Enable FIPS mode with PGP Command Line Permanently

Article ID: 267847

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

PGP Command Line for Windows has the capability to run in FIPS mode.

NOTE: This functionality is not available for any Unix servers running PGP Command Line currently.

There are two methods to run in FIPS mode:

Method 1: Per Command (Using --fips for each command)

Method 2: Permanently (Using an environment variable in the operating system)

This article will go over both methods and some examples for each operating system. 

Resolution

PGP Command Line FIPS Mode Individually (Per Command)

If you need to use FIPS mode when running a command, add "--fips" to the end of that command. FIPS mode then applies only to the commands that carry the flag.

When you run a command in FIPS mode, the following message will appear:

"Warning: PGPsdk running in FIPS mode."

 

For example, to generate a PGP Key with PGP Command Line while in FIPS mode, run the following:

pgp --gen-key "JoeFIPS" --key-type RSA --bits 4096 --passphrase "passphrase here" --fips

 

When this command is run, the following would appear:

Command 1:

pgp --gen-key "JoeFIPS" --key-type rsa --bits 4096 --passphrase "JoeFIPS" --fips
Warning: PGPsdk running in FIPS mode.
JoeFIPS:generate key (2078:non-standard user ID)
Acquiring entropy from system state....done
Generating key JoeFIPS
progress.....................**** ...............**** done
0xF9D078F5:generate key (0:key successfully generated)
Acquiring entropy from system state....done
Generating subkey
progress...**** ....................................................................................................................................................................***** done
0xBAE71D5F:generate key (0:subkey successfully generated)

 

Command 2:

pgp --list --fips
Warning: PGPsdk running in FIPS mode.
 Alg  Type Size/Type Flags   Key ID     User ID
----- ---- --------- ------- ---------- -------
*RSA4 pair 4096/4096 [VI---] 0xF9D078F5 JoeFIPS
1 keys found

 

The FIPS functionality can be applied only to Windows operating systems. To have this available for Linux/AIX/HPUX or macOS, please reach out to Symantec Encryption Support for further guidance.

 

Enable FIPS Mode for Windows systems

Note: FIPS Mode is not supported on Linux, macOS, AIX, or HPUX Operating Systems.

To enable FIPS mode permanently on Windows systems, the easiest approach is to add an environment variable.

To do so, open the Advanced Settings on your Windows system.

Then click the "Environment Variables" button, and click "New" under System variables.

Enter "PGP_FIPS_MODE" for the "Variable name" and "True" for the variable value.

Validate PGP Command Line is running in FIPS Mode

Once this has been entered, reboot the system and run the following command to validate that FIPS mode is now permanently enabled:

pgp --list 

If the PGP Command Line is running in FIPS mode, the following message will be seen:

C:\Users\JoeFIPS>pgp --list
Warning: PGPsdk running in FIPS mode.
 Alg  Type Size/Type Flags   Key ID     User ID
----- ---- --------- ------- ---------- -------
*RSA4 pair 4096/4096 [VI---] 0xF9D078F5 JoeFIPS
1 keys found

 

If the above is still not working, or you would like to enable FIPS mode in Linux/AIX/macOS, please reach out to Symantec Encryption Support for further guidance and mention this article.
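
The same setting and validation can be scripted for repeatable deployment and compliance checks. The following PowerShell is an added example, not part of the original article or the vendor's tooling; it assumes an elevated session and that pgp.exe is on PATH, and the function names Set-PgpFipsMode and Test-PgpFipsMode are hypothetical.

```powershell
# Added example (not vendor code). Run elevated; assumes pgp.exe is on PATH.
$Name   = 'PGP_FIPS_MODE'                          # variable name from the article
$Value  = 'True'                                   # value from the article
$Banner = 'Warning: PGPsdk running in FIPS mode.'  # banner text from the article

function Set-PgpFipsMode {
    # Machine scope corresponds to the "System variables" list in the GUI steps.
    [Environment]::SetEnvironmentVariable($Name, $Value, 'Machine')
    Write-Host "$Name=$Value set at machine scope. Reboot before validating."
}

function Test-PgpFipsMode {
    $ok = $true

    # 1. The system variable must hold the article's value. The article does not
    #    say whether other spellings are accepted, so compare case-sensitively.
    $machine = [Environment]::GetEnvironmentVariable($Name, 'Machine')
    if ($machine -cne $Value) {
        Write-Warning "Machine-scope $Name is '$machine', expected '$Value'."
        $ok = $false
    }

    # 2. On Windows a user-scope variable with the same name overrides the
    #    system one for that user's processes, so flag a conflicting value.
    $user = [Environment]::GetEnvironmentVariable($Name, 'User')
    if ($null -ne $user -and $user -cne $Value) {
        Write-Warning "User-scope $Name is '$user' and overrides the system value."
        $ok = $false
    }

    # 3. Run "pgp --list" without --fips and look for the banner. Both streams
    #    are merged because the article does not say which one carries it.
    $lines = & pgp --list 2>&1 | ForEach-Object { "$_" }
    if (-not ($lines -join "`n").Contains($Banner)) {
        Write-Warning "FIPS banner not found in 'pgp --list' output."
        $ok = $false
    }
    return $ok
}

# Usage: run Set-PgpFipsMode, reboot, then in a new session:
#   if (-not (Test-PgpFipsMode)) { exit 1 }
```

Run the check under the same account that runs your PGP jobs (for example a service or scheduled-task account), since the user-scope lookup in step 2 is per account.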

EPG-31894
IMSFR-23

Additional Information

180118 - HOW TO: Use PGP Command Line to Create and Manage PGP Keys

180234 - HOW TO: License PGP Command Line 10.x

153244 - HOW TO: Set the PGP_HOME_DIR variable for PGP Command Line

158454 - Using PGP Command Line

263777 - Setting Preferred Key Attributes (Cipher, Hash, Compression) with PGP Command Line

 

178330 - FIPS 140-2 certification status for the PGP product line cryptographic module

150141 - FIPS 140-2 certification status for the Symantec Endpoint Encryption 11 cryptographic module

267847 - Enable FIPS mode with PGP Command Line Permanently