pgcrypto.fips

Enables support for Federal Information Processing Standard (FIPS) 140-2. For information about FIPS, see http://www.nist.gov/itl/fips.cfm

To enable FIPS 140-2 support for Greenplum Database, the following are required.
  • The Greenplum Database pgcrypto package version 1.2 or later must be installed.
  • If the value of pgcrypto.fips is set to on, the value of the parameter custom_variable_classes must contain pgcrypto.
When FIPS 140-2 support is enabled, these pgcrypto changes occur:
  • FIPS mode is initialized in the OpenSSL library
  • The functions digest() and hmac() allow only SHA hash algorithms (MD5 is not allowed)
  • The functions for crypt and gen_salt algorithms are disabled
  • PGP encryption and decryption functions support only AES and 3DES encryption algorithms (other algorithms such as blowfish are not allowed)
  • RAW encryption and decryption functions support only AES and 3DES (other algorithms such as blowfish are not allowed)
These gpconfig commands set the parameters to enable FIPS 140-2 support.
$ gpconfig -c custom_variable_classes -v pgcrypto --masteronly
$ gpconfig -c pgcrypto.fips -v on --masteronly
The value of the custom_variable_classes parameter is a comma-separated list of classes. For more than one class, the list is enclosed in single quotes. To check the current value of the parameter, use gpconfig with the -s option.
$ gpconfig -s custom_variable_classes
If the parameter is already set with custom classes, you can add pgcrypto. For example, if the value of custom_variable_classes is plr, this command adds pgcrypto.
$ gpconfig -c custom_variable_classes -v \'plr,pgcrypto\' --masteronly --skipvalidation

In the command, use a backslash (\) to escape the single quotes.
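
The procedure above as an added example, not part of the Greenplum documentation: it merges pgcrypto into an existing custom_variable_classes value without duplicating or dropping classes, then prints the gpconfig commands in the form shown on this page instead of running them. The function names (merge_class, classes_cmd, fips_plan) and the sample values are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Greenplum code: prints (does not run) the gpconfig
# commands for enabling pgcrypto.fips. Function names are hypothetical.

# merge_class CURRENT NEW: print CURRENT with NEW appended unless an entry
# already equals NEW exactly. CURRENT is the comma-separated list reported by
# `gpconfig -s custom_variable_classes` and may be empty.
merge_class() (
    new=$2
    # Class names contain no whitespace, so drop it all before splitting.
    current=$(printf '%s' "$1" | tr -d '[:space:]')
    out='' found=0
    set -f      # no filename expansion while splitting on commas
    IFS=,
    for item in $current; do
        if [ -z "$item" ]; then continue; fi
        if [ "$item" = "$new" ]; then found=1; fi
        out="${out:+$out,}$item"
    done
    if [ "$found" -eq 0 ]; then out="${out:+$out,}$new"; fi
    printf '%s\n' "$out"
)

# classes_cmd VALUE: print the command in the form the page uses. A list of
# more than one class goes inside backslash-escaped single quotes.
classes_cmd() {
    q="\\'"
    case $1 in
        *,*) printf 'gpconfig -c custom_variable_classes -v %s%s%s --masteronly --skipvalidation\n' "$q" "$1" "$q" ;;
        *)   printf 'gpconfig -c custom_variable_classes -v %s --masteronly\n' "$1" ;;
    esac
}

# fips_plan CURRENT: both commands, in the order the page gives them.
fips_plan() {
    classes_cmd "$(merge_class "$1" pgcrypto)"
    printf '%s\n' 'gpconfig -c pgcrypto.fips -v on --masteronly'
}

# Constructed sample values for the current setting.
for current in '' 'plr' 'plr, pgcrypto'; do
    printf '# custom_variable_classes currently: "%s"\n' "$current"
    fips_plan "$current"
done
```

The parameter is classified as restart, so the printed commands take effect only after Greenplum Database is restarted.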

Value Range: Boolean
Default: off
Set Classifications: master, system, restart