FIPS-compliant InfluxDB Enterprise v1 builds - Influxdb

InfluxDB Enterprise 1.11+ provides builds that are compliant with Federal Information Processing Standards (FIPS). This page provides information on installing and using FIPS-compliant builds of InfluxDB Enterprise.

Installation
Caveats and known issues
Security

Installation

For new InfluxDB Enterprise clusters:
- Follow the regular InfluxDB Enterprise installation instructions using the FIPS-compliant packages.
- Ensure that your meta and data node configuration files use a FIPS-compliant password hash that conforms to NIST SP 800 and OWASP guidelines. In both meta and data node configuration files, set [meta].password-hash to either pbkdf2-sha256 or pbkdf2-sha512. Non-FIPS-compliant password hash configurations, like bcrypt, cause FIPS-compliant InfluxDB Enterprise builds to return an error on startup.
Enable FIPS on an existing InfluxDB Enterprise cluster:
- Change the password hash from the non-FIPS-compliant default of bcrypt to a FIPS-compliant password hash (pbkdf2-sha256 or pbkdf2-sha512), then restart all nodes.
- Change passwords on at least one admin account. Any users with passwords that have not been updated will no longer work once FIPS-compliance is enabled.
- Follow the process to upgrade a cluster, except use the FIPS-compliant packages.

{{% note %}} Please report any errors encountered when upgrading from a non-FIPS-compliant InfluxDB Enterprise build to FIPS-compliant build to InfluxData support. {{% /note %}}

You must use a local license file

When using a FIPS-compliant build of InfluxDB Enterprise, you must use a local license file. License keys do not work in FIPS mode. Contact InfluxData support to request the license file. The [enterprise] section of your data and meta node configuration files contains the settings that registered each node with the InfluxDB Enterprise license portal.

In your data and meta node configuration files:

Update the [enterprise].license-path setting to point to your local license file.
Remove or comment out the [enterprise].license-key setting.

Flux data source restrictions

Flux queries that query or write to MSSQL, SQLServer, or Snowflake using sql.from or sql.to are not supported.

Disabled InfluxDB Insights monitoring

InfluxDB Insights monitoring has not been validated as compatible with FIPS-compliance in InfluxDB Enterprise and is not available when using a FIPS-compliant InfluxDB Enterprise build.

Only amd64 (x86) architectures

FIPS-compliant InfluxDB Enterprise builds only support the amd64 architecture.

Security

To comply with FIPS standards, the following security practices are applied to FIPS-compliant InfluxDB Enterprise builds:

BoringCrypto cryptography library
TLS
Digital signatures
RSA key size
Elliptic-curve cryptography

BoringCrypto cryptography library

InfluxDB Enterprise FIPS-compliant builds use the FIPS-validated BoringCrypto cryptography library.

TLS

As mandated by FIPS, TLS uses a restricted set of functionality:

TLS 1.2 only
TLS only supports the following cipher suites:
- ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- RSA_WITH_AES_128_GCM_SHA256
- RSA_WITH_AES_256_GCM_SHA384

Digital signatures

As mandated by FIPS, supported digital signatures are limited to the following signature algorithms:

PSSWithSHA256
PSSWithSHA384
PSSWithSHA512
PKCS1WithSHA256
ECDSAWithP256AndSHA256
PKCS1WithSHA384
ECDSAWithP384AndSHA384
PKCS1WithSHA512
ECDSAWithP521AndSHA512

{{% note %}} Digital signature restrictions apply to TLS certificates. {{% /note %}}

RSA key size

As mandated by FIPS, RSA keys are restricted to the following sizes:

2048
3072

{{% note %}} RSA key size restrictions apply to TLS certificates. {{% /note %}}

Elliptic-curve cryptography

As mandated by FIPS, supported elliptic-curve (EC) cryptography curves are restricted to the following:

P-256
P-384
P-521

{{% note %}} EC curve restrictions apply to TLS certificates. {{% /note %}}