Configure MongoDB for FIPS

The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by default or as needed from the command line.

A full description of FIPS and TLS/SSL is beyond the scope of this document. This tutorial assumes prior knowledge of FIPS and TLS/SSL.

Important

MongoDB and FIPS

FIPS is a property of the encryption system and not the access control system. However, if your environment requires FIPS-compliant encryption and access control, you must ensure that the access control system uses only FIPS-compliant encryption.

MongoDB's FIPS support covers the way that MongoDB uses SSL/TLS libraries for network encryption, SCRAM authentication, and x.509 authentication. If you use Kerberos or LDAP authentication, you must ensure that these external mechanisms are FIPS-compliant.
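
The following added example (not MongoDB's code and not part of the original page) audits a mongod configuration file for the points above: whether FIPS mode and TLS are enabled, and whether Kerberos or LDAP mechanisms are configured that need separate verification. The setting names `net.tls.FIPSMode`, `net.tls.mode` and `setParameter.authenticationMechanisms`, and the mechanism names `GSSAPI` (Kerberos) and `PLAIN` (LDAP), come from MongoDB's configuration options rather than from this page; the sample configuration is constructed.

```python
# Added example: audit a mongod configuration file for the FIPS points above.
# Handles only the simple block-style YAML mappings that mongod.conf uses.
EXTERNAL_MECHS = {"GSSAPI": "Kerberos", "PLAIN": "LDAP"}

# Constructed sample configuration; the certificate path is hypothetical.
SAMPLE_CONF = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    FIPSMode: true
setParameter:
  authenticationMechanisms: SCRAM-SHA-256,GSSAPI
"""


def flatten(text):
    """Flatten nested mappings into dotted keys, e.g. 'net.tls.mode'."""
    result, stack = {}, []  # stack: (indent, key) of enclosing mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left a nested mapping
        if value.strip():
            path = ".".join([k for _, k in stack] + [key])
            result[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return result


def audit(text):
    """Return findings; an empty list means nothing was flagged."""
    conf, findings = flatten(text), []
    if conf.get("net.tls.FIPSMode", "false").lower() != "true":
        findings.append("net.tls.FIPSMode is not enabled")
    if conf.get("net.tls.mode", "disabled") == "disabled":
        findings.append("net.tls.mode is disabled; no TLS network encryption")
    mechs = conf.get("setParameter.authenticationMechanisms", "")
    for mech in (m.strip() for m in mechs.split(",")):
        if mech in EXTERNAL_MECHS:  # Kerberos/LDAP: external to MongoDB's FIPS support
            findings.append(f"{mech} ({EXTERNAL_MECHS[mech]}) must be verified "
                            "as FIPS-compliant separately")
    return findings
```

Calling `audit(SAMPLE_CONF)` flags only the `GSSAPI` entry, because the sample enables FIPS mode and TLS but also lists a Kerberos mechanism.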

Note

MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available.

FIPS mode is only available with MongoDB Enterprise edition. See Install MongoDB Enterprise to download and install MongoDB Enterprise.

FIPS mode is supported on the following platforms:

Platform    TLS/SSL library
Linux       OpenSSL
Windows     Secure Channel (SChannel)
macOS       Secure Transport


Starting in version 4.2, MongoDB removes the --sslFIPSMode option for the following programs:

The programs will use FIPS compliant connections to mongod / mongos if the mongod / mongos instances are configured to use FIPS mode.

If you use SCRAM-SHA-1:

The following programs no longer support the --sslFIPSMode option:

If you configure mongod and mongos to use FIPS mode, mongod and mongos use FIPS-compliant connections.

The default mongosh distribution:

  • Contains OpenSSL 3.

  • Uses FIPS-compliant connections to mongod and mongos if you configure mongod and mongos to use FIPS mode.

MongoDB also provides a MongoDB Shell distribution that can use:

  • OpenSSL 1.1 and OpenSSL 3 installed on your server.

  • --tlsFIPSMode option, which enables the mongosh FIPS mode.
