Federal Information Processing Standards (FIPS)
FIPS mode is available for Datto SIRIS devices using FIPS 140-3, a security standard adopted by the US and Canadian governments to ensure that encryption in IT products is properly tested and approved. When a product passes validation, it receives a certificate listing the product name, version, and security assurance level, which ranges from level 1 to level 4.
FIPS 140-3 certification is often required for US federal agencies and contractors handling government data. It’s also widely adopted in other sectors where data protection is critical, such as healthcare, finance, and defense, to meet regulatory or customer security expectations.
Eligible local Datto SIRIS devices are FIPS 140-3 compliant once FIPS mode is enabled on the device. For more information on the security standards, please refer to: FIPS 140-3: Understanding the new security standard.
Environment
- Datto SIRIS 6 Desktop
- Datto SIRIS 6 Desktop SSD
- Datto SIRIS 6X
- Datto SIRIS 6 (2-8)
Description
FIPS mode is available for most Datto SIRIS 6 devices. In FIPS mode, the device and its encrypted backups conform to the following FIPS 140-3 certificates:
- Safelogic CryptoComply - Certificate #5040
- Canonical Ubuntu 22.04 OpenSSL - Certificate #4794
- Canonical Ubuntu 22.04 Kernel Crypto API - Certificate #4894
Datto Cloud uses the following FIPS 140-2 certificates:
- Canonical Ubuntu 20.04 OpenSSL - Certificate #3966
- Canonical Ubuntu 20.04 Kernel Crypto API - Certificate #4366
NOTE: The backups must use a FIPS-compliant agent version.
- Datto Windows Agent version: 3.0.18.20 or later
- Datto Linux Agent version: 3.0.34.0 or later
To enable FIPS mode on a compatible device, contact support.
Limitations
The following features are not currently FIPS-validated. Features will be removed from this section as new updates are released and they become covered.
- iSCSI connections
- iSCSI shares
- Volume Restores
- iSCSI rollback
- Hosted NAS shares
- External NAS share backup
- Hypervisor connections
- Agentless backup
- Virtualization with Hypervisor
- Hybrid Virtualizations
Considerations
- Some restored data is provided over a secure channel to the user in unencrypted form. Organizations are responsible for handling restored data with appropriate security controls consistent with FIPS requirements.
- Bare Metal Restore (BMR) restores data in unencrypted form. After the restore, users must re-enable FIPS mode in Windows.
- During local verifications, data will be decrypted and the restored system will be booted to verify the backup. To maintain strict FIPS 140-3 compliance, the following features can be disabled:
  - Screenshot verification
  - Integrity verification
  - Ransomware detection
- The Datto Cloud supports the FIPS 140-2 standard. If FIPS 140-3 is required, cloud replication may be disabled.
Frequently Asked Questions
For an agent dataset to be FIPS-validated, it must be an encrypted backup. Encryption can only be enabled during pairing, so to encrypt a currently unencrypted agent, the agent must be archived or removed, then re-added to the device as an encrypted agent.
In addition to encrypting the datasets, FIPS-validated backups are transmitted through an encrypted tunnel and comply with FIPS guidelines.
Both screenshot verification and local verification may be disabled on a per-agent basis within the Remote Web. Information on these settings can be found in the verification section of Configure Agent / System Settings Page.