Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products

Dell Encryption FIPS Compliance

Summary: The Federal Information Processing Standards (FIPS) are a ruleset that outline methods for how data is handled and processed by encryption algorithms on endpoints and across various communication channels. Dell Encryption leverages multiple encryption libraries, with the core encryption aspects controlled by a configurable cryptographic library. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

Affected Products:

  • Dell Encryption
  • Dell Data Protection | Encryption

In v10.1.0, Dell Encryption’s (formerly Dell Data Protection | Encryption) Policy-Based encryption uses the FIPS-validated cryptographic module RSA BSAFE Crypto Module. This new cryptographic provider is enabled by default on upgrade to Dell Encryption v10.1.0 or later if the CSSStartFlags DWord is not prepopulated.

This same change in cryptographic providers was made for Dell’s Software-based Full Disk Encryption in Dell Encryption v10.3.0.

RSA BSAFE Crypto Module operates in FIPS mode by default.

The FIPS certificate for RSA BSAFE Crypto Module is available on NIST CMVP here:

https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3409 This hyperlink is taking you to a website outside of Dell Technologies.

Cause

Not Applicable

Resolution

Warning: The next step is a Windows Registry edit:

Policy-Based Encryption

A registry key can be modified to select a specific cryptoprovider and method of cryptology with, to modify the Cryptographic library that the Dell Encryption agent uses:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmgShieldFFE
DWORD: CssStartFlags

Various "Flags" can be set, with the options being:

0x80000000 BSAFE
0x80000010 BSAFE with reduced key security for higher performance
0x40000000 BCrypt
0x40000010 BCrypt with reduced key security for higher performance
0x20000000 CmgCrypt Non-Fips
0x20000010 CmgCrypt Non-Fips with reduced key security for higher performance
0x20000002 CmgCrypt FIPS

Dell Encryption’s Log files generate lines within the CMGshield.log file to indicate the mode that the cryptographic providers are operating in (Default location of C:\ProgramData\Dell\Dell Data Protection\Encryption\).

A line indicating the provider that is being loaded is represented by:

CffeEncrypterStartup -- Configuring RSA BSAFE Encryption
CffeEncrypterStartup -- Configuring MS BCRYPT Encryption
CffeEncrypterStartup -- Configuring CMG Crypt Encryption in FIPS Mode
CffeEncrypterStartup -- Configuring CMG Crypt Encryption in non-FIPS Mode
CffeEncrypterStartup -- Configuring RSA BSAFE Encryption for ambiguous specification of 0x%x

Beyond this line, another line is written outlining the value that was consumed in the registry:

CffeEncrypterStartup: Utilizing effective CssStartFlags configuration value Value in <Registry>
Note: Modifying the CSSStartFlags requires a reboot of the device for it to take effect. This registry value is consumed if it is present during the setup process, meaning the Dell Encryption client respects the value of the registry key and leverage that cryptographic library post upgrade or install.

If the Intel IPP flags are disabled or not present, Dell Encryption performs cryptographic operations by calling Dell’s FIPS-validated cryptographic library (operating in FIPS-mode).

When the Intel IPP Flags are enabled, the same cryptographic function calls are made to Dell’s FIPS-validated libraries, but the process is operating within the application in non-FIPS mode, and the encryption operations uses the Intel IPP library for improved performance.

To select the operation mode, modify (or create) the registry key:

HKLM\System\CurrentControlSet\Services\CmgShieldFFE
DWORD: UseIPPFlags
Value: 0 or 2 (decimal)

0 ENABLES the Intel IPP / AES NI functionality, forcing Dell Encryption cryptographic libraries to run in non-FIPS mode
2 DISABLES the Intel IPP / AES NI functionality, allowing Dell Encryption cryptographic libraries to run in FIPS mode.

    Administrators can validate the setting after this registry is set, post reboot using the CMGShield.log file:

    "CffeCSSLiteInit: Set fips mode to 1 returns 1 (0)" means that the cryptographic library is running in FIPS mode
    "CffeCSSLiteInit: Set fips mode to 0 returns 1 (0)" means that the cryptographic library is running in non-FIPS mode.
    
    Note: Dell Encryption for Mac always processes within a FIPS-validated mode, and no modifications by the Dell Encryption administrator are required.

    Dell Encryption’s legacy cryptographic provider of Credant’s CMGCrypto is no longer validated by NIST, though the former certification numbers are: 2156 and 2150

    Software-based Full Disk Encryption

    A registry key can be modified to select a specific cryptoprovider and method of cryptology with, to modify the Cryptographic library that the Dell Encryption agent uses:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DellFDE
    DWORD: Enable_Provider
    
    Various providers can be set, with the options being:
    
    0x00000001 Software-based AES
    0x00000002 Processor-driven AES-NI
    0x00000004 Microsoft BCrypt
    0x00000008 CSSLite-driven CmgCrypt (with reduced key security for increased performance)
    0x00000010 CSSLite-driven RSA’s BSAFE (with reduced key security for increased performance)
    0x00000020 CSSLite-driven Microsoft’s BCrypt (with reduced key security for increased performance)
    

    Dell Encryption’s Log files generate lines within the DellCommon.log file to indicate the mode that the cryptographic providers are operating in (Default location of C:\ProgramData\Dell\Dell Data Protection\).

