Dell Encryption FIPS Compliance
Summary: The Federal Information Processing Standards (FIPS) are a ruleset that outline methods for how data is handled and processed by encryption algorithms on endpoints and across various communication channels. Dell Encryption leverages multiple encryption libraries, with the core encryption aspects controlled by a configurable cryptographic library. ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Affected Products:
- Dell Encryption
- Dell Data Protection | Encryption
In v10.1.0, Dell Encryption’s (formerly Dell Data Protection | Encryption) Policy-Based encryption uses the FIPS-validated cryptographic module RSA BSAFE Crypto Module. This new cryptographic provider is enabled by default on upgrade to Dell Encryption v10.1.0 or later if the CSSStartFlags DWord is not prepopulated.
This same change in cryptographic providers was made for Dell’s Software-based Full Disk Encryption in Dell Encryption v10.3.0.
RSA BSAFE Crypto Module operates in FIPS mode by default.
The FIPS certificate for RSA BSAFE Crypto Module is available on NIST CMVP here:
https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3409
Cause
Not Applicable
Resolution
Warning: The next step is a Windows Registry edit:
- Back up the Registry before proceeding, reference How to Back Up and Restore the Registry in Windows
.
- Editing the Registry can cause the computer to become unresponsive on the next reboot.
- Contact Dell Data Security International Support Phone Numbers for assistance if you have concerns about performing this step.
Policy-Based Encryption
A registry key can be modified to select a specific cryptoprovider and method of cryptology with, to modify the Cryptographic library that the Dell Encryption agent uses:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmgShieldFFE DWORD: CssStartFlags Various "Flags" can be set, with the options being: 0x80000000 BSAFE 0x80000010 BSAFE with reduced key security for higher performance 0x40000000 BCrypt 0x40000010 BCrypt with reduced key security for higher performance 0x20000000 CmgCrypt Non-Fips 0x20000010 CmgCrypt Non-Fips with reduced key security for higher performance 0x20000002 CmgCrypt FIPS
Dell Encryption’s Log files generate lines within the CMGshield.log file to indicate the mode that the cryptographic providers are operating in (Default location of C:\ProgramData\Dell\Dell Data Protection\Encryption\).
A line indicating the provider that is being loaded is represented by:
CffeEncrypterStartup -- Configuring RSA BSAFE Encryption CffeEncrypterStartup -- Configuring MS BCRYPT Encryption CffeEncrypterStartup -- Configuring CMG Crypt Encryption in FIPS Mode CffeEncrypterStartup -- Configuring CMG Crypt Encryption in non-FIPS Mode CffeEncrypterStartup -- Configuring RSA BSAFE Encryption for ambiguous specification of 0x%x
Beyond this line, another line is written outlining the value that was consumed in the registry:
CffeEncrypterStartup: Utilizing effective CssStartFlags configuration value Value in <Registry>
Note: Modifying the CSSStartFlags requires a reboot of the device for it to take effect. This registry value is consumed if it is present during the setup process, meaning the Dell Encryption client respects the value of the registry key and leverage that cryptographic library post upgrade or install.
If the Intel IPP flags are disabled or not present, Dell Encryption performs cryptographic operations by calling Dell’s FIPS-validated cryptographic library (operating in FIPS-mode).
When the Intel IPP Flags are enabled, the same cryptographic function calls are made to Dell’s FIPS-validated libraries, but the process is operating within the application in non-FIPS mode, and the encryption operations uses the Intel IPP library for improved performance.
To select the operation mode, modify (or create) the registry key:
HKLM\System\CurrentControlSet\Services\CmgShieldFFE DWORD: UseIPPFlags Value: 0 or 2 (decimal) 0 ENABLES the Intel IPP / AES NI functionality, forcing Dell Encryption cryptographic libraries to run in non-FIPS mode 2 DISABLES the Intel IPP / AES NI functionality, allowing Dell Encryption cryptographic libraries to run in FIPS mode.
Administrators can validate the setting after this registry is set, post reboot using the CMGShield.log file:
"CffeCSSLiteInit: Set fips mode to 1 returns 1 (0)" means that the cryptographic library is running in FIPS mode "CffeCSSLiteInit: Set fips mode to 0 returns 1 (0)" means that the cryptographic library is running in non-FIPS mode.
Note: Dell Encryption for Mac always processes within a FIPS-validated mode, and no modifications by the Dell Encryption administrator are required.
