--- title: FIPS-compliant InfluxDB Enterprise v1 builds description: InfluxDB Enterprise v1.11+ provides builds that are compliant with Federal Information Processing Standards (FIPS). url: https://docs.influxdata.com/enterprise_influxdb/v1/introduction/installation/fips-compliant/ estimated_tokens: 1827 product: InfluxDB Enterprise v1 version: v1 --- # FIPS-compliant InfluxDB Enterprise v1 builds InfluxDB Enterprise 1.11+ provides builds that are compliant with [Federal Information Processing Standards (FIPS)](https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips). This page provides information on installing and using FIPS-compliant builds of InfluxDB Enterprise. - [Installation](#installation) - [Caveats and known issues](#caveats-and-known-issues) - [You must use a local license file](#you-must-use-a-local-license-file) - [Flux data source restrictions](#flux-data-source-restrictions) - [Disabled InfluxDB Insights monitoring](#disabled-influxdb-insights-monitoring) - [Only amd64 (x86) architectures](#only-amd64-x86-architectures) - [Security](#security) - [BoringCrypto cryptography library](#boringcrypto-cryptography-library) - [TLS](#tls) - [Digital signatures](#digital-signatures) - [RSA key size](#rsa-key-size) - [Elliptic-curve cryptography](#elliptic-curve-cryptography) ## Installation - **For new InfluxDB Enterprise clusters**: - Follow the regular [InfluxDB Enterprise installation instructions](/enterprise_influxdb/v1/introduction/installation/) using the FIPS-compliant packages. - Ensure that your meta and data node configuration files use a FIPS-compliant password hash that conforms to [NIST SP 800](https://www.nist.gov/itl/publications-0/nist-special-publication-800-series-general-information) and [OWASP](https://owasp.org/) guidelines. In both meta and data node configuration files, set `[meta].password-hash` to either `pbkdf2-sha256` or `pbkdf2-sha512`. Non-FIPS-compliant password hash configurations, like `bcrypt`, cause FIPS-compliant InfluxDB Enterprise builds to return an error on startup. - **Enable FIPS on an *existing* InfluxDB Enterprise cluster**: - Change the password hash from the non-FIPS-compliant default of `bcrypt` to a FIPS-compliant password hash (`pbkdf2-sha256` or `pbkdf2-sha512`), then restart all nodes. - Change passwords on at least one admin account. Any users with passwords that have not been updated will no longer work once FIPS-compliance is enabled. - Follow the process to upgrade a cluster, except use the FIPS-compliant packages. Please report any errors encountered when upgrading from a non-FIPS-compliant InfluxDB Enterprise build to FIPS-compliant build to [InfluxData support](https://support.influxdata.com). ## Caveats and known issues - [You must use a local license file](#you-must-use-a-local-license-file) - [Flux data source restrictions](#flux-data-source-restrictions) - [Disabled InfluxDB Insights monitoring](#disabled-influxdb-insights-monitoring) - [Only amd64 (x86) architectures](#only-amd64-x86-architectures) ### You must use a local license file When using a FIPS-compliant build of InfluxDB Enterprise, **you must use a local license file**. License keys do not work in FIPS mode. [Contact InfluxData support](https://support.influxdata.com) to request the license file. The `[enterprise]` section of your data and meta node configuration files contains the settings that registered each node with the InfluxDB Enterprise license portal. **In your data and meta node configuration files:** 1. Update the [`[enterprise].license-path` setting](/enterprise_influxdb/v1/administration/configure/config-data-nodes/#license-path) to point to your local license file. 2. Remove or comment out the `[enterprise].license-key` setting. ### Flux data source restrictions Flux queries that query or write to MSSQL, SQLServer, or Snowflake using [`sql.from`](/flux/v0/stdlib/sql/from/) or [`sql.to`](/flux/v0/stdlib/sql/to/) are not supported. ### Disabled InfluxDB Insights monitoring [InfluxDB Insights monitoring](https://www.influxdata.com/products/influxdb-insights/) has not been validated as compatible with FIPS-compliance in InfluxDB Enterprise and is not available when using a FIPS-compliant InfluxDB Enterprise build. ### Only amd64 (x86) architectures FIPS-compliant InfluxDB Enterprise builds only support the amd64 architecture. ## Security To comply with FIPS standards, the following security practices are applied to FIPS-compliant InfluxDB Enterprise builds: - [BoringCrypto cryptography library](#boringcrypto-cryptography-library) - [TLS](#tls) - [Digital signatures](#digital-signatures) - [RSA key size](#rsa-key-size) - [Elliptic-curve cryptography](#elliptic-curve-cryptography) ### BoringCrypto cryptography library InfluxDB Enterprise FIPS-compliant builds use the FIPS-validated [BoringCrypto cryptography library](https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md). ### TLS As mandated by FIPS, TLS uses a restricted set of functionality: - TLS 1.2 only - TLS only supports the following cipher suites: - ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 - ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 - ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 - ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 - RSA\_WITH\_AES\_128\_GCM\_SHA256 - RSA\_WITH\_AES\_256\_GCM\_SHA384 ### Digital signatures As mandated by FIPS, supported digital signatures are limited to the following signature algorithms: - PSSWithSHA256 - PSSWithSHA384 - PSSWithSHA512 - PKCS1WithSHA256 - ECDSAWithP256AndSHA256 - PKCS1WithSHA384 - ECDSAWithP384AndSHA384 - PKCS1WithSHA512 - ECDSAWithP521AndSHA512 Digital signature restrictions apply to TLS certificates. ### RSA key size As mandated by FIPS, RSA keys are restricted to the following sizes: - 2048 - 3072 RSA key size restrictions apply to TLS certificates. ### Elliptic-curve cryptography As mandated by FIPS, supported elliptic-curve (EC) cryptography curves are restricted to the following: - P-256 - P-384 - P-521 EC curve restrictions apply to TLS certificates.