5

One can configure SQL Server 2008 to run in FIPS 140-2 compliant mode in the same manner as running BitLocker in FIPS 140-2 compliant mode, which is to activate FIPS 140-2 compliant mode in the Local Group Policy Editor dialog.

From Instructions for using SQL Server 2008 in FIPS 140-2-compliant mode:

...you must run SQL Server 2008 on an operating system that uses a FIPS 140-2-validated Cryptographic Service Provider or that provides a cryptographic module that has been validated.

What 'Cryptographic module' does SQL Server 2008 use by default when FIPS 140-2 compliance mode is activated in the group policy editor on a Windows Server 2008 machine?

Mark Rogers

2 Answers

2

You can find all official and validated modules on the website of nist.gov. SQL Server could make use of NetLib® Encryptionizer® DE/FIPS (number 1532).

Although it will probably make use of the standard Server 2008 encryption libraries, which provide AES encryption (the standard encryption in SQL Server 2008). I believe that dssenh.dll (Cert 1338) and rsaenh.dll (Cert 1337) have been FIPS 140-2 validated.

Lucas Kauffman
  • Sure, I've seen that one, but my question is about what will be used by default when one enables FIPS 140-2 compliance. Will it default to BitLocker? – Mark Rogers Jan 23 '12 at 23:38
  • Updated my answer. :) – Lucas Kauffman Jan 24 '12 at 08:31
  • SQL Server 2008 doesn't have a FIPS 140-2 certification. What component of this setup is certified? Only by running a certified 'cryptographic module' is one truly FIPS 140-2 compliant. AES are approved algorithms but they are only a part of FIPS 140-2 requirements. – Mark Rogers Jan 24 '12 at 13:57
  • I'm not talking about SQL Server; I am talking about the libraries integrated in the certified cryptographic libraries in Windows Server 2008. – Lucas Kauffman Jan 24 '12 at 18:15
  • What is the certificate number on those, so that I can look it up? I think you're probably right, but I'm not sure which 'certified cryptographic libraries' you are referring to, and that's what the question is ultimately trying to get at. – Mark Rogers Jan 24 '12 at 18:36
  • number 1336 FILLER – Lucas Kauffman Jan 24 '12 at 19:45
  • 1
    Cert 1336 is the Crypto API primitives library which is not a Cryptographic Service Provider (CSP). However, it does, I believe, form the basis for certs 1337 and 1338 which are CSPs. – logicalscope Jan 24 '12 at 19:52
  • Indeed, happy :p ? – Lucas Kauffman Jan 24 '12 at 20:14
2

I believe that SQL Server will make use of the default cryptographic service providers within Windows Server 2008 R2. Windows comes with several default CSPs, which you should be able to find in the registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

It is my understanding that dssenh.dll (Cert 1338) and rsaenh.dll (Cert 1337) have been FIPS 140-2 validated.

logicalscope
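
The following PowerShell is an added example, not part of the answers above: it reads the FIPS policy flag and lists each CSP registered under the provider key the second answer names, with the file version of its DLL so it can be checked against the module versions listed on the NIST certificates. The `FipsAlgorithmPolicy` key path and the `Image Path` and `Type` value names are not on the page; they are the standard Windows locations and are assumed here.

```powershell
# Added example: inventory the FIPS policy flag and the registered CSPs.
# Written to run on PowerShell 2.0 (the version shipped with Server 2008 R2).

# Registry value behind the "System cryptography: Use FIPS compliant
# algorithms..." security option (path not on the page, assumed standard).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue
$fipsEnabled = ($null -ne $fips) -and ($fips.Enabled -eq 1)
"FIPS algorithm policy enabled: $fipsEnabled"

# Provider key named in the answer above; one subkey per registered CSP.
$provKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'

$report = Get-ChildItem -Path $provKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $image = $props.'Image Path'
    $version = 'no image path'

    if ($image) {
        # The value may be a bare file name or contain %SystemRoot%.
        $image = [Environment]::ExpandEnvironmentVariables($image)
        if (-not [IO.Path]::IsPathRooted($image)) {
            $image = Join-Path ([Environment]::SystemDirectory) $image
        }
        if (Test-Path -LiteralPath $image) {
            $version = (Get-Item -LiteralPath $image).VersionInfo.FileVersion
        } else {
            $version = 'file not found'
        }
    }

    New-Object PSObject -Property @{
        Provider    = $_.PSChildName
        Type        = $props.Type
        Image       = $image
        FileVersion = $version
    }
}

# Compare FileVersion for rsaenh.dll and dssenh.dll with the versions
# listed on the certificates cited in the answers (1337 and 1338).
$report | Select-Object Provider, Type, Image, FileVersion |
    Sort-Object Provider | Format-Table -AutoSize
```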