Is there a compliance expert within Veeam who can answer this (ticket #04157710)? We are having a hard time passing a CJIS compliance audit.
1. Our auditor requires us to point at a specific certificate (or multiple ones) that the Veeam software is using to protect backup data, because CJIS dictates that all encryption must be FIPS validated.
2. We need the exact FIPS certificates. It is very difficult to sort through these on Microsoft’s or NIST’s site without at least knowing the exact crypto module and cipher suite they are using for the agent encryption, and then the certs involved just vary based on the OS version.
3. The minimum that we probably need from Veeam is a statement of the specific Microsoft crypto module and algorithm (cipher suite) they use, so that we can then find the certs based on OS. I would guess the answer will be the Cryptographic Primitives Library (bcryptprimitives.dll and/or ncryptsslp.dll), or possibly the Kernel Mode Cryptographic Primitives Library (cng.sys). From Veeam’s web documentation it sounds like the algorithm is AES-256 in CBC mode? I am just guessing though. We need confirmation.
-
collinp
- Expert
- Posts: 230
- Liked: 13 times
- Joined: Feb 14, 2012 8:56 pm
- Full Name: Collin P
- Contact:
-
Brad.linch
- VeeaMVP
- Posts: 403
- Liked: 151 times
- Joined: Mar 15, 2018 6:25 pm
- Full Name: Brad Linch
- Contact:
Re: Veeam FIPs Compliance Question
https://csrc.nist.gov/projects/cryptogr ... icate/2872
https://csrc.nist.gov/csrc/media/projec ... sp2872.pdf
https://csrc.nist.gov/csrc/media/projec ... sp2872.pdf
Manager, Enterprise SEs
VMCA
http://Linchtips.com
VMCA
http://Linchtips.com
-
Gostev
- Chief Product Officer
- Posts: 31559
- Liked: 6724 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam FIPs Compliance Question
And yes, the documentation you referenced is correct.
-
bmccorkle
- Lurker
- Posts: 1
- Liked: never
- Joined: Jul 20, 2016 3:41 pm
- Full Name: Brandon McCorkle
- Contact:
Re: Veeam FIPs Compliance Question
I don't believe this is the correct answer. You seem to point him to the FIPS certified version of Veeam B&R which uses the Veeam cryptographic module. That's not the same version as what is generally downloaded from the Veeam website. Veeam's own documentation says the website version uses the Microsoft encryption libraries (https://helpcenter.veeam.com/docs/backu ... ml?ver=100). So he would need the Microsoft FIPS certificate for the bcryptprimitives.dll. Unless they paid for the FIPS version of Veeam.
-
HannesK
- Product Manager
- Posts: 14321
- Liked: 2890 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam FIPs Compliance Question
Hello,
the FIPS version does not cost different. It's a separate download for eligible customers. Your local Veeam rep should be able to help out to get it (I assume that organizations that need to use the FIPS version are not Community Edition customers).
UPDATE EDIT: FIPS is in the general settings https://helpcenter.veeam.com/docs/backu ... iance.html - no separate download is needed anymore
Best regards,
Hannes
the FIPS version does not cost different. It's a separate download for eligible customers. Your local Veeam rep should be able to help out to get it (I assume that organizations that need to use the FIPS version are not Community Edition customers).
UPDATE EDIT: FIPS is in the general settings https://helpcenter.veeam.com/docs/backu ... iance.html - no separate download is needed anymore
Best regards,
Hannes
Who is online
Users browsing this forum: No registered users and 94 guests