To enable FIPS 140-2 support for Greenplum Database, the following are required.

• The Greenplum Database pgcrypto package version 1.2 or later must be installed.
• If the value of pgcrypto.fips is set to on, the value of the parameter custom_variable_classes must contain pgcrypto.

When FIPS 140-2 support is enabled, these pgcrypto changes occur:

• FIPS mode is initialized in the OpenSSL library
• The functions digest() and hmac() allow only the SHA encryption algorithm (MD5 is not allowed)
• The functions for crypt and gen_salt algorithms are disabled
• PGP encryption and decryption functions support only AES and 3DES encryption algorithms (other algorithms such as blowfish are not allowed)
• RAW encryption and decryption functions support only AES and 3DES (other algorithms such as blowfish are not allowed)

These gpconfig commands set the parameters to enable FIPS 140-2 support.

$ gpconfig -c custom_variable_classes -v pgcrypto --masteronly
$ gpconfig -c pgcrypto.fips -v on --masteronly

The value of the custom_variable_classes parameter is a comma separated list of classes. For more than one class, the list is inclosed in single quotes. To check the value of the parameter use gpconfig with the -s option to show the current value.

$ gpconfig -s custom_variable_classes

If the parameter is already set with custom classes, you can add pgcrypto. For example, if the value of custom_variable_classes is plr, this command adds pgcrypto.

$ gpconfig -c custom_variable_classes -v \'plr,pgcrypto\' --masteronly  
   --skipvalidation