Netgate Discussion Forum

    Is pfSense FIPS 140-2 compliant?

    General pfSense Questions
    4 Posts 4 Posters 3.7k Views
    jridings

      Simple yes or no question!  Is pfSense FIPS 140-2 compliant?  If YES, how do I go about getting a FIPS 140-2 compliance certificate?

      Thanks,
      James

    motific

        I don't believe it is compliant out of the box (feel free to correct me if I'm wrong on that), but it can be configured that way.

        As I understand it you require a validated build to match the certification (it must be a specific version built with specific options.)

        pfSense is based on FreeBSD and uses OpenSSL which does have FIPS 140-2 certifications that can be found at csrc.nist.gov searching on openssl as the vendor.

    Harvy66
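A practical first check for the point motific raises (the crypto has to come from a validated module, at a version that matches the certificate) is to ask the OpenSSL on the box which providers it has loaded. The script below is an added example, not code from the thread or from the pfSense project. It parses the output of `openssl list -providers` (OpenSSL 3.x); the two sample listings are constructed to look like that output and were not captured from any real pfSense system. The function names are this example's own.

```shell
#!/bin/sh
# Added example: detect whether an OpenSSL 3.x build has its FIPS provider
# loaded and active, and report the provider version so it can be compared
# against the module version listed on the CMVP certificate at csrc.nist.gov.

# Constructed sample of `openssl list -providers` with the FIPS provider active.
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'

# Constructed sample with only the default (non-validated) provider loaded.
SAMPLE_NO_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active'

# Reads a provider listing on stdin. Exit 0 if a provider named "fips" reports
# "status: active", exit 1 otherwise. Provider names are indented two spaces;
# their attributes (name/version/status) are indented four.
fips_provider_active() {
  awk '
    /^  [A-Za-z]/                              { prov = $1 }
    /^    status: active/ && prov == "fips"    { found = 1 }
    END                                        { exit (found ? 0 : 1) }
  '
}

# Reads a provider listing on stdin and prints the fips provider version
# (prints nothing if no fips provider is listed).
fips_provider_version() {
  awk '
    /^  [A-Za-z]/                          { prov = $1 }
    /^    version:/ && prov == "fips"      { print $2 }
  '
}

# Live check against the local openssl binary. Returns 0 only if the FIPS
# provider is active; 1 if it is not or the listing is unavailable (OpenSSL 1.x
# has no providers); 2 if openssl is not installed at all.
check_local_openssl() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found" >&2
    return 2
  fi
  out=$(openssl list -providers 2>/dev/null) || {
    echo "no provider listing available (OpenSSL older than 3.x?)" >&2
    return 1
  }
  if printf '%s\n' "$out" | fips_provider_active; then
    echo "FIPS provider active, version $(printf '%s\n' "$out" | fips_provider_version)"
    return 0
  fi
  echo "FIPS provider not active"
  return 1
}

# Usage: run the check on this machine, or pipe a saved listing into the helpers:
#   printf '%s\n' "$SAMPLE_PROVIDERS" | fips_provider_active && echo active
check_local_openssl
```

An active provider only tells you the FIPS module is loaded; it does not by itself make the system "FIPS 140-2 compliant". The version printed still has to match the exact module and build on the certificate, the validated module has to be the one actually used for the connections you care about, and anything that does its own crypto outside OpenSSL (the kernel, for example) is a separate module with its own validation status.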

          Doing a quick wiki, FIPS 140-2 is about physical security.

          Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

          It's logically impossible for software to comply with this.

          FIPS 140 seems to be about cryptographic modules. pfSense/FreeBSD may use some cryptographic modules, but are not themselves cryptographic modules.

    Stewart

            @Harvy66:

            Doing a quick wiki, FIPS 140-2 is about physical security.

            Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

            It's logically impossible for software to comply with this.

            FIPS 140 seems to be about cryptographic modules. pfSense/FreeBSD may use some cryptographic modules, but are not themselves cryptographic modules.

            @jridings:  Perhaps a better question would be: are "Netgate pfSense Security Gateway Appliances" FIPS 140-2 compliant?  Looking over the wiki it appears that any device could be compliant as long as it had a special certified encryption board.  In that case it is just about the physical hardware being certified and no off-the-shelf components will work.  Maybe if you installed a certified board into your build for it to do the cryptography work that would pass?  But finding one that has BSD drivers and getting it to work with pfSense could be a challenge.  I don't see anything that says the entire device must be certified, only the hardware responsible for encrypting, but I'm not really sure on that.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.