I'm attempting to set my Microsoft SQL 2014 instance to use FIPS 140-2 complaint encryption as described in this KB article for SQL 2012, but it does not appear to be working. I do not see "FIPS" anywhere in the SQL service error logs. I set the FIPS option using the local security policy System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms.
As an aside, I tried setting the same policy via GPO security policy, but the security option did not change the computer's registry key of The GPO security policy did apply after two reboots.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled even though GPresults showed it being applied. I don't know if that's a hint or just another oddity.
I know Microsoft has come out recently about FIPS not being a necessity, but I need to be able to test an app soup-to-nuts with FIPS enabled on the DB.
Any ideas on how to force FIPS on the SQL instance?
Best Answer
Per the MS Article you reference, SQL Uses OS Crypto constraints (via SCHANNEL) therefore if you enabled it at the OS level, then you have enforced it at the DB Level as well.
Just to prove the point, if you disable SSL3 and TLS 1.0 (for SCHANNEL) on a server running SQL 2008 R2 and reboot, SQL will not start.