FIPS and Octopus Deploy

We take every reasonable effort to make Octopus Server, Tentacle and Calamari FIPS 140 compliant. If something is not FIPS 140 compliant we will take every reasonable effort to fix the problem, or otherwise degrade the feature gracefully.

What is FIPS?

The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptography modules. The National Institute of Standards and Technology (NIST) issues the 140 Publication Series to coordinate the requirements and standards for cryptographic modules, which include both hardware and software components, for use by departments and agencies of the United States federal government.

How is FIPS Enforced?

You can configure a Windows Server to enforce the use of FIPS 140 compliant cryptographic algorithms by setting the security policy "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" to Enabled. The effects of this security policy setting are far reaching, but the most common symptom you will see in .NET applications is a "System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms" being thrown whenever the application attempts to use one of the non-FIPS compliant APIs.
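To check whether that policy is enforced on a given server, and to see the exception it produces before deploying Octopus components there, here is an added example (it is not part of the Octopus documentation or product; it assumes Windows PowerShell 5.1, which runs on the .NET Framework and therefore honours the policy, and the function names are this example's own):

```powershell
# Added example, not Octopus Deploy code. Reports the FIPS policy state on
# this server and probes how the .NET Framework reacts to it.
# Assumes Windows PowerShell 5.1; function names are this example's own.

function Get-FipsPolicyState {
    # The "System cryptography: Use FIPS compliant algorithms..." policy is
    # persisted as a DWORD under this key: 1 = enforced, 0 or absent = not.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegistryEnforced = ($value.Enabled -eq 1)
        # What the runtime itself reports; this is the flag .NET consults
        # before throwing the InvalidOperationException quoted above.
        DotNetFipsOnly   = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-AlgorithmUnderFips {
    param([Parameter(Mandatory)][string]$TypeName)
    # Instantiate a hash implementation the way application code would.
    # MD5 has no FIPS-validated implementation, so MD5CryptoServiceProvider
    # throws under the policy; validated CSP-backed SHA classes succeed.
    try {
        $impl = New-Object -TypeName "System.Security.Cryptography.$TypeName"
        $impl.Dispose()
        return "$TypeName : available"
    } catch {
        # PowerShell wraps the constructor's exception; inspect the innermost one.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.InvalidOperationException]) {
            return "$TypeName : blocked by FIPS policy - $($ex.Message)"
        }
        throw
    }
}

Get-FipsPolicyState | Format-List
'MD5CryptoServiceProvider', 'SHA1CryptoServiceProvider', 'SHA256CryptoServiceProvider' |
    ForEach-Object { Test-AlgorithmUnderFips -TypeName $_ }
```

On a server with the policy enforced, the MD5 line reports "blocked by FIPS policy" with the exception text quoted above, which is the same failure the non-compliant features listed under Known Issues run into.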

Known Issues

Some of the features in Octopus Deploy depend on third-party libraries to work correctly. The following features are known to be non-FIPS compliant and will fail, or degrade gracefully, when FIPS-compliance is required:

  • Parts of the Azure Service Management SDK are non-compliant:
    1. Deployments to Azure Cloud Services will not work.
    2. Deployments to Azure App Service (Web Apps, etc) will not work.
  • The Upload to S3 step uses MD5 hashes to detect which files have changed and therefore which files to upload. When FIPS-compliance is required, this step will upload each file regardless of whether they have changed or not.
  • Gravatar will be ignored since it relies on MD5-hashed email addresses. This only impacts the avatar which is displayed in the Octopus UI.
  • SSH targets using a Key Pair where the key is protected by a passphrase are affected by FIPS, however we still consider SSH communication to be secure:
    • All communication security and private key encryption uses FIPS compliant algorithms
    • The private key is encrypted with 3DES where the cipher key is generated by taking a multi-layered MD5 hash of the passphrase
    • The SSH server's identity is validated by comparing the MD5 hash of the server's public key

Found Something New?

Please contact our support team with details of the error and we will take every reasonable effort to fix the problem, or otherwise degrade the feature gracefully.