Federal Information Processing Standards (FIPS)
FIPS mode is available for Datto SIRIS devices using FIPS 140-3, which is a security standard used by the U.S. and Canadian governments to ensure encryption in IT products is properly tested and approved. When a product passes validation, it receives a certificate listing the product name, version, and security assurance level ranging from level 1 to 4.
FIPS 140-3 certification is often required for U.S. federal agencies and contractors handling government data. It’s also widely adopted in other sectors where data protection is critical, such as healthcare, finance, and defense, to meet regulatory or customer security expectations.
Eligible local Datto devices become FIPS 140-3 compliant when FIPS mode is enabled on the device. For more information on the security standards, please refer to: FIPS 140-3: Understanding the new security standard.
Environment
- Datto SIRIS 6 Desktop
- Datto SIRIS 6 Desktop SSD
- Datto SIRIS 6X
- Datto SIRIS 6 (2-8)
Description
FIPS mode is available for most Datto SIRIS 6 devices. This confirms the device and encrypted backups conform to the following (140-3) FIPS certificates:
- Safelogic CryptoComply - Certificate #5040
- Canonical Ubuntu 22.04 OpenSSL - Certificate #4794
- Canonical Ubuntu 22.04 Kernel Crypto API - Certificate #4894
Datto Cloud will use the following (140-2) FIPS certificates:
- Canonical Ubuntu 20.04 OpenSSL - Certificate #3966
- Canonical Ubuntu 20.04 Kernel Crypto API - Certificate #4366
NOTE The backups will also need to use a FIPS-compliant agent version.
- Datto Windows Agent version: 3.0.18.20 or later
- Datto Linux Agent version: 3.0.34.0 or later
Toggle FIPS Mode
To enable FIPS mode on a SIRIS 6 device, log in to the Remote Web of the device through the Partner Portal.
Select Configure, then Device Settings from the dropdown menu.
Navigate to FIPS mode in the side menu or by scrolling.
Toggle the switch to enable FIPS mode.
NOTE FIPS mode cannot be disabled once it has been enabled.
Once enabled, encrypted agents with a compatible agent version and OS will have the option to be added as FIPS mode backups. In addition, existing encrypted agents with compatible agent versions will use the FIPS validated encryption libraries when FIPS mode is enabled on an appliance, allowing you to retain backup history for that agent and use the same encryption keys with the new FIPS validated ciphers.
Limitations
The following features are not currently FIPS validated. They will be removed from this section as new updates are released and they become covered.
iSCSI connections
- iSCSI shares
- Volume Restores
- iSCSI rollback
Hosted NAS shares
External NAS share backup
Datto Cloud replication
Hypervisor connections
- Agentless backup
- Virtualization via Hypervisor
Considerations
Some restored data is provided over a secure channel to the user in unencrypted form. Organizations are responsible for handling restored data with appropriate security controls consistent with FIPS requirements.
BMR restores data in non-encrypted format. After restore, users must re-enable FIPS mode in Windows.
During local verifications, data will be decrypted and the restored system will be booted to verify the backup. To maintain strict FIPS 140-3 compliance, these features can be disabled.
- Screenshot verification
- Integrity verification
- Ransomware detection
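Because FIPS mode cannot be disabled once it has been enabled, it helps to check agents against the requirements above before toggling it. The following is an added example, not Datto code: it audits a constructed inventory against the agent versions, encryption requirement, and limitations listed on this page. The inventory field names (os, agent_version, encrypted, agentless, verifications) are hypothetical.

```python
# Added example: field names below are hypothetical, not a Datto export or API.
MIN_AGENT = {"windows": (3, 0, 18, 20), "linux": (3, 0, 34, 0)}  # minimums from this page
DECRYPTING_CHECKS = {"screenshot", "integrity", "ransomware"}  # verifications that decrypt


def parse_version(text):
    """Turn '3.0.18.20' into (3, 0, 18, 20) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in text.strip().split("."))


def fips_findings(agent):
    """Return reasons an agent would not be a strict FIPS mode backup (empty = none)."""
    if agent.get("agentless"):
        return ["agentless backup is not currently FIPS validated"]  # per Limitations
    findings = []
    minimum = MIN_AGENT.get(agent["os"])
    if minimum is None:
        findings.append(f"no minimum agent version listed for OS {agent['os']!r}")
    else:
        try:
            if parse_version(agent.get("agent_version", "")) < minimum:
                need = ".".join(map(str, minimum))
                findings.append(f"agent {agent['agent_version']} is older than {need}")
        except ValueError:
            findings.append(f"unreadable agent version {agent.get('agent_version')!r}")
    if not agent.get("encrypted"):
        findings.append("dataset is unencrypted; encryption can only be set at pairing")
    enabled = DECRYPTING_CHECKS & set(agent.get("verifications", ()))
    if enabled:
        findings.append("local verification decrypts data: " + ", ".join(sorted(enabled)))
    return findings


def audit(inventory):
    """Map each agent name to its findings so gaps show up before FIPS mode is enabled."""
    return {agent["name"]: fips_findings(agent) for agent in inventory}

# Constructed sample inventory (not real systems).
INVENTORY = [
    {"name": "dc01", "os": "windows", "agent_version": "3.0.18.20", "encrypted": True},
    {"name": "web02", "os": "linux", "agent_version": "3.0.9.0", "encrypted": True},
    {"name": "fs03", "os": "windows", "agent_version": "3.1.0.0", "encrypted": False,
     "verifications": ["screenshot"]},
    {"name": "vm04", "os": "linux", "agent_version": "", "encrypted": True, "agentless": True},
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Version strings are compared as integer tuples because a plain string comparison would rank 3.0.9.0 above 3.0.34.0 and miss the outdated Linux agent.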
Frequently Asked Questions
For an agent dataset to be FIPS validated it will need to be an encrypted backup. Encryption may only be enabled during pairing, so if you would like to encrypt a currently unencrypted agent, it will need to be archived or removed, then re-added to the device as an encrypted agent.
In addition to encrypting the datasets, the FIPS validated backups are backed up through an encrypted tunnel and comply with FIPS guidelines.
Both the screenshot verification and local verification may be disabled on a per-agent basis within the Remote Web. Information on these settings can be found in the verification section of Configure Agent / System Settings Page.
No, existing encrypted agents will use the FIPS validated encryption libraries when FIPS mode is enabled on an appliance, allowing you to retain backup history for that agent and use the same encryption keys with the FIPS validated ciphers. Check with your auditor on whether a new backup chain is mandatory to maintain strict FIPS compliance. If so, please note that the agent will need to be archived and re-added to the Datto device. For large base images, Datto recommends ordering a RoundTrip if the data will need to be synced offsite.