FIPS 140-2
Is it possible to deploy Cleversafe (either the opensource or commercial versions) utilizing FIPS 140-2 validated encryption? If not, is this on the road map?
Tim,
FIPS 140-2 validation applies to encryption libraries, such as OpenSSL, JCE, JSSE, etc. Some Java implementations of JCE and JSSE have been FIPS 140-2 certified, and since Cleversafe uses JCE and JSSE libraries directly, then using a FIPS 140-2 certified one would imply that the cryptographic operations done by Cleversafe software are running on certified code, however FIPS 140-2 certification is not something that Cleversafe could apply for, as the certification is only for cryptographic modules. Additionally, even the slightest change to such a module means the certification does not apply to future versions.
I hope this answer is helpful to you. Please let me know if you have further questions or concerns.
Jason
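An added example, not part of the thread and not Cleversafe code: a small Java check that reports which installed JCE/JSSE provider the JVM actually selects for a few common operations, so a deployment can confirm that calls made through the standard APIs resolve to the provider it intended. The class name, the algorithm list and the placeholder provider name are assumptions for illustration.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

public class ProviderAudit {
    // Maps each requested service to the name of the provider the JVM picks for it.
    // The three algorithms are illustrative; list the ones your application uses.
    static Map<String, String> selectedProviders() throws Exception {
        Map<String, String> out = new LinkedHashMap<>();
        out.put("Cipher AES/CBC/PKCS5Padding",
                Cipher.getInstance("AES/CBC/PKCS5Padding").getProvider().getName());
        out.put("MessageDigest SHA-256",
                MessageDigest.getInstance("SHA-256").getProvider().getName());
        out.put("SSLContext TLS",
                SSLContext.getInstance("TLS").getProvider().getName());
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the name under which your validated provider registers.
        // "EXAMPLE-FIPS-PROVIDER" is a placeholder, not a real provider name.
        String expected = args.length > 0 ? args[0] : "EXAMPLE-FIPS-PROVIDER";

        // Providers are returned in preference order; position 1 is tried first.
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.printf("%2d. %s%n", i + 1, installed[i].getName());
        }

        boolean allMatch = true;
        for (Map.Entry<String, String> e : selectedProviders().entrySet()) {
            boolean match = e.getValue().equals(expected);
            allMatch &= match;
            System.out.printf("%-30s -> %-12s %s%n",
                    e.getKey(), e.getValue(), match ? "OK" : "NOT " + expected);
        }
        // Non-zero exit lets a deployment script fail when any service
        // resolves to a provider other than the expected one.
        System.exit(allMatch ? 0 : 1);
    }
}
```

A matching name only shows which provider the JVM selects; whether that module is running in its approved mode depends on the provider's own configuration.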
Jason,
It does help. I was unsure if Cleversafe used the standard JCE and JSSE libraries. So if I roll my own implementation then I can use a JCE and JSSE of my choice which are FIPS validated. I guess really the question remaining is if the commercial appliance implementation uses a JCE and JSSE implementation which is FIPS 140-2 validated.
The Cleversafe technology looks like an interesting and potentially useful solution; however, unless a commercially supported version with a FIPS 140-2 JCE and JSSE is available the odds of it getting deployed beyond my test machine and into the organizations I support are greatly reduced.
I know there are other alternatives involving encrypting the data either at the file, file system, or block level which could be used in conjunction with Cleversafe; however, if this is not done at the "storage device" level, we would most likely have to deploy a variety of solutions depending on the differing platforms we support and how they would eventually be accessing the data (block, NFS/CIFS, etc).
Tim,
If you send an email to sales@cleversafe.com we can get you more detailed product roadmap information regarding FIPS 140-2 certified encryption modules in the commercial product.
Thanks
Alan