Dell Encryption’s legacy cryptographic provider of Credant’s CMGCrypto is no longer validated by NIST, though the former certification numbers are: 2156 and 2150
Software-based Full Disk Encryption
A registry key can be modified to select a specific cryptoprovider and method of cryptology with, to modify the Cryptographic library that the Dell Encryption agent uses:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DellFDE DWORD: Enable_Provider Various providers can be set, with the options being: 0x00000001 Software-based AES 0x00000002 Processor-driven AES-NI 0x00000004 Microsoft BCrypt 0x00000008 CSSLite-driven CmgCrypt (with reduced key security for increased performance) 0x00000010 CSSLite-driven RSA’s BSAFE (with reduced key security for increased performance) 0x00000020 CSSLite-driven Microsoft’s BCrypt (with reduced key security for increased performance)
Dell Encryption’s Log files generate lines within the DellCommon.log file to indicate the mode that the cryptographic providers are operating in (Default location of C:\ProgramData\Dell\Dell Data Protection\).
A line indicating the provider that is being loaded is represented by:
FDE_Crypto_Common.c ==============> Using <PROVIDERNAMEHERE> Crypto Provider
Note: Modifying the Enable_Provider registry requires a reboot of the device for it to take effect. This registry value is consumed if it is present during the setup process, meaning the Dell Encryption client respects the value of the registry key and leverage that cryptographic library post upgrade or install.
FIPS mode is managed using Microsoft’s FIPS libraries, referenced as BCrypt. These options can be enabled using a Group Policy Object for remotely managed machines, which can be done through the Group Policy Management console on a computer that has the Remote System Administration Toolkit installed (located here: https://support.microsoft.com/en-us/help/2693643)
Information on Microsoft’s implementation of the FIPS validated libraries can be found here: https://technet.microsoft.com/en-us/library/cc750357.aspx
To review the FIPS Certifications for Microsoft’s cryptographic libraries that Dell Encryption’s Full Disk Encryption leverages, reference NIST.gov links:
- Level 2 Certificate for Cryptographic Primitives: https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3094
- Level 2 Certificate for Kernel Cryptographic functions: https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3095
Remotely Managed devices using Active Directory
To Enable using Group Policy Management Console (gpmc.msc):
Select the Organizational Unit in which this change is required.
Note: Dell Recommends testing and validating any Group Policy Object changes before applying the changes to production.
Figure 1: (English Only) Group Policy Management
- Name the new Group Policy Object.
Figure 2: (English Only) Name the Group Policy Object
- Right-click the new Group Policy Object and select Edit.
Figure 3: (English Only) Edit the Group Policy Object
Note: The policy in question is in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. The title is System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
- Right-click the policy and select properties to modify.
Figure 4: (English Only) Select Properties
- Enable the option to Define this policy setting, and then select the Enabled radial button.
Figure 5: (English Only) Enable Define this policy setting
- Click apply.
- Close the Group Policy Management Editor.
Once the devices are added to the Organizational Group, or any subgroup (excluding groups that have inheritance blocked), this new Group Policy Object applies to those devices as their Machine Group Policies update. The default setting for this update is every 2 hours, or on machine reboot.
Once this policy is applied, once Dell’s software-based Full Disk Encryption is set to encrypt, the device is encrypted leveraging Microsoft’s FIPS-Compliant algorithms.
Locally Managed Devices
These options can also be enabled locally through the local Group Policy Editor (gpedit.msc) or through the Local Security Policy editor (secpol.msc).
In the local Group Policy Editor
The policy in question is in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The title is System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
- Right-click the policy and select properties to modify.
Figure 6: (English Only) Properties of the policy
- Enable the option to Define this policy setting, and then select the Enabled radial button.
Figure 7: (English Only) Enable Define this policy setting
- Click apply.
- Close the Group Policy Management Editor.
This new policy applies to those devices as their machine policies update. The default setting for this update is every 2 hours, or on machine reboot.
Once this policy is applied, once Dell’s software-based Full Disk Encryption is set to encrypt, the device is encrypted leveraging Microsoft’s FIPS-Compliant algorithms.
In Local Security Policy editor
The policy in question is in Security Settings > Local Policies > Security Options. The title is System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
- Right-click the policy and select properties to modify.
Figure 8: (English Only) Properties of Policy
- Enable the option to Define this policy setting, and then select the Enabled radial button.
Figure 9: (English Only) Enable Define this policy setting
- Click apply.
- Close the Group Policy Management Editor.
This new policy applies to those devices as their machine policies update. The default setting for this update is every 2 hours, or on machine reboot.
Once this policy is applied, once Dell’s software-based Full Disk Encryption is set to encrypt, the device is encrypted leveraging Microsoft’s FIPS-Compliant algorithms.
Enable using Registry entry
Microsoft’s FIPS-compliant algorithms can also be enabled using registry. To enable FIPS-compliant libraries, you can modify the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy DWORD: Enabled Value: 1
On reboot, this policy is set in effect. Once this policy is applied, once Dell’s software-based Full Disk Encryption is set to encrypt, the device is encrypted leveraging Microsoft’s FIPS-Compliant algorithms.
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.
Affected Products
Dell EncryptionArticle Properties
Article Number: 000126015
Article Type: Solution
Last Modified: 08 máj 2024
Version: 11
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.