[Koha] FIPS Compliance

David Liddle david at liddles.net
Wed Feb 21 23:45:52 NZDT 2024


Hello Rudy,

You might need to explain the context of your question in order to
receive a satisfactory answer. And I'm going to preface what I write
next with the statement that I am NOT a security professional, and you
should consult with system administrators who are experienced in FIPS
implementation before subjecting your library's data to advanced
cryptographic voodoo. Encryption is no trivial matter, and incorrect
implementation can render data eternally inaccessible.

FIPS compliance refers most frequently to hardware modules that handle
cryptographic functions. There are also software modules that perform
these functions. Some of these are included in the Linux distributions
that can run Koha and will play a role in certain Koha processes. It
looks to me that FIPS compliance will center on the configuration of
the Linux kernel and OpenSSL, since they will do the bulk of the work
in ensuring that the main components of Koha do not employ
non-compliant cryptographic methods:
- operating system
- database server (MySQL or MariaDB)
- web server (Apache2)
- web languages (Perl, Python)

I doubt that any Koha developer will tell you that the modules that
make up Koha were created with FIPS in mind. The security of your Koha
instances will be dependent in large part on the security of the
underlying system. Again, you should consult with system
administrators who have experience implementing FIPS. It would be wise
to thoroughly TEST a Koha instance on a system running in FIPS mode.
If you achieve success, I think that we'd all love to hear back from
you!

Regards,

David Liddle
System Administrator
david.liddle at wycliff.de (but not for this list)

Wycliff e.V., https://wycliff.de
Seminar für Sprache und Kultur, https://spracheundkultur.org
Internationales Tagungszentrum Karimu, https://karimu.de


On Tue, Feb 20, 2024 at 7:45 PM Rudy Hinojosa
<rudy.hinojosa at lightwavelibrary.com> wrote:
>
> Is Koha FIPS compliant?
>
> Rudy E. Hinojosa
> CEO/President,
> Lightwave Library
>
> Toll Free: 888-503-1727, https://lightwavelibrary.com
>
> rudy.hinojosa at lightwavelibrary.com
>
> P.O. Box 484, Liberty Hill, Texas 78642
>
> Life After Solutions LLC DBA: Lightwave Library
>
> _______________________________________________
>
> Koha mailing list  http://koha-community.org
> Koha at lists.katipo.co.nz
> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
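
A preflight check for the kind of test recommended in the reply above, as an added example that is not part of the original message or of Koha. It reads the kernel FIPS flag, parses `openssl list -providers` (OpenSSL 3.x) for an active `fips` provider, and probes whether the OpenSSL CLI refuses MD5. The function names, the `FIPS_FLAG` override and the sample provider listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example: FIPS preflight for a host that will run Koha.
# Function names and the FIPS_FLAG override are illustrative, not part of Koha.
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"

# Print enabled|disabled|unknown from the kernel FIPS flag file ($1 overrides the path).
kernel_fips_state() {
    flag="${1:-$FIPS_FLAG}"
    [ -r "$flag" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$flag")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read `openssl list -providers` output on stdin and print
# active|inactive|absent for the provider whose id is "fips".
fips_provider_state() {
    awk '
        /^  [^ ]+$/ { id = $1 }
        /^ +status:/ && id == "fips" { print ($2 == "active" ? "active" : "inactive"); seen = 1 }
        END { if (!seen) print "absent" }
    '
}

# Print yes|no|unknown: does the OpenSSL CLI refuse MD5, a non-approved digest?
# A "yes" is a hint only; the command can also fail for unrelated reasons.
md5_refused() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    if openssl dgst -md5 /dev/null >/dev/null 2>&1; then echo no; else echo yes; fi
}

# Both the kernel flag and an active OpenSSL FIPS provider must hold
# before a Koha test run counts as "on a system in FIPS mode".
fips_verdict() {
    if [ "$1" = enabled ] && [ "$2" = active ]; then echo fips-mode; else echo not-fips-mode; fi
}

fips_report() {
    k=$(kernel_fips_state)
    p=absent
    command -v openssl >/dev/null 2>&1 && p=$(openssl list -providers 2>/dev/null | fips_provider_state)
    echo "kernel=$k openssl_fips_provider=$p md5_refused=$(md5_refused) verdict=$(fips_verdict "$k" "$p")"
}

# Constructed sample of a provider listing, for trying the parser without OpenSSL 3.
SAMPLE_PROVIDERS=$(printf 'Providers:\n  fips\n    name: Constructed FIPS Provider\n    status: active\n')
printf '%s\n' "$SAMPLE_PROVIDERS" | fips_provider_state
fips_report
```

A `fips-mode` verdict only describes the operating system and OpenSSL; code in the stack that implements its own digests or ciphers without calling OpenSSL is not covered by this check.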

