pgcrypto.fips
Enables support for Federal Information Processing Standard (FIPS) 140-2. For information about FIPS, see http://www.nist.gov/itl/fips.cfm
To enable FIPS 140-2 support for Greenplum Database, the following are required.
- The Greenplum Database pgcrypto package version 1.2 or later must be installed.
- If the value of pgcrypto.fips is set to on, the value of the parameter custom_variable_classes must contain pgcrypto.
When FIPS 140-2 support is enabled, these pgcrypto changes occur:
- FIPS mode is initialized in the OpenSSL library
- The functions digest() and hmac() allow only the SHA hash algorithms (MD5 is not allowed)
- The functions for crypt and gen_salt algorithms are disabled
- PGP encryption and decryption functions support only AES and 3DES encryption algorithms (other algorithms such as blowfish are not allowed)
- RAW encryption and decryption functions support only AES and 3DES (other algorithms such as blowfish are not allowed)
These gpconfig commands set the parameters to enable FIPS 140-2 support.
$ gpconfig -c custom_variable_classes -v pgcrypto --masteronly
$ gpconfig -c pgcrypto.fips -v on --masteronly
The value of the custom_variable_classes parameter is a comma-separated list of classes. For more than one class, the list is enclosed in single quotes. To check the value of the parameter, use gpconfig with the -s option to show the current value.
$ gpconfig -s custom_variable_classes
If the parameter is already set with custom classes, you can add pgcrypto. For example, if the value of custom_variable_classes is plr, this command adds pgcrypto.
$ gpconfig -c custom_variable_classes -v \'plr,pgcrypto\' --masteronly --skipvalidation
In the command, use a backslash (\) to escape the single quotes.
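Added example, not part of the Greenplum documentation: a shell helper that builds the new custom_variable_classes value from the current one (as reported by gpconfig -s) without dropping classes that are already set, then prints the matching gpconfig command in the form shown on this page. The function names merge_class and gpconfig_command are hypothetical, and the script only prints the command; it does not run gpconfig.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Greenplum.

# merge_class CURRENT NEW
# Print CURRENT (a comma-separated class list) with NEW appended,
# unless NEW is already listed. Runs in a subshell so variables stay local.
merge_class() (
    new="$2"
    out=""
    # Class names contain no whitespace, so strip it all before splitting.
    current=$(printf '%s' "$1" | tr -d '[:space:]')
    IFS=','
    set -f    # no filename expansion while splitting the list
    for item in $current; do
        if [ -z "$item" ]; then continue; fi      # skip empty entries
        case ",$out," in
            *",$item,"*) ;;                       # drop duplicates
            *) out="${out:+$out,}$item" ;;
        esac
    done
    case ",$out," in
        *",$new,"*) ;;                            # already present
        *) out="${out:+$out,}$new" ;;
    esac
    printf '%s\n' "$out"
)

# gpconfig_command VALUE
# Print the gpconfig command for VALUE. A list with more than one class is
# wrapped in backslash-escaped single quotes, as in the page's plr example.
gpconfig_command() {
    q="\\'"
    case "$1" in
        *,*) printf 'gpconfig -c custom_variable_classes -v %s%s%s --masteronly --skipvalidation\n' "$q" "$1" "$q" ;;
        *)   printf 'gpconfig -c custom_variable_classes -v %s --masteronly\n' "$1" ;;
    esac
}

# Constructed sample: the current value is plr, as in the example above.
gpconfig_command "$(merge_class 'plr' pgcrypto)"
```

Review the printed command before running it, and confirm the result afterwards with gpconfig -s custom_variable_classes.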
Value Range | Default | Set Classifications |
---|---|---|
Boolean | off | master system restart |