How to disable FIPS mode in RHEL 6 or RHEL 7

Solution Verified - Updated 9 Aug 2024

Environment

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Issue

What are the proper steps for rolling back the FIPS compliance procedure outlined in the How can I make RHEL 6 or RHEL 7 FIPS 140-2 compliant article?
How can I disable FIPS mode?

Resolution

Remove the dracut-fips* packages
Run exactly:
```
yum remove dracut-fips\*
```

Backup existing FIPS initramfs
Run exactly:

mv -v /boot/initramfs-$(uname -r).img{,.FIPS-bak}

Run dracut to rebuild the initramfs
Run exactly:
```
dracut
```

Remove the fips=1 argument from the kernel command-line
Run exactly:

grubby --update-kernel=ALL --remove-args=fips=1
[[ -f /etc/default/grub ]] && sed -i 's/ fips=1//' /etc/default/grub

Reboot
Run:
```
reboot
```
Confirm that FIPS is not in enforcing mode after a reboot
The crypto.fips_enabled sysctl should report 0
Run:
```
sysctl crypto.fips_enabled
```

OPTIONAL

Remove the harmless boot=... argument from the kernel command-line
Run exactly:

uuid=$(findmnt -no uuid /boot)
grubby --update-kernel=ALL --remove-args=boot=UUID=${uuid}
[[ -n $uuid && -f /etc/default/grub ]] && sed -i "s/ boot=UUID=${uuid}//" /etc/default/grub

Re-enable the unnecessary prelink service which will get executed by next cron.daily
Run exactly:
```
rpm -q prelink && sed -i '/^PRELINKING/s,no,yes,' /etc/sysconfig/prelink
```

SBR

Product(s)

Red Hat Enterprise Linux

Components

Category

Learn more

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.