System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing - Windows 10 (2024)

Applies to

  • Windows 11
  • Windows 10

This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting.

Reference

The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the United States federal government.

TLS/SSL

This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS_RSA_WITH_3DES_EDE_CBC_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements.
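As an added example (not part of the Microsoft article), the following PowerShell audits which cipher suites the local Schannel provider currently offers and flags the ones tied to the algorithms named above: 3DES for bulk encryption, SHA-1 for hashing, and the specific TLS_RSA_WITH_3DES_EDE_CBC_SHA suite. It assumes the built-in TLS module (Get-TlsCipherSuite) available on Windows 10 and Windows Server 2016 or later.

```powershell
# Added example, not code from the Microsoft article.
# Assumes the TLS module's Get-TlsCipherSuite cmdlet (Windows 10 / Server 2016+).
function Get-LegacyTlsSuiteReport {
    [CmdletBinding()]
    param()

    foreach ($suite in Get-TlsCipherSuite) {
        # 3DES is the only bulk cipher the policy text allows for TLS.
        $uses3Des = ($suite.Cipher -eq '3DES') -or ($suite.Name -like '*3DES*')
        # Suite names ending in "_SHA" use SHA-1 for their HMAC.
        $usesSha1 = ($suite.Hash -eq 'SHA1') -or ($suite.Name -like '*_SHA')
        $isPolicySuite = ($suite.Name -eq 'TLS_RSA_WITH_3DES_EDE_CBC_SHA')

        [pscustomobject]@{
            Name            = $suite.Name
            Cipher          = $suite.Cipher
            Hash            = $suite.Hash
            Exchange        = $suite.Exchange
            Uses3DES        = [bool]$uses3Des
            UsesSHA1        = [bool]$usesSha1
            IsFipsPolicySuite = [bool]$isPolicySuite
            Legacy          = [bool]($uses3Des -or $usesSha1)
        }
    }
}

# Show only the suites that still rely on 3DES or SHA-1, and whether the
# single suite named in the policy text is among those offered.
Get-LegacyTlsSuiteReport | Where-Object { $_.Legacy } | Format-Table -AutoSize
```

Run it on both peers before enabling the policy: if neither side offers a suite the other accepts, the TLS handshake will fail as described under Potential impact.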

Encrypting File System (EFS)

For the EFS service, this policy setting supports the 3DES and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. To encrypt file data, by default EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in Windows Server 2003, Windows Vista, and later, and it uses the DESX algorithm in Windows XP.

Remote Desktop Services (RDS)

If you're using Remote Desktop Services, this policy setting should only be enabled if the 3DES encryption algorithm is supported.

BitLocker

For BitLocker, this policy setting needs to be enabled before any encryption key is generated. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 and later when this policy is enabled are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; BitLocker will prevent the creation or use of recovery passwords on these systems, so recovery keys should be used instead. Additionally, if a data drive is password-protected, it can be accessed by a FIPS-compliant computer after the password is supplied, but the drive will be read-only.

Possible values

  • Enabled
  • Disabled
  • Not defined

Best practices

We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode.

For a complete list of Microsoft-recommended configuration settings, see Windows security baselines. For more information about Windows and FIPS 140-2, see FIPS 140 Validation.

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Default values

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.

Server type or GPO                           Default value
Default Domain Policy                        Not defined
Default Domain Controller Policy             Not defined
Stand-Alone Server Default Settings          Disabled
DC Effective Default Settings                Disabled
Member Server Effective Default Settings     Disabled
Client Computer Effective Default Settings   Disabled

Operating system version differences

When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and Windows Server 2003 implementations of EFS use the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX.

When this setting is enabled, BitLocker generates recovery passwords or recovery keys applicable to the following versions:

Operating systems                                      Applicability
Windows 10, Windows 8.1, and Windows Server 2012 R2    When created on these operating systems, the recovery password can't be used on other systems listed in this table.
Windows Server 2012 and Windows 8                      When created on these operating systems, the recovery key can be used on other systems listed in this table as well.
Windows Server 2008 R2 and Windows 7                   When created on these operating systems, the recovery key can be used on other systems listed in this table as well.
Windows Server 2008 and Windows Vista                  When created on these operating systems, the recovery key can be used on other systems listed in this table as well.

Policy management

This section describes features and tools that are available to help you manage this policy.

Restart requirement

None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.

Group Policy

Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to Not Configured, local settings will apply.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

You can enable this policy setting to ensure that the device uses the most powerful algorithms that are available for digital encryption, hashing, and signing. Use of these algorithms minimizes the risk of compromise of digitally encrypted or signed data by an unauthorized user.

Countermeasure

Enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting.

Potential impact

Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices aren't configured to use the same encryption algorithms.


FAQs

How do I enable System cryptography use FIPS compliant algorithms for encryption hashing and signing?

Setting the FIPS Configuration Property

To use the group policy setting, open the Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options , and enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting.

How do I encrypt FIPS in Windows 10?

To open the Group Policy editor, press Start, press Run, type gpedit.msc, and press Enter. In the Details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing. Select Enabled, and press OK or Apply.

What is the FIPS compliant encryption algorithm?

AES encryption is compliant with FIPS 140-2. It's a symmetric encryption algorithm that uses cryptographic key lengths of 128, 192, and 256 bits to encrypt and decrypt a module's sensitive information. AES algorithms are notoriously difficult to crack, with longer key lengths offering additional protection.

How do I turn off FIPS mode in Windows 10?

Locate the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” setting in the right pane and double-click it. Set the setting to “Disabled” and click “OK.”

How do I disable FIPS compliant algorithms?

In Security Settings, expand Local Policies, and then click Security Options. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Disabled. This change takes effect after the local security policy is re-applied.

How do I make my computer FIPS compliant?

In Local Group Policy Editor, select Computer Configuration > Windows Settings > Security settings > Local Policies > Security Options. Open System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

How to check if FIPS is enabled in Windows?

Overview. Open up your registry editor and navigate to HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled. If the Enabled value is 0 then FIPS is not enabled. If the Enabled value is 1 then FIPS is enabled.

How do I enable encryption in Windows 10?

To turn on Windows device encryption

For more info, see Create a local or administrator account in Windows 10. Select the Start button, then select Settings > Update & Security > Device encryption. If Device encryption doesn't appear, it isn't available. If device encryption is turned off, select Turn on.

How to bypass FIPS mode?

About exiting FIPS mode

For the device to exit FIPS mode, you can use one of the following reboot methods: Automatic reboot: the system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, specifies the file as the startup configuration file, and reboots to enter non-FIPS mode.

What is FIPS in Windows?

FIPS stands for “Federal Information Processing Standards.” It is a set of government standards that define how certain things are used in the government, for example, encryption algorithms. This setting is not available on the Home version of Microsoft Windows.

What is FIPS cryptography mode?

FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within U.S. non-military government agencies and by U.S. government contractors and vendors who work with the agencies.

How to get FIPS compliance?

For a security solution to be deemed FIPS certified, its entire product must meet the requirements of the FIPS (Federal Information Processing Standards) and adhere to its standards pertaining to document processing, encryption and dissemination.

How do I enable FIPS encryption?

Windows
  1. On the Windows Start menu, open Local Security Policy.
  2. Expand the Local Policies options and double-click Security Options.
  3. Search for the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing option and double-click it to open the settings.
  4. Select Enabled.

Why we're not recommending FIPS mode?

The non-FIPS versions have been available much longer (and so are used more widely) and are usually much faster. If FIPS mode is enabled, the non-FIPS algorithms throw an error and the application fails. So basically, if FIPS mode is enabled, most applications using cryptographic functionality fail.
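As an added example (not from the article or from Microsoft), this PowerShell ties together the registry check described under "How to check if FIPS is enabled in Windows?" and the application failure described just above: it reads the Enabled value under the Lsa\FIPSAlgorithmPolicy key, compares it with what the .NET runtime reports, and probes whether the purely managed SHA-256 class is blocked while the CNG-backed one still works. It assumes Windows PowerShell 5.1 (.NET Framework), where the managed algorithm classes honour the policy; newer .NET runtimes no longer enforce it in managed code.

```powershell
# Added example, not code from the article. Assumes Windows PowerShell 5.1 (.NET Framework).
function Test-FipsPolicy {
    [CmdletBinding()]
    param()

    # Registry location named in the FAQ above; a missing value counts as disabled.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
    $enabledValue = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $policyOn = ($enabledValue -eq 1)

    # .NET Framework exposes the same policy through CryptoConfig.AllowOnlyFipsAlgorithms.
    $runtimeOn = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # The managed SHA-256 implementation is not part of the validated Windows module,
    # so under the policy its constructor throws; the CNG-backed class is validated and works.
    $managedBlocked = $false
    try   { $null = [System.Security.Cryptography.SHA256Managed]::new() }
    catch { $managedBlocked = $true }

    $cngAvailable = $false
    try   { $null = [System.Security.Cryptography.SHA256Cng]::new(); $cngAvailable = $true }
    catch { }

    [pscustomobject]@{
        RegistryEnabledValue  = $enabledValue
        PolicyEnabled         = $policyOn
        RuntimeReportsFips    = $runtimeOn
        SHA256ManagedBlocked  = $managedBlocked
        SHA256CngAvailable    = $cngAvailable
    }
}

Test-FipsPolicy | Format-List
```

On a machine with the policy enabled, expect SHA256ManagedBlocked to be True and SHA256CngAvailable to be True; that pair is the concrete form of "the non-FIPS algorithms throw an error" in the answer above.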

How do I enable FIPS mode?

In the Local Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Find the setting named "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" and double-click on it.

How do I enable FIPS mode in SSH?

To enable FIPS mode on the client side, set the FIPSMODE keyword to yes and set the CiphersSource, MACsSource, KexAlgorithmsSource keywords to any or ICSF in the z/OS-specific OpenSSH client configuration files, zos_ssh_config or zos_user_ssh_config.

How do I enable FIPS transfer mode?

To activate FIPS Mode:
  1. From the Tools menu, select Options. The Program Options dialog opens.
  2. In the left pane, select FIPS.
  3. Select the Operate cryptographic module in FIPS 140-2 mode option. ...
  4. Restart (close, then re-open) the WS_FTP application.

How do I enable FIPS compliance BitLocker?

See if BitLocker is using FIPS encryption

  1. Open the 'Local Security Policy' app (Start Menu → Local Security Policy).
  2. Open Local Policies >> Security Options.
  3. Double-click "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".

Article information

Author: Golda Nolan II
