--- title: FIPS-compliant InfluxDB Enterprise v1 builds description: InfluxDB Enterprise v1.11+ provides builds that are compliant with Federal Information Processing Standards (FIPS). url: https://docs.influxdata.com/enterprise_influxdb/v1/introduction/installation/fips-compliant/ estimated_tokens: 1452 publisher: InfluxData canonical: https://docs.influxdata.com/enterprise_influxdb/v1/introduction/installation/fips-compliant/ date: '2025-10-24T12:52:47-05:00' lastmod: '2025-10-24T12:52:47-05:00' --- InfluxDB Enterprise 1.11+ provides builds that are compliant with[Federal Information Processing Standards (FIPS)](https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips). This page provides information on installing and using FIPS-compliant builds of InfluxDB Enterprise. * [Installation](#installation) * [Caveats and known issues](#caveats-and-known-issues) * [You must use a local license file](#you-must-use-a-local-license-file) * [Flux data source restrictions](#flux-data-source-restrictions) * [Disabled InfluxDB Insights monitoring](#disabled-influxdb-insights-monitoring) * [Only amd64 (x86) architectures](#only-amd64-x86-architectures) * [Security](#security) * [BoringCrypto cryptography library](#boringcrypto-cryptography-library) * [TLS](#tls) * [Digital signatures](#digital-signatures) * [RSA key size](#rsa-key-size) * [Elliptic-curve cryptography](#elliptic-curve-cryptography) ## Installation * **For new InfluxDB Enterprise clusters**: * Follow the regular [InfluxDB Enterprise installation instructions](/enterprise_influxdb/v1/introduction/installation/)using the FIPS-compliant packages. * Ensure that your meta and data node configuration files use a FIPS-compliant password hash that conforms to[NIST SP 800](https://www.nist.gov/itl/publications-0/nist-special-publication-800-series-general-information)and [OWASP](https://owasp.org/) guidelines. In both meta and data node configuration files, set `[meta].password-hash` to either `pbkdf2-sha256` or `pbkdf2-sha512`. Non-FIPS-compliant password hash configurations, like `bcrypt`, cause FIPS-compliant InfluxDB Enterprise builds to return an error on startup. * **Enable FIPS on an *existing* InfluxDB Enterprise cluster**: * Change the password hash from the non-FIPS-compliant default of `bcrypt` to a FIPS-compliant password hash (`pbkdf2-sha256` or `pbkdf2-sha512`), then restart all nodes. * Change passwords on at least one admin account. Any users with passwords that have not been updated will no longer work once FIPS-compliance is enabled. * Follow the process to upgrade a cluster, except use the FIPS-compliant packages. > [!Note] > Please report any errors encountered when upgrading from a non-FIPS-compliant > InfluxDB Enterprise build to FIPS-compliant build to [InfluxData support](https://support.influxdata.com). ## Caveats and known issues * [You must use a local license file](#you-must-use-a-local-license-file) * [Flux data source restrictions](#flux-data-source-restrictions) * [Disabled InfluxDB Insights monitoring](#disabled-influxdb-insights-monitoring) * [Only amd64 (x86) architectures](#only-amd64-x86-architectures) ### You must use a local license file When using a FIPS-compliant build of InfluxDB Enterprise,**you must use a local license file**. License keys do not work in FIPS mode.[Contact InfluxData support](https://support.influxdata.com) to request the license file. The `[enterprise]` section of your data and meta node configuration files contains the settings that registered each node with the InfluxDB Enterprise license portal. **In your data and meta node configuration files:** 1. Update the [`[enterprise].license-path` setting](/enterprise_influxdb/v1/administration/configure/config-data-nodes/#license-path)to point to your local license file. 2. Remove or comment out the `[enterprise].license-key` setting. ### Flux data source restrictions Flux queries that query or write to MSSQL, SQLServer, or Snowflake using[`sql.from`](/flux/v0/stdlib/sql/from/) or [`sql.to`](/flux/v0/stdlib/sql/to/)are not supported. ### Disabled InfluxDB Insights monitoring [InfluxDB Insights monitoring](https://www.influxdata.com/products/influxdb-insights/)has not been validated as compatible with FIPS-compliance in InfluxDB Enterprise and is not available when using a FIPS-compliant InfluxDB Enterprise build. ### Only amd64 (x86) architectures FIPS-compliant InfluxDB Enterprise builds only support the amd64 architecture. ## Security To comply with FIPS standards, the following security practices are applied to FIPS-compliant InfluxDB Enterprise builds: * [BoringCrypto cryptography library](#boringcrypto-cryptography-library) * [TLS](#tls) * [Digital signatures](#digital-signatures) * [RSA key size](#rsa-key-size) * [Elliptic-curve cryptography](#elliptic-curve-cryptography) ### BoringCrypto cryptography library InfluxDB Enterprise FIPS-compliant builds use the FIPS-validated[BoringCrypto cryptography library](https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md). ### TLS As mandated by FIPS, TLS uses a restricted set of functionality: * TLS 1.2 only * TLS only supports the following cipher suites: * ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 * ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 * ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 * ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 * RSA\_WITH\_AES\_128\_GCM\_SHA256 * RSA\_WITH\_AES\_256\_GCM\_SHA384 ### Digital signatures As mandated by FIPS, supported digital signatures are limited to the following signature algorithms: * PSSWithSHA256 * PSSWithSHA384 * PSSWithSHA512 * PKCS1WithSHA256 * ECDSAWithP256AndSHA256 * PKCS1WithSHA384 * ECDSAWithP384AndSHA384 * PKCS1WithSHA512 * ECDSAWithP521AndSHA512 > [!Note] > Digital signature restrictions apply to TLS certificates. ### RSA key size As mandated by FIPS, RSA keys are restricted to the following sizes: * 2048 * 3072 > [!Note] > RSA key size restrictions apply to TLS certificates. ### Elliptic-curve cryptography As mandated by FIPS, supported elliptic-curve (EC) cryptography curves are restricted to the following: * P-256 * P-384 * P-521 EC curve restrictions apply to TLS certificates.