Host-based backup of VMware vSphere VMs.
Post Reply
collinp
Expert
Posts: 239
Liked: 13 times
Joined: Feb 14, 2012 8:56 pm
Full Name: Collin P
Contact:

Veeam FIPs Compliance Question

Post by collinp »

Is there a compliance expert within Veeam who can answer this (ticket #04157710)? We are having a hard time passing a CJIS compliance audit.

1. Our auditor requires us to point at a specific certificate (or multiple ones) that the Veeam software is using to protect backup data, because CJIS dictates that all encryption must be FIPS validated.

2. We need the exact FIPS certificates. It is very difficult to sort through these on Microsoft’s or NIST’s site without at least knowing the exact crypto module and cipher suite they are using for the agent encryption, and then the certs involved just vary based on the OS version.

3. The minimum that we probably need from Veeam is a statement of the specific Microsoft crypto module and algorithm (cipher suite) they use, so that we can then find the certs based on OS. I would guess the answer will be the Cryptographic Primitives Library (bcryptprimitives.dll and/or ncryptsslp.dll), or possibly the Kernel Mode Cryptographic Primitives Library (cng.sys). From Veeam’s web documentation it sounds like the algorithm is AES-256 in CBC mode? I am just guessing though. We need confirmation.
Brad.linch
VeeaMVP
Posts: 408
Liked: 153 times
Joined: Mar 15, 2018 6:25 pm
Full Name: Brad Linch
Contact:

Re: Veeam FIPs Compliance Question

Post by Brad.linch »

Manager, Enterprise SEs
VMCA
http://Linchtips.com
Gostev
Chief Product Officer
Posts: 31826
Liked: 7317 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam FIPs Compliance Question

Post by Gostev »

And yes, the documentation you referenced is correct.
bmccorkle
Lurker
Posts: 1
Liked: never
Joined: Jul 20, 2016 3:41 pm
Full Name: Brandon McCorkle
Contact:

Re: Veeam FIPs Compliance Question

Post by bmccorkle »

I don't believe this is the correct answer. You seem to point him to the FIPS certified version of Veeam B&R which uses the Veeam cryptographic module. That's not the same version as what is generally downloaded from the Veeam website. Veeam's own documentation says the website version uses the Microsoft encryption libraries (https://helpcenter.veeam.com/docs/backu ... ml?ver=100). So he would need the Microsoft FIPS certificate for the bcryptprimitives.dll. Unless they paid for the FIPS version of Veeam.
HannesK
Product Manager
Posts: 14852
Liked: 3093 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam FIPs Compliance Question

Post by HannesK »

Hello,
the FIPS version does not cost different. It's a separate download for eligible customers. Your local Veeam rep should be able to help out to get it (I assume that organizations that need to use the FIPS version are not Community Edition customers).

UPDATE EDIT: FIPS is in the general settings https://helpcenter.veeam.com/docs/backu ... iance.html - no separate download is needed anymore

Best regards,
Hannes
Post Reply

Who is online

Users browsing this forum: Baidu [Spider], denispirvulescu, musicwallaby, ybarrap2003 and 107 guests