Can BackupChain run in FIPS Mode?

In order to run BackupChain in FIPS mode, your need to run Windows itself in FIPS mode. The instructions to enable FIPS are shown below.

Enabling FIPS Mode in Windows

To enable FIPS mode on a Windows machine, you have a few options depending on your system configuration. FIPS mode ensures that only FIPS-compliant algorithms for encryption, hashing, and signing are used, which is often required for government agencies or organizations handling sensitive data. Whether you’re managing a single machine or multiple devices within a network, the process can be completed through the Local Security Policy, Group Policy Editor, or by directly modifying the system registry. This article outlines the steps to enable FIPS mode in Windows, providing the necessary guidance for both individual users and IT administrators.

Using the Local Security Policy

To enable FIPS mode via the Local Security Policy, begin by pressing the “Win + R” keys to open the Run dialog box. Type “secpol.msc” and press Enter to open the Local Security Policy window. From the left-hand panel, navigate to Advanced Audit Policy Configuration and expand the System Cryptography section. In this area, locate the policy titled System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Double-click this policy and select the Enabled option to enforce FIPS compliance. Once you have confirmed the changes, click OK to apply them, and restart the computer to ensure that FIPS mode is activated.

Using Group Policy Editor

For organizations managing multiple devices or systems, the Group Policy Editor is an ideal method to enable FIPS mode across the network. Start by pressing the “Win + R” keys to open the Run dialog, then type “gpedit.msc” and press Enter to launch the Group Policy Editor. Within the editor, navigate to Computer Configuration > Administrative Templates > System > Cryptography. Here, locate the policy labeled System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing and double-click on it to open its settings. Change the policy to Enabled, then click Apply and OK to enforce the new setting. The next step is to restart the system to apply the configuration, ensuring that FIPS-compliant algorithms are now in use.

Modifying the Registry Directly

If you prefer to manually modify the system registry, you can enable FIPS mode by editing specific registry keys. To do this, open the Run dialog by pressing “Win + R”, type “regedit”, and press Enter to launch the Registry Editor. In the Registry Editor, navigate to the following key:
“HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa”. If the FIPSAlgorithmPolicy value is not already present, you will need to create a new DWORD (32-bit) Value. Once you have located or created the FIPSAlgorithmPolicy entry, set its value to “1” to enable FIPS mode. If you prefer to disable FIPS mode later, simply change the value to “0”. After making this change, close the Registry Editor and restart the system to apply the new setting.

Verifying FIPS Mode Activation

Once FIPS mode has been enabled, it is essential to verify that the setting has been applied correctly. To do so, open a Command Prompt or PowerShell window and enter the following command:

certutil -getreg fipsmode

If FIPS mode is active, the command will return a message stating that “FIPS mode is enabled.” This is an indication that your system is now using only FIPS-compliant cryptographic algorithms for tasks such as encryption, hashing, and signing. If the command returns a different message, you may need to review the steps taken to ensure that the settings were properly configured.

Considerations When Enabling FIPS Mode

While FIPS mode provides a higher level of security by enforcing the use of approved cryptographic algorithms, it may also affect the functionality of some applications. Certain software, especially older or non-compliant programs, may not support the required FIPS algorithms and could experience issues when the mode is activated. Organizations should carefully assess the compatibility of their applications before enabling FIPS mode across multiple systems. Additionally, enabling FIPS mode may impact system performance in some scenarios due to the additional cryptographic checks. It is important to weigh the benefits of enhanced security against these potential drawbacks when deciding whether to implement FIPS mode.