventing its use helps ensure FIPS compliance. As a result, switching into FIPS mode on a system with open LUKS volumes that use Argon2 as a KDF is blocked until those volumes are closed or converted to a different KDF.
    • Done
    • None

      If Argon2 is used as a KDF in LUKS, switching into FIPS mode will make a system unbootable starting from 9.5.

      It's thus desireable to detect this scenario and block the switch in this case.

              asosedki@redhat.com Alexander Sosedkin
              asosedki@redhat.com Alexander Sosedkin
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: