3

I've been tasked to find out what's required to use BitLocker (or any other FDE method/mechanism) in Windows 10 in "FIPS mode". This is outside the realm of my expertise (and I've advised the client to this fact), but I've endeavored to try to figure it out nonetheless. I've read a lot of information over the last several days but am at a loss to find a definitive answer. I've seen references to operating BitLocker in "FIPS mode" without finding any concrete information (that I could understand) on what that actually means. My question is this:

Is it required to enable the security policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" in order for BitLocker (or any other FDE method/mechanism) to operate in "FIPS mode"?

joeqwerty
  • 183
  • 1
  • 6

2 Answers

3

FIPS is a security standard; it stands for Federal Information Processing Standard.

If you enable a security policy setting that is FIPS-compliant you may have a lot of restrictions:

  • BitLocker will not allow creation or use of a recovery password. The standard forbids this.

  • BitLocker will only release keys to be stored on USB flash drives

  • BitLocker Drive Encryption is currently supported/restricted to specific versions of Windows.

  • BitLocker will only offer FIPS approved methods of validation

  • BitLocker will only operate in its FIPS-mode once volume conversion (encryption) has completed and the volume is fully encrypted.

    Practically, if you want to be FIPS-compliant you have to have encrypted the volume, then get rid of the recovery password. You will then have to use only one of the 2 protectors which are FIPS compliant: a data recovery agent or a recovery key for the volume. Additionally, in the group policy for FIPS, you can disable the possibility of creation of recovery passwords.

If you do the above, you're FIPS compliant and you should enable "Use FIPS compliant algorithms for encryption, hashing, and signing". If you don't need to be FIPS compliant, you can use BitLocker just fine and you don't need to restrict anything related.

The policy itself is not a requirement because you could correctly configure a FIPS compliant system without it being active, given you follow the FIPS compliance guidelines. But without that policy you could by mistake (and with high chance) configure something that does not comply with FIPS. The policy will prevent you from doing that and will filter your choices (regarding algorithms, encryption, etc.) so only the compliant ones will be available/displayed. That's the actual purpose of it.

Overmind
  • 8,779
  • 3
  • 19
  • 28
  • So to clarify: To use BitLocker and be FIPS compliant it's required to set the policy setting "Use FIPS compliant algorithms for encryption, hashing, and signing"? Using BitLocker without this policy setting would not be FIPS compliant? – joeqwerty Feb 28 '17 at 14:27
  • I have added some details about that. Basically, it helps but it's not 100% mandatory in order to be able to use FIPS. See – Overmind Mar 01 '17 at 08:28
  • https://docs.microsoft.com/en-us/windows/device-security/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies seems to indicate that this was "fixed" in 8.1 and 12R2, and that FIPS and recovery passwords will work in these and newer WinOSs – Bill Jul 27 '17 at 18:42
2

If you are looking to have a FIPS compliant system, and it seems like you are, then yes, you must enable this setting. The link that Bill provided in his comment to Overmind's answer confirms this. Overmind's information is incorrect since you are asking about Windows 10; it seems he is addressing Windows 7.

"Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. ... FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm." - https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-fipssupport

Regarding Windows 7: "A BitLocker recovery password has 48 digits. This password is used in a key derivation algorithm that is not FIPS-compliant." - https://support.microsoft.com/en-us/help/947249/the-recovery-password-for-windows-bitlocker-is-not-available-when-fips

pj123098
  • 21
  • 1
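The checks that both answers describe (FIPS policy enabled, volumes fully encrypted, and which key protector types are present, with recovery passwords treated differently on Windows 7 than on 8.1/10) can be audited from PowerShell. This is an added example, not code from either answer or from Microsoft; it assumes an elevated session with the BitLocker module (`Get-BitLockerVolume`) available and only reads state, changing nothing.

```powershell
# Read-only audit of BitLocker FIPS posture (added example, not from the page).
function Test-FipsBitLockerPosture {
    # The "Use FIPS compliant algorithms..." policy is backed by this registry value.
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fipsValue = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $fipsEnabled = ($fipsValue -eq 1)

    # Windows 8.1 / Server 2012 R2 report 6.3, Windows 10 reports 10.0; the doc
    # quoted in the second answer says recovery passwords are FIPS-capable from 6.3 on.
    $os = [Environment]::OSVersion.Version
    $rpSupportedInFips = ($os -ge [Version]'6.3')

    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $mp    = $vol.MountPoint
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # First answer: FIPS mode only applies once conversion has completed.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "${mp}: VolumeStatus is $($vol.VolumeStatus); FIPS mode applies only after encryption completes"
        }

        if ($types -contains 'RecoveryPassword') {
            if (-not $rpSupportedInFips) {
                # Windows 7 path: the 48-digit password uses a non-FIPS KDF.
                $findings += "${mp}: RecoveryPassword protector on pre-8.1 Windows is not FIPS-compliant; use a recovery key (ExternalKey) or DRA instead"
            } elseif (-not $fipsEnabled) {
                # Assumption: compliant recovery passwords must be generated while FIPS mode is on.
                $findings += "${mp}: FIPS policy is off; recovery passwords created in this state are assumed non-compliant, recreate after enabling the policy"
            }
        }
        # ExternalKey is the recovery-key protector both answers accept; DRA
        # protectors are not distinguished here (assumption: out of scope).
        if (-not ($types -contains 'ExternalKey' -or $types -contains 'RecoveryPassword')) {
            $findings += "${mp}: no recovery key or recovery password protector present; plan recovery before enforcing FIPS"
        }
    }

    [pscustomobject]@{
        FipsPolicyEnabled = $fipsEnabled
        OSVersion         = $os.ToString()
        Findings          = $findings
    }
}

Test-FipsBitLockerPosture | Format-List
```

An empty Findings list with FipsPolicyEnabled = True is the state the second answer describes for Windows 10; any finding lists the volume and the specific condition to fix before enforcing the policy.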