2.6 How to enable the FIPS mode

Libgcrypt may be used in a FIPS 140-3 mode. Note, that this does not necessary mean that Libcgrypt is an appoved FIPS 140-3 module. Check the NIST database at http://csrc.nist.gov/groups/STM/cmvp/ to see what versions of Libgcrypt are approved.

Because FIPS 140 has certain restrictions on the use of cryptography which are not always wanted, Libgcrypt needs to be put into FIPS mode explicitly. Four alternative mechanisms are provided to switch Libgcrypt into this mode:

• If the file /proc/sys/crypto/fips_enabled exists and contains a numeric value other than 0, Libgcrypt is put into FIPS mode at initialization time. Obviously this works only on systems with a proc file system (i.e. GNU/Linux).
• If the file /etc/gcrypt/fips_enabled exists, Libgcrypt is put into FIPS mode at initialization time. Note that this filename is hardwired and does not depend on any configuration options.
• By setting the environment variable LIBGCRYPT_FORCE_FIPS_MODE, Libgcrypt is put into FIPS mode at initialization time.
• If the application requests FIPS mode using the control command GCRYCTL_FORCE_FIPS_MODE. This must be done prior to any initialization (i.e. before gcry_check_version).