Enable FIPS mode with PGP Command Line Permanently

Products

Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

PGP Command Line for Windows has the capability to run in FIPS mode.

NOTE: This functionality is not available for any Unix servers running PGP Command Line currently.

There are two methods to run in FIPS mode:

Method 1: Per Command (Using --fips for each command)

Method 2: Permanently (Using an environment variable in the operating system)

This article will go over both methods and some examples for each operating system.

Resolution

PGP Command Line FIPS Mode Individually (Per Command)

If you need use "FIPS" mode running any of the commands, simply add "--fips" to the end of each of those commands and the FIPS mode will apply to the commands individually.

When you run a command in FIPS mode, the following message will appear:

"Warning: PGPsdk running in FIPS mode."

For example, to generate a PGP Key with PGP Command Line while in FIPS mode, run the following:

pgp --gen-key "JoeFIPS" --key-type RSA --bits 4096 --passphrase "passphrase here" --fips

When this command is run, the following would appear:

Command 1:

pgp --gen-key "JoeFIPS" --key-type rsa --bits 4096 --passphrase "JoeFIPS" --fips
Warning: PGPsdk running in FIPS mode.
JoeFIPS:generate key (2078:non-standard user ID)
Acquiring entropy from system state....done
Generating key JoeFIPS
progress.....................**** ...............**** done
0xF9D078F5:generate key (0:key successfully generated)
Acquiring entropy from system state....done
Generating subkey
progress...**** ....................................................................................................................................................................***** done
0xBAE71D5F:generate key (0:subkey successfully generated)

Command 2:

pgp --list --fips
Warning: PGPsdk running in FIPS mode.
Alg Type Size/Type Flags Key ID User ID
----- ---- --------- ------- ---------- -------
*RSA4 pair 4096/4096 [VI---] 0xF9D078F5 JoeFIPS
1 keys found

The FIPS functionality can be applied to only Windows operation systems. To have this available for Linux/AIX/HPUX or macOS, please reach out to Symantec Encryption Support for further guidance.

Enable FIPS Mode for Windows systems

Note: FIPS Mode is not supported on Linux, macOS, AIX, or HPUX Operating Systems.

In order to enable FIPS mode on Windows systems permanently, it is easiest to add an "Environmental Variable".

To do so, open up your Advanced Settings on your Windows system:

Then click on the "Environment Variables" button (above), and click on "New" under System variable (below).

Enter "PGP_FIPS_MODE" for the "Variable name", and "True" for the variable value:

Validate PGP Command Line is running in FIPS Mode
Once this has been entered, reboot the system and run the following command to validate that FIPS mode is now permanently enabled:

pgp --list

If the PGP Command Line is running in FIPS mode, the following message will be seen:

C:\Users\JoeFIPS>pgp --list
Warning: PGPsdk running in FIPS mode.
Alg Type Size/Type Flags Key ID User ID
----- ---- --------- ------- ---------- -------
*RSA4 pair 4096/4096 [VI---] 0xF9D078F5 JoeFIPS
1 keys found

If the above is still not working, or you would like to enable FIPS mode in Linux/AIX/macOS, please reach out to Symantec Encryption Support for further guidance and mention this article.

EPG-31894
IMSFR-23