PGP Command Line for Windows has the capability to run in FIPS mode.
NOTE: This functionality is not available for any Unix servers running PGP Command Line currently.
There are two methods to run in FIPS mode:
Method 1: Per Command (Using --fips for each command)
Method 2: Permanently (Using an environment variable in the operating system)
This article will go over both methods and some examples for each operating system.
PGP Command Line FIPS Mode Individually (Per Command)
If you need to use FIPS mode for any individual command, simply add "--fips" to the end of that command; FIPS mode then applies to that command only.
When you run a command in FIPS mode, the following message will appear:
"Warning: PGPsdk running in FIPS mode."
For example, to generate a PGP Key with PGP Command Line while in FIPS mode, run the following:
pgp --gen-key "JoeFIPS" --key-type RSA --bits 4096 --passphrase "passphrase here" --fips
When this command is run, the following would appear:
Command 1:
pgp --gen-key "JoeFIPS" --key-type rsa --bits 4096 --passphrase "JoeFIPS" --fips
Warning: PGPsdk running in FIPS mode.
JoeFIPS:generate key (2078:non-standard user ID)
Acquiring entropy from system state....done
Generating key JoeFIPS
progress.....................**** ...............**** done
0xF9D078F5:generate key (0:key successfully generated)
Acquiring entropy from system state....done
Generating subkey
progress...**** ....................................................................................................................................................................***** done
0xBAE71D5F:generate key (0:subkey successfully generated)
Command 2:
pgp --list --fips
Warning: PGPsdk running in FIPS mode.
Alg Type Size/Type Flags Key ID User ID
----- ---- --------- ------- ---------- -------
*RSA4 pair 4096/4096 [VI---] 0xF9D078F5 JoeFIPS
1 keys found
The FIPS functionality can be applied only on Windows operating systems. To have this available for Linux/AIX/HPUX or macOS, please reach out to Symantec Encryption Support for further guidance.
Note: FIPS Mode is not supported on Linux, macOS, AIX, or HPUX Operating Systems.
In order to enable FIPS mode on Windows systems permanently, it is easiest to add an "Environment Variable".
To do so, open Advanced system settings on your Windows system, click the "Environment Variables" button, and then click "New" under "System variables".
Enter "PGP_FIPS_MODE" for the "Variable name", and "True" for the variable value:
Validate PGP Command Line is running in FIPS Mode
Once this has been entered, reboot the system and run the following command to validate that FIPS mode is now permanently enabled:
pgp --list
If PGP Command Line is running in FIPS mode, the following message will be seen:
C:\Users\JoeFIPS>pgp --list
Warning: PGPsdk running in FIPS mode.
Alg Type Size/Type Flags Key ID User ID
----- ---- --------- ------- ---------- -------
*RSA4 pair 4096/4096 [VI---] 0xF9D078F5 JoeFIPS
1 keys found
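The steps above (set PGP_FIPS_MODE at the system level, then confirm the "Warning: PGPsdk running in FIPS mode." banner from pgp --list) can also be scripted. The following PowerShell is an added example, not part of this article or of PGP Command Line; it assumes pgp.exe is on the PATH, that the shell is elevated (writing a Machine-scope variable requires administrator rights), and that PGP Command Line reads the variable from the process environment.

```powershell
# Added example (not from the Symantec article): persist PGP_FIPS_MODE for the
# whole system and verify that pgp.exe reports FIPS mode.
# Assumptions: pgp.exe is on PATH; this session is elevated; PGP Command Line
# reads PGP_FIPS_MODE from the process environment. The article advises a
# reboot after setting the variable; the check below also sets it for the
# current session so the validation can be exercised right away.

$VarName    = 'PGP_FIPS_MODE'
$VarValue   = 'True'
$FipsBanner = 'Warning: PGPsdk running in FIPS mode.'

function Set-PgpFipsMode {
    # Machine scope corresponds to the "System variables" list in the
    # Environment Variables dialog described in the article.
    [Environment]::SetEnvironmentVariable($VarName, $VarValue, 'Machine')
    # Expose it to child processes of this session as well.
    Set-Item -Path "Env:$VarName" -Value $VarValue
}

function Test-PgpFipsMode {
    # Capture stdout and stderr together; the banner may be written to either.
    $output = & pgp --list 2>&1 | Out-String
    return [bool]($output -match [regex]::Escape($FipsBanner))
}

Set-PgpFipsMode

# Confirm the variable was actually persisted at Machine scope.
$persisted = [Environment]::GetEnvironmentVariable($VarName, 'Machine')
if ($persisted -ne $VarValue) {
    Write-Error "Failed to persist $VarName at Machine scope (got '$persisted')."
    exit 1
}

if (Test-PgpFipsMode) {
    Write-Output 'PGP Command Line is running in FIPS mode.'
} else {
    Write-Warning "FIPS banner not seen from 'pgp --list'. Reboot as the article advises and re-run the check."
    exit 2
}
```

Run it again after the reboot: if the banner is still missing, the variable is set but PGP Command Line is not picking it up, which is the case the article directs to Symantec Encryption Support.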
If the above is still not working, or you would like to enable FIPS mode in Linux/AIX/macOS, please reach out to Symantec Encryption Support for further guidance and mention this article.
180118 - HOW TO: Use PGP Command Line to Create and Manage PGP Keys
180234 - HOW TO: License PGP Command Line 10.x
153244 - HOW TO: Set the PGP_HOME_DIR variable for PGP Command Line
158454 - Using PGP Command Line
263777 - Setting Preferred Key Attributes (Cipher, Hash, Compression) with PGP Command Line
178330 - FIPS 140-2 certification status for the PGP product line cryptographic module