Secure Splunk Enterprise with FIPS

The Federal Information Processing Standards (FIPS) are a collection of standards that govern the requirements for security and interoperability on computer systems to meet the regulatory guidelines of the agencies of the United States federal government. The National Institute of Standards and Technology (NIST) developed FIPS to provide, among other things, the specifications for the distribution of some cryptographic algorithms for those computer systems. FIPS Publication Nos. 140-2 and 140-3 provide specific guidance on the use of cryptographic modules.

Splunk supports both FIPS publications in the context of providing FIPS functionality for Splunk Enterprise. Splunk Enterprise supports the use of FIPS mode to meet FIPS guidelines, and includes modules that comply with FIPS. Enable FIPS mode on Splunk Enterprise if it is a regulatory requirement for your environment, for example, if you are a contractor of the United States government and have a requirement to comply with FIPS.

For additional information on Splunk support for FIPS compliance, visit the Splunk Compliance page. For best practices on maintaining compliance with FIPS, see Best practice for maintaining compliance with FIPS and Common Criteria in your Splunk Enterprise environment.

About Splunk Enterprise and the FIPS module

Splunk Enterprise and the universal forwarder use two versions of an embedded cryptographic FIPS module. These module versions are available to activate for the Linux and Windows operating systems.

The two versions of the cryptographic modules are:

  Module Number   FIPS support level   Notes
  5044            FIPS 140-2           Interim certificate, expires 21-Sep-2026
  4781            FIPS 140-3           Interim certificate to be replaced, expires 26-Aug-2026

When you turn on FIPS mode for Splunk Enterprise, the software uses one of these modules to ensure that cryptographic functions operate to FIPS standards. It turns off encryption algorithms that do not comply with those standards.

Currently, the FIPS 140-2 module is supported for FIPS compliance, but support for that module will end in September of 2026. The FIPS 140-3 module is available now for support after this date. By default, Splunk Enterprise uses the FIPS 140-2 module, but you can change this module to FIPS 140-3 when you turn on FIPS for the instance on which Splunk Enterprise runs. You can also switch between modes at any time.

Prerequisites for using FIPS on Splunk Enterprise

Following are the requirements for using Splunk Enterprise in FIPS mode. Read carefully and ensure you meet them all before attempting to turn on FIPS mode on the Splunk Enterprise instance.

  • Splunk Enterprise must run on a computer that uses the 64-bit Intel x86 processing architecture. There is no support for other architectures.
  • The operating system that runs on the computer must support FIPS, and must itself operate in FIPS mode. Currently, the following operating systems are available for use with FIPS:
    • Windows 10 x86 (64-bit)
    • Windows 11 x86 (64-bit)
    • Windows Server 2019 x86 (64-bit)
    • Windows Server 2022 x86 (64-bit)
    • Ubuntu 16.04 x86 (64-bit)
    • Ubuntu 18.04 x86 (64-bit)
    • Ubuntu 20.04 x86 (64-bit)
    • Ubuntu 22.04 x86 (64-bit)
    • Red Hat Enterprise Linux 8 x86 (64-bit)
    • Red Hat Enterprise Linux 9 x86 (64-bit)
    • CentOS 8 x86 (64-bit)
  • For your Splunk Enterprise deployment to be fully FIPS compliant, all nodes in the deployment must use transport layer security (TLS) version 1.2 or higher when they connect to other nodes in the deployment. See "Configure TLS version 1.2 for FIPS" later in this topic for additional information and high-level procedures.
  • Any Splunk apps that you want to run on an instance with FIPS mode turned on must be certified to run in FIPS mode and cannot have dependencies on unsupported algorithms and ciphers such as Message Digest 5 (MD5) and Rivest Cipher 4 (RC4).

Security considerations for enabling FIPS mode

When you enable FIPS mode on Splunk Enterprise, you must understand the following considerations and caveats:

  • Do not consider turning on FIPS mode on Splunk Enterprise a security enhancement on its own. FIPS mode is one of several strategies you can employ to improve security for Splunk software.
  • FIPS mode works only if the operating system on which you run Splunk Enterprise also runs in FIPS mode. See the documentation for your operating system for instructions on how to activate FIPS mode for it.
  • You must turn on FIPS mode before you start Splunk Enterprise the first time. FIPS mode is active only when you enable it on a machine that runs a FIPS-compliant operating system kernel that is itself in FIPS mode. If you run Splunk Enterprise on a Linux machine that runs a kernel that is in FIPS mode, Splunk Enterprise turns on FIPS mode automatically.
  • Turning on FIPS mode can potentially reduce overall Splunk Enterprise performance.
  • The FIPS module turns off some cryptographic algorithms, such as MD5 and RC4, in the instance of Python that Splunk software uses to run apps.
  • There are two FIPS modes that are available: FIPS 140-2 and FIPS 140-3. You can set these modes by editing a configuration file to tell Splunk Enterprise in which mode you want to operate.

Configure TLS version 1.2 for FIPS

Before you turn on and use FIPS for your Splunk Enterprise deployment, you must configure every node in the deployment to use TLS version 1.2 or higher for encrypted network connections between the nodes.

Several Splunk configuration (.conf) files support the configuration of network connections between Splunk Enterprise and universal forwarder instances using TLS. The configuration file that you use depends on either the type of instances you want to connect, the individual services that run on those instances, or a combination of both. For additional details including examples on configuring the network encryption protocols, see Configure TLS protocol version support for secure connections between Splunk platform instances.

In any case, both sides of the connection must use TLS version 1.2 for the deployment to be in compliance with FIPS. Older protocol versions, such as SSLv3, TLS 1.0, and TLS 1.1, are not acceptable for FIPS-compliant operations.

Following is a high-level procedure on configuring network protocol encryption on individual Splunk platform instances:

  1. On the instance that is to receive the connection, open the appropriate configuration file for the type of connection you want to secure with TLS 1.2 for editing.
  2. Add or change the appropriate sslVersions or sslVersionsforClient lines under the appropriate stanza in the configuration file. At a minimum, the line must contain tls1.2 as one of the values.
  3. Save the configuration file and close it.
  4. Restart or reload the Splunk configuration on the instance.
  5. Repeat these steps on the instance that is making the connection.

You might want to use a deployment server to deliver configuration settings to your Splunk platform instances.
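To check the outcome of this procedure on a node, here is an added audit script (not part of Splunk or its documentation) that reads the sslVersions and sslVersionsForClient lines from a .conf file and flags any setting that omits tls1.2 or still enables SSLv3, TLS 1.0 or TLS 1.1. It assumes the Splunk value syntax of a comma-separated list in which * enables every version and a leading - excludes one; the sample files it reads are constructed.

```sh
#!/bin/sh
# Added audit example, not Splunk's own tooling: check the sslVersions and
# sslVersionsForClient settings in a Splunk .conf file against the FIPS
# requirement above. A setting passes only if it enables tls1.2 (or tls1.3)
# and does not enable ssl3, tls1.0 or tls1.1. Assumed value syntax: a
# comma-separated list where '*' enables every version and a '-' prefix
# excludes one (for example '*,-ssl2').

# check_ssl_versions FILE: prints one verdict per setting; returns 0 only if
# at least one setting was found and every setting passes.
check_ssl_versions() {
    file="$1"; rc=0; found=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        found=1
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:blank:]')
        val=$(printf '%s' "$line" | cut -d= -f2- | tr -d '[:blank:]' | tr 'A-Z' 'a-z')
        wild=0; modern=0; legacy_on=""
        case ",$val," in *,\*,*) wild=1; modern=1 ;; esac
        case ",$val," in *,tls1.2,*|*,tls1.3,*) modern=1 ;; esac
        for legacy in ssl3 tls1.0 tls1.1; do
            case ",$val," in
                *,"$legacy",*)  legacy_on="$legacy_on $legacy" ;;   # listed explicitly
                *,-"$legacy",*) ;;                                  # excluded explicitly
                *) [ "$wild" -eq 1 ] && legacy_on="$legacy_on $legacy" ;;  # enabled via '*'
            esac
        done
        if [ "$modern" -eq 1 ] && [ -z "$legacy_on" ]; then
            printf 'PASS %s = %s\n' "$key" "$val"
        else
            printf 'FAIL %s = %s (tls1.2 present: %s; legacy enabled:%s)\n' \
                "$key" "$val" "$modern" "${legacy_on:- none}"
            rc=1
        fi
    done <<EOF
$(grep -Ei '^[[:space:]]*sslversions(forclient)?[[:space:]]*=' "$file")
EOF
    [ "$found" -eq 1 ] || { echo "FAIL no sslVersions settings found in $file"; rc=1; }
    return $rc
}

# Constructed sample files (not real deployment configuration).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
printf '[sslConfig]\nsslVersions = tls1.2\nsslVersionsForClient = tls1.2, tls1.3\n' > "$GOOD_CONF"
printf '[sslConfig]\nsslVersions = *,-ssl2\nsslVersionsForClient = tls1.1, tls1.2\n' > "$BAD_CONF"

check_ssl_versions "$GOOD_CONF"
check_ssl_versions "$BAD_CONF" || echo "BAD_CONF does not meet the FIPS TLS requirement"
```

Run it against each node's server.conf, inputs.conf and outputs.conf after the restart, and treat any FAIL line as a node that is not yet ready for FIPS mode.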

Turn on and manage FIPS mode in Splunk Enterprise

Always turn on FIPS mode when you first install Splunk software. If you install the software without FIPS mode turned on, you cannot turn it on during an upgrade later, and must either reinstall, or install a new version of the software.

  1. Confirm that the operating system on the machine that will run the Splunk Enterprise instance runs in FIPS mode. Review the documentation for your operating system for instructions on how to turn FIPS mode on.
  2. Install Splunk Enterprise onto the machine, if you have not already.
  3. Before you start Splunk Enterprise for the first time, use a text editor to edit the $SPLUNK_HOME/etc/splunk-launch.conf configuration file.
  4. Add the following line to the file:
    SPLUNK_FIPS=1
  5. (Optional) Specify the FIPS mode in which you want to operate. There are two modes: FIPS 140-2 (the default) and FIPS 140-3. To operate in FIPS 140-2 mode, either do nothing or add the following line to the file:
    SPLUNK_FIPS_MODE=140-2

    To operate in FIPS 140-3 mode, add the following line:

    SPLUNK_FIPS_MODE=140-3
    Note: Do not add both lines to the file. If you do, the instance operates in FIPS 140-2 mode.
  6. Save the splunk-launch.conf file and close it.
  7. Start Splunk Enterprise. The startup process turns on FIPS mode during the installation.
Note: When you turn on FIPS mode, you cannot turn it off without reinstalling the software.

Change FIPS modes after installing the software

After you have installed and activated FIPS, you can switch between the FIPS 140-2 and FIPS 140-3 modes at any time with a change to the configuration file and a restart of Splunk Enterprise.

  1. Use a text editor to edit the $SPLUNK_HOME/etc/splunk-launch.conf configuration file.
  2. Specify the FIPS mode in which you want to operate by changing the SPLUNK_FIPS_MODE line in the file to the FIPS version you want. To operate in FIPS 140-2 mode, change the line in the file to:
    SPLUNK_FIPS_MODE=140-2

    To operate in FIPS 140-3 mode, change the line in the file to:

    SPLUNK_FIPS_MODE=140-3
  3. Save the splunk-launch.conf file and close it.
  4. Restart Splunk Enterprise. Splunk Enterprise begins using the FIPS module that you specified.
Note: Do not put multiple SPLUNK_FIPS_MODE lines in the file.
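Both procedures above (turning FIPS mode on before the first start, and switching modes afterwards) hinge on the contents of splunk-launch.conf. Here is an added pre-start check, not Splunk's own tooling, that validates those lines and reports the mode the file will select; it also checks the Linux kernel FIPS flag that the prerequisites section requires. The sample files are constructed.

```sh
#!/bin/sh
# Added example, not Splunk's own tooling or documentation: validate a
# splunk-launch.conf before you start or restart Splunk Enterprise in FIPS
# mode. It applies the rules from the procedures above: SPLUNK_FIPS=1 must be
# present, SPLUNK_FIPS_MODE may appear at most once, and its value must be
# 140-2 or 140-3 (140-2 is the effective mode when the line is absent).

# fips_launch_mode FILE: prints the effective FIPS mode and returns 0, or
# prints the first problem found and returns 1.
fips_launch_mode() {
    file="$1"
    # Commented-out lines never match because the key must start the line.
    fips=$(grep -E '^[[:space:]]*SPLUNK_FIPS[[:space:]]*=' "$file" \
           | tail -n 1 | cut -d= -f2- | tr -d '[:blank:]')
    if [ "$fips" != "1" ]; then
        echo "ERROR: SPLUNK_FIPS=1 is missing; FIPS mode cannot be added after the first start"
        return 1
    fi
    modes=$(grep -E '^[[:space:]]*SPLUNK_FIPS_MODE[[:space:]]*=' "$file" \
            | cut -d= -f2- | tr -d '[:blank:]')
    count=$(printf '%s\n' "$modes" | grep -c . || true)
    case "$count" in
        0) echo "140-2" ;;   # default module when no SPLUNK_FIPS_MODE line exists
        1) case "$modes" in
               140-2|140-3) echo "$modes" ;;
               *) echo "ERROR: unknown SPLUNK_FIPS_MODE value '$modes'"; return 1 ;;
           esac ;;
        *) echo "ERROR: $count SPLUNK_FIPS_MODE lines found; keep exactly one"; return 1 ;;
    esac
}

# os_fips_enabled: returns 0 when the Linux kernel reports FIPS mode, the
# prerequisite for Splunk FIPS mode. On other platforms it returns 1.
os_fips_enabled() {
    [ -r /proc/sys/crypto/fips_enabled ] && [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]
}

# Constructed sample files, not real installations.
OK_CONF=$(mktemp); DUP_CONF=$(mktemp)
printf 'SPLUNK_HOME=/opt/splunk\nSPLUNK_FIPS=1\nSPLUNK_FIPS_MODE=140-3\n' > "$OK_CONF"
printf 'SPLUNK_FIPS=1\nSPLUNK_FIPS_MODE=140-2\nSPLUNK_FIPS_MODE=140-3\n' > "$DUP_CONF"

echo "OK_CONF selects FIPS $(fips_launch_mode "$OK_CONF")"
fips_launch_mode "$DUP_CONF" || true
if os_fips_enabled; then echo "kernel FIPS mode: on"; else echo "kernel FIPS mode: off or not reported"; fi
```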

Use indexes with FIPS mode turned on

A Splunk Enterprise instance that operates in FIPS mode neither alters the data it has indexed nor changes how it handles that data in any way. You can copy indexes between FIPS and non-FIPS indexers.

Confirm FIPS mode status

You can use the Splunk CLI, a REST endpoint, or a Splunk search to determine whether or not the Splunk instance is in FIPS mode.

The following CLI command returns FIPS mode status:

splunk show fips-mode -auth <username>:<password>
  • If FIPS mode is on, the CLI command returns FIPS mode enabled.
  • Otherwise, it returns FIPS mode disabled.

The following REST call returns FIPS mode status:

curl -s -k -u admin:changeme https://localhost:8089/services/server/info | grep fips_mode

If FIPS mode is on, this call returns the following:

<s:key name="fips_mode">1</s:key>

The following Splunk search returns FIPS mode status:

If FIPS mode is on, the search returns the following:

fips_mode
---------
        1

Troubleshoot Splunk Enterprise in FIPS mode

  • If your Splunk Enterprise instance is in FIPS mode and the Rivest-Shamir-Adleman (RSA) encrypted private keys that you usually use do not work, those keys might be incompatible with FIPS. To mitigate this issue, you can convert your Privacy Enhanced Mail (PEM) private key to the Public Key Cryptography Standards #8 (PKCS 8) format to make it compatible.
  • After you install Splunk software without FIPS mode turned on, you cannot later turn FIPS mode on, even during an upgrade. If you require FIPS compliance, confirm that your initial Splunk Enterprise installation is FIPS-enabled. To change to a version running FIPS mode, reinstall Splunk Enterprise and use the procedure in this topic to enable FIPS.
  • If you have problems running a Splunk app, confirm that it is certified to run in FIPS mode and does not have dependencies on cryptographic algorithms that FIPS turns off, such as MD5 and RC4.
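For the first troubleshooting item, here is an added helper (not from Splunk's documentation) that tells a traditional PKCS#1 RSA key apart from a PKCS#8 key by its PEM header and rewrites it as PKCS#8 with the openssl CLI. It assumes openssl is installed and that the input key is not itself passphrase-protected; the sample key file is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not from Splunk's documentation: classify a PEM private key
# by its header and convert it to PKCS#8, the format the troubleshooting note
# above recommends when a traditional RSA key fails under FIPS mode.
# Assumptions: the openssl CLI is installed and the input key is not itself
# passphrase-protected (add -passin to the openssl calls if it is).

# key_format FILE: prints pkcs1, pkcs8, pkcs8-encrypted or unknown.
key_format() {
    if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo pkcs1
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8-encrypted
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
    else echo unknown
    fi
}

# to_pkcs8 IN OUT [PASSPHRASE]: rewrite IN as a PKCS#8 key at OUT. With a
# passphrase the key is wrapped with PBES2 and AES-256-CBC (openssl -v2),
# avoiding the legacy PKCS#5 v1.5 ciphers; without one the output is unencrypted.
to_pkcs8() {
    if [ -n "$3" ]; then
        openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout "pass:$3"
    else
        openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
    fi
    chmod 600 "$2"   # private key material: owner read/write only
}

# Constructed sample: only the PEM header and footer matter for classification;
# the body is a placeholder, not real key material.
SAMPLE=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$SAMPLE"
echo "sample key format: $(key_format "$SAMPLE")"   # pkcs1

if command -v openssl > /dev/null 2>&1; then
    KEY=$(mktemp); KEY8=$(mktemp)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2> /dev/null
    to_pkcs8 "$KEY" "$KEY8" "change-this-passphrase"
    echo "converted key format: $(key_format "$KEY8")"   # pkcs8-encrypted
fi
```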