Skip to main content
Version: 3.17 (latest)


Big picture

Run Calico Enterprise in FIPS 140-2 compliant mode.


When running in FIPS compliant mode, Calico Enterprise uses FIPS-approved cryptographic algorithms and NIST-validated cryptographic modules.


The Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology for use in computer systems by government agencies and government contractors. Calico Enterprise FIPS mode is enabled during installation by:

Before you begin


  • A Kubernetes distribution and cluster that run in FIPS mode
  • The hosts must run Linux x86_64 distributions
  • Calico Enterprise contains programs that run directly on the host that use dynamic linking of c libraries. For this reason, it is a requirement for host systems to contain the following libraries:
  • An Elasticsearch Platinum license for Elasticsearch to run in FIPS mode


  • The following features are disabled and are not allowed to be used:
    • Kibana
    • Anomaly Detection
    • Application Layer API
    • BGP password
    • WireGuard
    • Curator: Curator is a job that deletes the oldest Elasticsearch data when your cluster is approaching full capacity.
  • Switching FIPS mode off and then on again is not supported as this may break hashes and other cryptographic settings.

How To

To install Calico Enterprise in FIPS mode follow these steps.

  1. Follow the installation steps for your platform.

    • In the step for installing custom resources, edit custom-resources.yaml and enable FIPS mode in the installation spec.
    kind: Installation
    name: default
    fipsMode: Enabled
  2. Upgrade to the required Elasticsearch Platinum license to run FIPS mode.

  • Get the password for the elastic privileged user:

    export PASSWORD=$(kubectl -n tigera-elasticsearch get secret tigera-secure-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')
  • Port-forward Elasticsearch so you can send requests.

    kubectl port-forward -n tigera-elasticsearch svc/tigera-secure-es-http 9200
  • Apply an Elasticsearch Platinum license to prevent the trial from expiring. See the Elasticsearch documentation for more details.

    curl -X PUT -u "elastic:$PASSWORD" "https://localhost:9200/_license?pretty" -H 'Content-Type: application/json' -d'  {"licenses": [ <your license> ]}'

As soon as the Platinum license is applied, FIPS mode is fully operational.