.. hsm2-option-fips-guide.rst

.. _hsm2-option-fips-guide-label:

=========================
Set FIPS Mode
=========================

.. Note::
  This guide only applies to YubiHSM 2 FIPS devices.

Retrieve FIPS Mode Status
==========================

To check the mode of operation, use the ``Get Option`` command.

.. code-block:: bash

   $ yubihsm-shell -a get-option --opt-name fips-mode

The return value would be ``00`` or ``01``, where-

``01`` return code indicates that FIPS approved mode is ON.

``00`` return code indicates the FIPS approved mode is OFF.


Putting YubiHSM 2 into FIPS Mode
================================

To put the YubiHSM 2 into the FIPS Approved mode of operation:

1. Use the ``Set Option`` command as follows:

   .. code-block:: bash

      $ yubihsm-shell -a put-option --opt-name fips-mode --opt-value 01

2. Import new Authentication Keys to replace the default values.


Taking YubiHSM 2 out of FIPS Mode
=================================

To disable FIPS approved mode on the YubiHSM 2:

1. Delete all objects on the YubiHSM 2 or do a factory reset.

2. Use the ``Set Option`` command as follows:

   .. code-block:: bash

      $ yubihsm-shell -a put-option --opt-name fips-mode --opt-value 00