Encryption and FIPS 140 certification

The FIPS140mode attribute of the mmchconfig command enables or disables the use of FIPS 140 certified cryptography in encrypted communications between nodes and in file encryption.

Important: IBM Storage Scale uses IBM® Global Security Kit (GSKit) as the underlying cryptographic engine. In July 2022, the GSKit FIPS 140 certificate status was changed to historical.

The FIPS140mode attribute controls whether the cryptographic security mechanisms that IBM Storage Scale uses (if the administrator chooses to use them at all) are provided by software modules that are certified according to the requirements and standards of the Federal Information Processing Standards (FIPS) 140 Publication Series. When FIPS 140 mode is enabled, IBM Storage Scale uses the FIPS 140 approved cryptographic provider IBM Crypto for C (ICC) (certificate 3064). The certificate is listed on the NIST website.

To enable FIPS 140 mode, issue the following command:
mmchconfig FIPS140mode=yes
To disable FIPS 140 mode, issue the following command:
mmchconfig FIPS140mode=no
When it is enabled, FIPS 140 mode applies only to the following two features of IBM Storage Scale:
  • Encryption and decryption of file data when it is transmitted between nodes in the current cluster or between a node in the current cluster and a node in another cluster. To enable this feature, issue the following command:
    mmchconfig cipherList=SupportedCipher
    where SupportedCipher is a cipher that is supported by IBM Storage Scale, such as AES128-GCM-SHA256. For more information, see the following topics:

  • Encryption of file data as it is written to storage media and decryption of file data as it is read from storage media. For more information about file data encryption, see the following section of the documentation:
    • Encryption.
      Note: For performance reasons, do not enable FIPS 140 mode unless all the nodes in the cluster are running FIPS-certified kernels in FIPS mode. This note applies only to encryption of file data as it is written to storage media and decryption of file data as it is read from storage media; it does not apply to encryption and decryption of file data while it is transmitted between nodes.
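
The two preconditions above (every node running a kernel in FIPS mode before FIPS140mode=yes is set, and a cipherList that actually encrypts so that FIPS 140 mode governs node-to-node traffic) can be checked before changing the configuration. The following added example script is not part of the IBM Storage Scale documentation or product; it assumes that the per-node kernel state is gathered from /proc/sys/crypto/fips_enabled into a "node value" list, that mmlsconfig prints one "attribute value" pair per line, and that AUTHONLY and EMPTY are the authenticate-only cipherList values; the sample data is constructed.

```shell
#!/bin/sh
# Pre-check before issuing "mmchconfig FIPS140mode=yes".

# $1: file of "<node> <fips_enabled>" lines, one per node. ASSUMPTION: the
# values were read from /proc/sys/crypto/fips_enabled on each node.
# Returns 0 when every node reports 1; otherwise lists offenders on stderr
# and returns 1.
all_kernels_fips() {
  awk '
    NF != 2   { print "malformed line: " $0 > "/dev/stderr"; bad++; next }
    $2 != "1" { print "kernel not in FIPS mode on " $1 > "/dev/stderr"; bad++ }
    END       { exit (bad ? 1 : 0) }
  ' "$1"
}

# $1: file holding mmlsconfig output. ASSUMPTION: "attribute value" lines,
# e.g. "cipherList AES128-GCM-SHA256". Prints "yes" only when FIPS140mode is
# yes AND cipherList is a real cipher, not the authenticate-only AUTHONLY/EMPTY.
transit_encryption_in_fips_mode() {
  awk '
    $1 == "FIPS140mode" { fips = $2 }
    $1 == "cipherList"  { cipher = $2 }
    END {
      if (fips == "yes" && cipher != "" && cipher != "AUTHONLY" && cipher != "EMPTY")
        print "yes"
      else
        print "no"
    }
  ' "$1"
}

# Constructed sample input: one client node still on a non-FIPS kernel, and a
# cluster whose cipherList only authenticates.
cat > /tmp/fips_nodes.txt <<'EOF'
nsd01 1
nsd02 1
client01 0
EOF
cat > /tmp/mmlsconfig.txt <<'EOF'
Configuration data for cluster demo.example.com:
FIPS140mode yes
cipherList AUTHONLY
EOF

if all_kernels_fips /tmp/fips_nodes.txt; then
  echo "all kernels in FIPS mode: safe to set FIPS140mode=yes"
else
  echo "do not set FIPS140mode=yes until every node runs a FIPS kernel"
fi
echo "node-to-node encryption under FIPS 140: $(transit_encryption_in_fips_mode /tmp/mmlsconfig.txt)"
```

With the sample data the script reports client01 and prints "no", because AUTHONLY leaves traffic unencrypted regardless of FIPS140mode.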

FIPS 140 mode does not apply to other components of IBM Storage Scale that use encryption, such as object encryption.

For more information, see mmchconfig command.

Limitation in IBM Storage Scale 4.2.0 and earlier with POWER8, little-endian

In IBM Storage Scale 4.2.0 and earlier, in a POWER8, little-endian environment, the setting FIPS140mode=no is required for the following operations:
  • File encryption
  • Secure communications between nodes. For more information, see the following descriptions in the IBM Storage Scale: Command and Programming Reference:
    • The -l Cipherlist parameter of the mmauth command
    • The cipherList parameter of the mmchconfig command
  • CCR enablement. For more information, see the following descriptions in the IBM Storage Scale: Command and Programming Reference:
    • The --ccr-enable parameter of the mmchcluster command
    • The --ccr-enable parameter of the mmcrcluster command