    A line indicating the provider that is being loaded is represented by:

    FDE_Crypto_Common.c ==============> Using <PROVIDERNAMEHERE> Crypto Provider
    
    Note: Modifying the Enable_Provider registry requires a reboot of the device for it to take effect. This registry value is consumed if it is present during the setup process, meaning the Dell Encryption client respects the value of the registry key and leverage that cryptographic library post upgrade or install.

    FIPS mode is managed using Microsoft’s FIPS libraries, referenced as BCrypt. These options can be enabled using a Group Policy Object for remotely managed machines, which can be done through the Group Policy Management console on a computer that has the Remote System Administration Toolkit installed (located here: https://support.microsoft.com/en-us/help/2693643) This hyperlink is taking you to a website outside of Dell Technologies.

    Information on Microsoft’s implementation of the FIPS validated libraries can be found here: https://technet.microsoft.com/en-us/library/cc750357.aspx This hyperlink is taking you to a website outside of Dell Technologies.

    To review the FIPS Certifications for Microsoft’s cryptographic libraries that Dell Encryption’s Full Disk Encryption leverages, reference NIST.gov links:

    Remotely Managed devices using Active Directory

    To Enable using Group Policy Management Console (gpmc.msc):

    Select the Organizational Unit in which this change is required.

    Note: Dell Recommends testing and validating any Group Policy Object changes before applying the changes to production.

    Group Policy Management
    Figure 1: (English Only) Group Policy Management

    1. Name the new Group Policy Object.

    Name the Group Policy Object
    Figure 2: (English Only) Name the Group Policy Object

    1. Right-click the new Group Policy Object and select Edit.

    Edit the Group Policy Object
    Figure 3: (English Only) Edit the Group Policy Object

     
    Note: The policy in question is in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. The title is System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
    1. Right-click the policy and select properties to modify.

    Select Properties
    Figure 4: (English Only) Select Properties

    1. Enable the option to Define this policy setting, and then select the Enabled radial button.

    Enable Define this policy setting
    Figure 5: (English Only) Enable Define this policy setting

    1. Click apply.
    2. Close the Group Policy Management Editor.

    Once the devices are added to the Organizational Group, or any subgroup (excluding groups that have inheritance blocked), this new Group Policy Object applies to those devices as their Machine Group Policies update. The default setting for this update is every 2 hours, or on machine reboot.

    Once this policy is applied, once Dell’s software-based Full Disk Encryption is set to encrypt, the device is encrypted leveraging Microsoft’s FIPS-Compliant algorithms.

    Locally Managed Devices

    These options can also be enabled locally through the local Group Policy Editor (gpedit.msc) or through the Local Security Policy editor (secpol.msc).

    In the local Group Policy Editor

    The policy in question is in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The title is System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.

    1. Right-click the policy and select properties to modify.

    Properties of the policy
    Figure 6: (English Only) Properties of the policy

    1. Enable the option to Define this policy setting, and then select the Enabled radial button.

    Enable Define this policy setting
    Figure 7: (English Only) Enable Define this policy setting

    1. Click apply.
    2. Close the Group Policy Management Editor.

    This new policy applies to those devices as their machine policies update. The default setting for this update is every 2 hours, or on machine reboot.

    Once this policy is applied, once Dell’s software-based Full Disk Encryption is set to encrypt, the device is encrypted leveraging Microsoft’s FIPS-Compliant algorithms.

    In Local Security Policy editor

    The policy in question is in Security Settings > Local Policies > Security Options. The title is System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.

    1. Right-click the policy and select properties to modify.

    Properties of Policy
    Figure 8: (English Only) Properties of Policy

    1. Enable the option to Define this policy setting, and then select the Enabled radial button.

    Enable Define this policy setting
    Figure 9: (English Only) Enable Define this policy setting

    1. Click apply.
    2. Close the Group Policy Management Editor.

    This new policy applies to those devices as their machine policies update. The default setting for this update is every 2 hours, or on machine reboot.

    Once this policy is applied, once Dell’s software-based Full Disk Encryption is set to encrypt, the device is encrypted leveraging Microsoft’s FIPS-Compliant algorithms.

    Enable using Registry entry

    Microsoft’s FIPS-compliant algorithms can also be enabled using registry. To enable FIPS-compliant libraries, you can modify the registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
    DWORD: Enabled
    Value: 1
    

    On reboot, this policy is set in effect. Once this policy is applied, once Dell’s software-based Full Disk Encryption is set to encrypt, the device is encrypted leveraging Microsoft’s FIPS-Compliant algorithms.


    To contact support, reference Dell Data Security International Support Phone Numbers.
    Go to TechDirect to generate a technical support request online.
    For additional insights and resources, join the Dell Security Community Forum.

    Affected Products

    Dell Encryption
    Article Properties
    Article Number: 000126015
    Article Type: Solution
    Last Modified: 08 máj 2024
    Version:  11
    Find answers to your questions from other Dell users
    Support Services
    Check if your device is covered by Support Services.