LiquidFiles Documentation
Updated v4.2

Enabling FIPS mode

If you're running LiquidFiles v4.2 (or later) and have an Ubuntu Pro license attached to your LiquidFiles system (Admin → System → Pro), you can enable Ubuntu Pro FIPS mode. LiquidFiles v4.2 uses Ubuntu 22.04 LTS, and enabling FIPS mode will install packages that have been certified against FIPS 140-3.

When is FIPS mode required?

Enabling FIPS mode is typically required when your organisation needs to comply with regulations that mandate the use of FIPS 140-validated cryptographic modules. Common examples include:

  • CMMC Level 2 and Level 3 — The Cybersecurity Maturity Model Certification requires FIPS-validated cryptography under NIST SP 800-171 control 3.13.10 ("Employ FIPS-validated cryptography when used to protect the confidentiality of CUI"). If your organisation handles Controlled Unclassified Information (CUI) and is pursuing CMMC certification, enabling FIPS mode on your LiquidFiles appliance satisfies this control.
  • FedRAMP — Federal Risk and Authorization Management Program requires FIPS 140-validated encryption for cloud services used by US federal agencies.
  • Other US federal and DoD requirements — Any environment subject to FISMA, DFARS, or other federal mandates that reference FIPS 140 compliance.

If you are not subject to any of the above regulations, enabling FIPS mode is optional. LiquidFiles uses strong, industry-standard encryption in all configurations regardless of whether FIPS mode is enabled.

Considerations

One-way operation

The first consideration is that enabling FIPS mode is a one-way operation. It's not possible to disable FIPS mode, so if you no longer wish to use it, you will need to install a new LiquidFiles system that doesn't have FIPS mode enabled and migrate to that system.

ClamAV

The second consideration is that full LiquidFiles functionality requires running ClamAV v1.5 beta. ClamAV before v1.5 beta uses MD5 to validate that antivirus signatures have been downloaded successfully, and once FIPS mode has been enabled, anything that uses MD5 will simply not be executed, so AV signature validation will fail.

If you don't wish to use a beta version of ClamAV, your only other option is to disable AV scanning in Admin → Configuration → Settings. You can possibly install another (FIPS compatible) AV engine. If you do, it needs to have a command line interface that can scan files ad-hoc from a script, and you can use ActionScripts to integrate another AV scanner with LiquidFiles. Please note that Microsoft Defender doesn't work because it doesn't have a command line interface that can scan files from a script.

Can I enable FIPS on earlier versions of LiquidFiles?

No. There were auxiliary libraries in LiquidFiles v4.1 and earlier that used MD5 for non-security related functions (a faux randomizer for instance), and enabling FIPS mode on an earlier system will break the system to the point that you will need to reinstall it. These libraries have been replaced or updated in LiquidFiles v4.2 to make it fully FIPS compliant.

Enabling FIPS mode

With those caveats out of the way, here's what you actually need to do. First, please go to Admin → System → Pro and attach your Ubuntu Pro license. When the license has been attached, please log in to the LiquidFiles Console and run the command:

ft fips_enable

This will install ClamAV v1.5 beta and enable Ubuntu Pro FIPS mode in one go.

If you instead prefer to disable ClamAV, you can enable Ubuntu Pro FIPS mode using

pro enable fips-updates

If you use this command and don't install ClamAV v1.5 beta, ClamAV updates will not work properly, so this approach is not advisable unless AV scanning is disabled.
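
To confirm the outcome of either command, the following added example (not part of the LiquidFiles documentation or tooling) reads the Linux kernel's FIPS flag and probes whether MD5 is refused, which is the behaviour that breaks signature validation in ClamAV before v1.5 beta. It assumes /proc/sys/crypto/fips_enabled is readable and that the openssl CLI is installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example (constructed): post-change check for FIPS mode on the appliance OS.
# Function names are illustrative and not part of LiquidFiles or Ubuntu Pro.

# Linux kernel FIPS flag: "1" when the kernel is running in FIPS mode.
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"

# kernel_fips_state [FILE] -> enabled | disabled | unknown
kernel_fips_state() {
    flag_file="${1:-$FIPS_FLAG}"
    [ -r "$flag_file" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$flag_file")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# md5_state CMD [ARGS...] -> blocked | allowed | untested
# Runs an MD5 command on empty input; a non-zero exit counts as "refused".
md5_state() {
    command -v "$1" >/dev/null 2>&1 || { echo untested; return 0; }
    if "$@" </dev/null >/dev/null 2>&1; then echo allowed; else echo blocked; fi
}

# fips_verdict KERNEL_STATE MD5_STATE -> one-line summary
fips_verdict() {
    case "$1:$2" in
        enabled:blocked)  echo "OK: FIPS mode active and MD5 is refused" ;;
        enabled:allowed)  echo "WARN: kernel reports FIPS mode but MD5 still works" ;;
        enabled:untested) echo "PARTIAL: FIPS mode active, MD5 probe not available" ;;
        disabled:*)       echo "FIPS mode is not active" ;;
        *)                echo "UNKNOWN: cannot read the kernel FIPS flag" ;;
    esac
}

# Assumption: the openssl CLI is installed and "openssl md5" is a fair MD5 probe.
fips_verdict "$(kernel_fips_state)" "$(md5_state openssl md5)"
```

Because enabling FIPS mode cannot be undone, running the check once before the change and once after gives a record of the state on both sides.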