This article provides the steps to enable FIPS encryption in a vSphere environment.
FIPS is enabled by default on ESXi hosts at versions greater than 6.7u2. However, FIPS for SSH connections to an ESXi host must be enabled manually.
VMware vCenter Server 6.7.2.x, 7.x and 8.x
VMware ESXi 6.7.2.x, 7.x and 8.x
FIPS for SSH connection to ESXi host:
Log in to the ESXi host via the PuTTY client (SSH).
Check the current status of FIPS via SSH:
esxcli system security fips140 ssh get
The output should be similar to:
To enable it, run the following:
esxcli system security fips140 ssh set -e true
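The check and enable steps above can be combined into one idempotent routine that changes the setting only when it is off and then re-reads it to confirm. This is an added example, not part of the original article or VMware's own tooling; it assumes the get command prints a line of the form "Enabled: true" or "Enabled: false", and the function names and the ESXCLI override variable are hypothetical.

```shell
#!/bin/sh
# Added example: check, enable and verify FIPS for SSH on an ESXi host.
# ESXCLI may be overridden (hypothetical knob, used for offline testing).
ESXCLI="${ESXCLI:-esxcli}"

# Print "true", "false" or "unknown" for the current SSH FIPS state.
# Assumption: the get command prints a line like "   Enabled: false".
fips_ssh_state() {
    out=$($ESXCLI system security fips140 ssh get 2>/dev/null) || { echo unknown; return 0; }
    state=$(printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*Enabled:[[:space:]]*\([A-Za-z]*\).*$/\1/p' | head -n 1)
    case "$state" in
        true|false) echo "$state" ;;
        *) echo unknown ;;
    esac
}

# Enable FIPS for SSH only when it is currently off, then confirm the change.
# Returns 0 if enabled (already or after the change), 1 if the set failed or
# did not take effect, 2 if the current state could not be read.
ensure_fips_ssh() {
    before=$(fips_ssh_state)
    case "$before" in
        true) echo "already enabled"; return 0 ;;
        unknown) echo "could not read SSH FIPS state" >&2; return 2 ;;
    esac
    $ESXCLI system security fips140 ssh set -e true || return 1
    if [ "$(fips_ssh_state)" = "true" ]; then
        echo "enabled"
        return 0
    fi
    echo "set command ran but state is still not true" >&2
    return 1
}

# Run with --apply on the host to perform the change; otherwise only define.
case "${1:-}" in
    --apply) ensure_fips_ssh ;;
esac
```

An unreadable state is reported separately (return code 2) so that a parsing or permission problem is never mistaken for a compliant host.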
FIPS for VM Encryption:
FIPS comes into play when enabling virtual machine encryption with Native Key Provider, which is FIPS 140-2 (Level 1) compliant by default. For further information, refer to vSphere Native Key Provider (NKP) Questions & Answers.
FIPS for vCenter Server:
Additional steps are required to enable FIPS for vCenter Server. Review the prerequisites and considerations before enabling FIPS, as described in Considerations When Using FIPS.
Please refer to Enable and Disable FIPS on the vCenter Server Appliance.