« Elastic Agent configuration encryption Secure Elastic Agent connections »
Elastic Docs Fleet and Elastic Agent Guide [8.19]

FIPS mode for Ingest tools

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

FIPS mode for Ingest tools

edit

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Elastic Agent, Fleet, Filebeat, Metricbeat, and APM Server binaries are built and are configured to use FIPS 140-2 compliant cryptography. Generally speaking FIPS 140-2 requirements can be summarized as:

  • linking against a FIPS certified cryptographic library
  • using only FIPS approved cryptographic functions
  • ensuring that the configuration of the component is FIPS 140-2 compliant.

FIPS-compatible binaries and configuration

edit

FIPS compatible binaries for Elastic Agent, Fleet, Filebeat, Metricbeat, and APM Server are available for download. Look for the Linux 64-bit (FIPS) or Linux aarch64 (FIPS) platform option on the product download pages for Elastic Agent and Fleet, Filebeat, and Metricbeat. Look for the Linux x86_64 (FIPS) or Linux aarch64 (FIPS) platform option on the APM Server download page.

The default configurations provided in the binaries are FIPS compatible. Be sure to check and understand the implications of changing default configurations.

Limitations

edit

TLS

edit

Only FIPS 140-2 compliant TLS protocols, ciphers, and curve types are allowed to be used:

  • The supported TLS versions are TLS v1.2 and TLS v1.3.

  • The supported cipher suites are:

    • TLS v1.2: ECDHE-RSA-AES-128-GCM-SHA256, ECDHE-RSA-AES-256-GCM-SHA384, ECDHE-ECDSA-AES-128-GCM-SHA256, ECDHE-ECDSA-AES-256-GCM-SHA384
    • TLS v1.3: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384
  • The supported curve types are P-256, P-384 and P-521.

Support for encrypted private keys is not available, as the cryptographic modules used for decrypting password protected keys are not FIPS validated. If an output or any other component with an SSL key that is password protected is configured, the components will fail to load the key. When running in FIPS mode, you must provide non-encrypted keys. Be sure to enforce security in your FIPS environments through other means, such as strict file permissions and access controls on the key file itself, for example.

These TLS related restrictions apply to all components listed—​Elastic Agent, Fleet, Filebeat, Metricbeat, and APM Server.

General output and input limitations (Kerberos protocol)

edit

The Kerberos protocol is not supported for any output or input, which also impacts the available sasl.mechanism for the Kafka output where only PLAIN is supported.

This impacts Filebeat, Metricbeat, and APM Server, as well as output configurations for Elastic Agent with Fleet Server.

APM Server

edit

Filebeat

edit

Metricbeat

edit

Elastic Agent and Fleet Server

edit

When you use Elastic Agent and Fleet Server, these limitations apply:

  • Running Elastic Agent in OpenTelemetry mode is not yet supported. This includes all receivers, such as Filebeat Receiver, Metricbeat Receiver, and Prometheus Receiver.
  • Some Elastic Integrations are not FIPS compatible, as they depend on functionality that is not yet supported for FIPS configuration. In general, when using Elastic Agent and Fleet Server, the same restrictions listed previously for Metricbeat and Filebeat modules, inputs, and processors apply.

Elastic Integrations that are not FIPS compatible

edit

These Elastic Integrations have components that are not FIPS compatible, and cannot be used in FIPS environments, even if combined with other ingest tools that offer FIPS mode.

« Elastic Agent configuration encryption Secure Elastic Agent connections »