PG18 Hacktober: 31 Days of New Features – FIPS mode validation

Welcome back to the Day5 of PG18 Hacktoher and we’re amazed at the security features that were added in PG18, no wonder PostgreSQL is The World’s Most Advanced Open Source Relational Database and one of the most vibrant FOSS communities.

Here’s our 3rd blog on the Security features focussing on FIPS mode validation. If you haven’t read our first two blog post on Security features . They are available below:

• Secure Password Hashing with SHA-2 Algorithms
• Richer SSL/TLS configuration options in PostgreSQL

PostgreSQL 18 introduces a subtle but powerful enhancement for security-conscious deployments: the ability to validate whether your database is running under FIPS-approved cryptography. This comes via the new pgcrypto OpenSSL support function for FIPS mode detection, helping organizations meet strict compliance requirements with ease.

FIPS meets PostgreSQL
We work with organizations that operate under increasingly strict compliance mandates, verifying the cryptographic modules used by your systems is no longer optional—it’s mandatory. Enter FIPS mode validation, a new capability in PostgreSQL 18’s pgcrypto extension, which allows administrators to programmatically verify whether PostgreSQL is running in FIPS-compliant mode.

This is a crucial step for any organization handling sensitive data, from government agencies to financial institutions.

What is FIPS?

FIPS stands for Federal Information Processing Standards, developed and maintained by NIST (U.S. National Institute of Standards and Technology).

Key points:

• FIPS 140-2 and the newer FIPS 140-3 define security requirements for cryptographic modules.
• “FIPS validated” means the cryptographic implementation has passed independent NIST-approved testing.
• Widely referenced in regulations such as PCI-DSS, HIPAA, and FedRAMP.
• Mandatory for U.S. federal agency systems and often adopted as best practice by financial institutions and critical infrastructure operators.

From a compliance standpoint, using only approved algorithms, modules and proving it is vital for audit readiness.

PostgreSQL and FIPS Compliance — The Backstory

Historically, PostgreSQL has depended on OpenSSL for SSL/TLS and cryptographic operations.
Even if the database was linked against a FIPS-capable OpenSSL library, administrators had no easy way to verify at runtime whether that library was actually running in FIPS mode.

PostgreSQL 18 changes that, giving DBAs and security teams a native SQL function to confirm FIPS mode status without leaving psql.

What does the documentation say?

pgcrypto provides functions to check OpenSSL configuration and status, including FIPS mode status.

#The new features
postgres=# SELECT fips_mode();
 fips_mode
-----------
 f
(1 row)

This returns a boolean indicating whether the underlying OpenSSL library PostgreSQL is using is currently operating in FIPS mode.

#Alter the pgcrypto's paramter to fips and reload the conf
postgres=# SHOW pgcrypto.builtin_crypto_enabled;
 pgcrypto.builtin_crypto_enabled
---------------------------------
 fips
(1 row)

pgcrypto.builtin_crypto_enabled determines if the built in crypto functions gen_salt(), and crypt() are available for use. Setting this to off disables these functions. on (the default) enables these functions to work normally. fips disables these functions if OpenSSL is detected to operate in FIPS mode.

Enabling FIPS Mode for PostgreSQL

• Ensure your OpenSSL library is a FIPS 140-validated module (like Red Hat’s FIPS builds).
• Configure your OS to enforce FIPS mode (e.g., fips=1 kernel flag on RHEL).

#Add fips in /etc/default/grub
GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 nvme_core.io_timeout=4294967295 fips=1"

#Regenerate the GRUB config
grub2-mkconfig -o /boot/grub2/grub.cfg

#Reboot the system
sudo reboot

• Restart PostgreSQL so it loads the FIPS-enabled OpenSSL.
• Then use the openssl_fips() function to confirm.

postgres=# select fips_mode();
 fips_mode
-----------
 t
(1 row)

Why this matters: Compliance and assurance

• Audit-Friendly: With openssl_fips(), you can provide programmatic evidence during audits that your database is running with FIPS-approved cryptography.
• Defense-in-Depth: Ensures that all pgcrypto operations (e.g., encryption, hashing) are performed by a validated cryptographic module.
• Automation & CI/CD: Integrate this check into your deployment or monitoring pipelines to automatically flag non-compliant environments.

Limitations

• PostgreSQL itself is not FIPS certified; it relies on FIPS-validated OpenSSL libraries.
• You must deploy PostgreSQL on a FIPS-compliant OS or environment for full assurance.
• The fips_mode() function is a status check—not a toggle.

Final thoughts

FIPS Mode validation in PostgreSQL 18 is a small but powerful step toward greater cryptographic assurance and compliance readiness. By exposing this status in SQL, PostgreSQL becomes easier to integrate into your security and compliance workflows—bridging the gap between database administration and security auditing.

Next up in our security-focused series:
OAuth Authentication / Authorization

Stay tuned!!