Proxmox in a US Federal environment?

I know of several DoD contractors using it in their closed areas with DCSA approval. The fun part is getting the OS and hypervisor configured to be as close to STIG compliant as possible. This requires a good bit of work remapping the controls and settings to what's needed.
 
FIPS may only be required in many of these US gov/contractor applications if encryption is defined as the only mechanism protecting confidentiality of the data. If the server cluster is appropriately physically protected and separate VLANs are used to isolate Ceph/management/IPMI/Corosync from each other and from user-facing workloads, then using encryption on Ceph or ZFS may count towards defense-in-depth, i.e. going above and beyond the requirement, even if the encryption isn't being performed by a FIPS-validated module.

Having a FIPS-validated module involved to protect the confidentiality of the data as it flies over networks outside of that controlled server room is important for these applications. This requirement could be met by configuring the underlying workload hosted within Proxmox to use a FIPS-validated module. For example, for file shares on a Windows Server, SMB can be configured to use an encryption algorithm that is part of the FIPS framework, and the underlying modules in the Windows server/desktop systems are already FIPS validated (for applicable encryption modes). One could go a step further and enforce FIPS mode on the Windows servers/computers, but this may break other services and may not be strictly required to demonstrate compliance.
 
FIPS is all about the processing and storing of data. The only way we were able to get around Proxmox not having FIPS validation is by using native encryption in the VMs. So any Windows VMs running on Proxmox are BitLocker encrypted, and any Linux VMs are LUKS encrypted. If Proxmox was FIPS validated like VMware, this wouldn't be a concern. It's still OK as long as you have it OK'd by the right people. DCSA auditors approved using the native OS encryption since Proxmox wasn't FIPS validated, so just make sure you go through the processes to make sure all the right people have approved it.
 
If you are concerned about encryption you can use your server hardware for that. As an example, on HPE servers with SED drives you can encrypt all your drives within the BIOS (Direct Attached NVMe) or in the RAID controller setup. They are unlocked at boot, no OS involved.

If you use the HPE NS204i boot controller, there is currently only one model that supports SED encryption, and you have to enable the encryption via the Redfish API, not via BIOS.

A possible downside is that (on Direct Attached NVMe) you can't export the encryption key from BIOS / TPM. If the drive is moved to another server you have to reinitialize it; you won't have access to the data on the drive.
 
I believe Proxmox is already approved for gov use.
With that being said, the challenge is still adhering to the compliance. What this really boils down to is encryption support. Specifically, encryption support at the FIPS 140-3 level supported by the vendor for both data-at-rest and data-in-transit. So if Proxmox (or Debian) can provide the appropriate cryptographic libraries and the underlying volumes can be encrypted, and also network traffic encrypted, and also meet all of the other requirements, then I don't think there would be an issue with using the product. STIG the system as if it were vanilla Debian. I have personally STIG'ed Ubuntu to meet compliance, which is just another variant of Debian. The most challenging part of the process was getting FIPS 140-2 working. It required a license from Canonical and then registering that license with their online servers in order to gain the necessary libraries. I would think that getting enterprise support through Proxmox would be the best way to get this working... and with the issues VMware is having with the Broadcom takeover, it would behoove Proxmox to step in with that support at the enterprise level.
Neither Proxmox nor Debian is FIPS certified like RHEL or vSphere, so you do have to make certain accommodations to get DCSA approval for use. But as long as you do those, it is possible to get it approved.