Jarrod's picture

So this is my first post and it is kind of coming from a very fresh mind. I am essentially trying to create a secure file transfer solution and Owncloud seems to fit that bill. However for compliance purposes the server should use FIPS 140-2 and I was not sure how to go about getting that setup on a Turnkey server.

Does anyone have experience with using these appliances in a compliance space where additional hardening is an order?

Anyone know about FIPS and how it can be configured on say the Owncloud appliance provided here?

Any direction is greatly appreciated.

Cheers!

Forum: 
Tags: 
Jeremy Davis's picture

TBH, I didn't even know what "FIPS mode" is until you asked and I googled!

First up, from what I can gather, the FIPS 140-2 spec has recently been superseded by FIPS 140-3.

Furthermore, whilst it appears that some OS provide a "FIPS mode", FIPS is a standard rather than a "mode". What the "FIPS mode" appears to do is disable any uncompliant encryption modules. Unfortunately, the only Debian (the OS basis of TurnKey) reference I could find regarding FIPS was PartmanCrypto (an installer module that supports encrypted partitions) so I'm not 100% sure how directly relevant it is. It mentions use of 'rng-tools' to test for FIPS compliance of RNG (random number generation). There actually appears to be 2 different 'rng-tools' packages (here and here) and I'm not really clear on which would be the better, nor whether that will give you anything much (other than testing your hardware) on the path to FIPS compliance.

Going on from that, my reading suggests that for FIPS compliance, you'll likely need to use an encrypted filesystem. Whilst that is theoretically possible in TurnKey (because it's based on Debian) I've never done it and I'm not sure how hard it might be. FWIW it's not possible via the TurnKey installer wrapper (wraps around the Debian installer; but doesn't have support for PartmanCrypto). So you'd need to do that post install and will likely take some fiddling.

And that's all before you get to ownCloud itself. I did do a bit of googling, but couldn't find much specific info on FIPS compliance with ownCloud (or Nextcloud for that matter - Nc is a fork of oC). The only thing I did find was an alternate (hosted i.e. SaaS) product called Filecloud. I won't provide a link because I don't like to give free plugs to paid proprietary software that I've never used myself, but you should be able to find it via google. According to them neither ownCloud nor Nextcloud provide FIPS compliance (my reading suggests that the encryption module that ownCloud uses by default is not FIPS compliant); but apparently Filecloud do... So whilst I'm generally not a big fan of proprietary SaaS apps, perhaps that might be the easiest and cheapest way to go?

Bottom line is that if FIPS compliance is required, I think either you'll need to speak with (likely hire on a contract basis) someone who knows what they are doing and can guide you along the way. I suspect that it might be possible to get TurnKey ownCloud (or Nextcloud) FIPS compliant, but my guess is that it will be a pain and be quite expensive, both in money initially (possibly making OS and/or software modifications which will need to be maintained), and time/money for ongoing maintenance. By my fairly minimal understanding it appears that only specific code is FIPS compliant (or not) so ironically, you may need to use older software packages, rather than newer ones (which may include security fixes). AFAIK that only relates to the packages which provide the encryption itself (e.g. OpenSSL, OpenSSH, etc). To have emulate a "FIPS mode" you'll need to ensure that you have only FIPS compliant encryption modules loaded and that all the relevant software is using the correct algorithms (and doesn't allow access to non-compliant ones). So you should definitely not have automated updates installing.

If you wish to push on with the "self hosted" option, then I have an alternate suggestion. Whilst I'm not generally in the habit of encouraging users to use a non-TurnKey OS, a alternative path that I suspect might be cheaper and easier (than getting TurnKey FIPS compliant) would be to purchase something off the shelf that is FIPS compliant. Ubuntu apparently provide FIPS compliance (for Ubuntu servers) via the "Ubuntu Advantage for Infrastructure" ($750/year per server; or $250/year per VM - in a pack of 10). So that may well be the best way to go with it? Red Hat and Amazon Linux may also be worthy of consideration (Amazon Linux is free, but only runs on AWS; if you go that way you'll need to also ensure that you only use FIPS compliant AWS endpoints to control your server).

I'm not sure how much value my research provides, but hopefully it gives you some ideas. If you have further questions, I'll do my best to answer, but not sure how much more I can add. Regardless, please post back and let us know how you end up going.

Jarrod's picture

Thank You Jeremy for your detailed response. I totally agree with your feedback. Some of the SFTP products I have been looking at do indeed have a switch to turn on FIPS compliant encryption and I think that all relies on the underlying OS and available encryption methods.

I have been on the hunt for a SaaS product and have come accross quite a few but they all tend to be very pricey hence why I am trying to vet out the comlpexity of this solution and possibly build something myself. If the OS can install the FIPS compliant Encryption methods and the software can be forced to use it, and the Drives are encrypted with a FIPS compliant encryption than the solution should not be too difficult to create. For instance I understand that Windows 10 Bitlocker has FIPS compliant options using Local Group Policy, and FileZilla And OpenSSL can be used to make Filezilla compliant, and though this is an option I was hoping to find a similar Canned option from Turnkey, But I know thats a big ask.

 

Thanks again and If and when I have my solution figured Out I will try to circle back to let everyone know what worked for me.

 

 

Jeremy Davis's picture

If you can get FIPS compliance on TurnKey, I'd certainly love to hear. Because of the certification requirements (and the associated time and money costs) I don't think that it is likely we'd offer packaged "FIPS compliance". I suspect that the costs would be fairly high (hence why the SaaS products can get away with charging crazy prices). But it would be great to have a better understanding of what is required from a pragmatic sense.

Good luck with it all and look forward to hearing how you go. Even if you go with a completely non-TurnKey Linux solution, please post back.

(PS I remove the dupe post)

Add new comment