FIPS 140-2 Compliance

SQL Server 2008 R2 can be configured to be compliant with FIPS (Federal Information Processing Standard) 140-2. FIPS 140-2, "Security Requirements for Cryptographic Modules," specifies which encryption and hashing algorithms a validated module may use, and how encryption keys are to be generated and managed. Note that the validation applies to the cryptographic module, not to SQL Server itself: to configure SQL Server 2008 R2 to be compliant with FIPS 140-2, it must be running on a version of Microsoft Windows that is FIPS 140-2 certified or that provides a certified cryptographic module, and SQL Server must be made to use only that module.

  • What applications can be FIPS 140-2-compliant?

    Any application that performs encryption or hashing and that uses a validated version of a Microsoft Windows Cryptographic Service Provider can be compliant, provided it uses only the validated instances of the approved algorithms. The application must also satisfy the key generation and key management requirements, either by delegating to a Windows key function or by meeting those requirements in its own code.

  • Does turning the FIPS bit on mean all encryption will use only FIPS 140-2 validated algorithms?

    Not necessarily. In some cases, noncompliant algorithms or processes are allowed in a FIPS 140-2-compliant application. For example, data may be encrypted by using a noncompliant algorithm if, in this encrypted form, the data remains within the application (that is, it is never exported in this form), or if the data is further encrypted (wrapped) using a FIPS-compliant algorithm. Another example is a noncompliant hashing algorithm used only to identify data records, not for integrity hashing. In each case the noncompliant algorithm must not be relied on for the security property FIPS 140-2 governs.

For information about configuring SQL Server 2008 R2 to be compliant with FIPS 140-2, see Knowledge Base article 955720, Instructions for using SQL Server 2008 in FIPS 140-2-compliant mode.
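The following PowerShell script is an added example, not part of the original Books Online page or of KB 955720. It checks the two things a practitioner wants to confirm after following the Knowledge Base instructions: that the Windows FIPS algorithm policy is switched on at the operating-system level, and that the running SQL Server instance picked the policy up at service start-up. The registry paths are the well-known locations of the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy setting (Windows Vista / Windows Server 2008 and later store it under the FipsAlgorithmPolicy key; Windows Server 2003 stores it as a value directly under Lsa). The instance name, and the use of the word "FIPS" as a search string for the start-up messages that KB 955720 describes, are assumptions you should adjust to your environment.

```powershell
# Added example: verify FIPS 140-2 prerequisites for SQL Server 2008 R2.
# Not from the original documentation page; paths and parameters are assumptions.
param(
    # Assumed default instance on the local machine; use ".\INSTANCENAME" for a named instance.
    [string]$SqlInstance = "."
)

# Windows Vista / Server 2008 and later: DWORD "Enabled" under the FipsAlgorithmPolicy key.
$newKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
# Windows Server 2003: DWORD "FipsAlgorithmPolicy" directly under the Lsa key.
$oldKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

$enabled = $null
$prop = Get-ItemProperty -Path $newKey -Name Enabled -ErrorAction SilentlyContinue
if ($prop -ne $null) {
    $enabled = $prop.Enabled
} else {
    $prop = Get-ItemProperty -Path $oldKey -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($prop -ne $null) { $enabled = $prop.FipsAlgorithmPolicy }
}

if ($enabled -eq 1) {
    Write-Output "Windows FIPS algorithm policy: ENABLED"
} else {
    Write-Output "Windows FIPS algorithm policy: DISABLED (registry value: '$enabled')"
    Write-Output "Enable it in Local Security Policy > Local Policies > Security Options:"
    Write-Output "  'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'"
    Write-Output "then restart the SQL Server service; the policy is read at service start-up."
}

# SQL Server reads the policy only when the service starts, so a registry check alone is not
# proof. Search the current error log for the FIPS compliance start-up messages.
# xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server), search string.
$query = "EXEC master.dbo.xp_readerrorlog 0, 1, N'FIPS'"
Write-Output "Error-log entries mentioning FIPS on instance '$SqlInstance':"
& sqlcmd -S $SqlInstance -E -Q $query
```

Run the script in an elevated PowerShell session on the database server with a Windows login that can execute xp_readerrorlog. If the registry reports the policy as enabled but the error log shows no FIPS entries, the instance has not been restarted since the policy was changed, and it is not yet running in FIPS 140-2 mode regardless of what the registry says.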
